Hi, i’ve a rb493 with routeros 3.24. I’m trying to change the router mode to managed switch.
I do:
END.
Well, my problem is with VLANS. I add a vlan in the bridge1 but don’t work fine. I mean with this draw:
My real problem is that PC1 ping to 192.168.1.1 [interface 3 (vr2) of router1] but PC1 don’t ping to 192.168.2.1 [interface 3 (vlan1 on vr2 tag 2) of router1].
What’s my error?
Please post your config.
how? 
My actual config.
router1 (interface 1) = vr0 = public ip 1 = WAN
router1 (interface 2) = vr1 = public ip 2 = WAN2
router1 (interface 3) = vr2 = private ip = 192.168.1.1 = LAN
router1 (interface 3) = vr2 = vlan0 on vr2 (tag 501) = 192.168.2.1 = LAN2
pc1 = private ip = 192.168.1.2
pc2 = private ip = 192.168.1.3
pc3 = private ip = 192.168.2.33
I need use the rb493 as a managed switch with vlan support then my steps are:
but the ping in my computer (pc3) don’t ping with router1 (lan2 = vlan0 on vr2)
my mikrotik config:
[admin@MikroTik] > /interface export
# jan/01/1970 00:57:50 by RouterOS 3.24
# software id = NVJ4-LTT
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s \
max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=stp transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes mac-address=00:0C:42:34:73:F2 mtu=1500 \
name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes mac-address=\
00:0C:42:34:73:F3 master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes mac-address=\
00:0C:42:34:73:F4 master-port=ether2 mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes mac-address=\
00:0C:42:34:73:F5 master-port=ether2 mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes mac-address=\
00:0C:42:34:73:F6 master-port=ether2 mtu=1500 name=ether5 speed=100Mbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes mac-address=\
00:0C:42:34:73:F7 master-port=ether2 mtu=1500 name=ether6 speed=100Mbps
set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes mac-address=\
00:0C:42:34:73:F8 master-port=ether2 mtu=1500 name=ether7 speed=100Mbps
set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes mac-address=\
00:0C:42:34:73:F9 master-port=ether2 mtu=1500 name=ether8 speed=100Mbps
set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes mac-address=\
00:0C:42:34:73:FA master-port=ether2 mtu=1500 name=ether9 speed=100Mbps
/interface vlan
add arp=enabled comment="" disabled=no interface=ether2 mtu=1500 name=vlan1 use-service-tag=no vlan-id=501
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" group-key-update=5m interim-update=0s \
management-protection=disabled management-protection-key="" mode=none name=default radius-eap-accounting=no \
radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX \
radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none static-key-0=\
"" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates unicast-ciphers=\
"" wpa-pre-shared-key="" wpa2-pre-shared-key=""
/interface bridge port
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=vlan1 path-cost=10 \
point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=yes
/interface ethernet mirror
set mirror-port=none source-port=none
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=\
disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 \
mac-address=FE:EA:D9:B5:EA:23 max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 \
max-mtu=1460 mrru=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=\
300 frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no \
streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
and my pfsense config:
Ping work with 192.168.2.1
Ping don’t work with 192.168.2.33
The message:
I’m not sure I understand exactly what you want to achieve, and I don’t have the time right now to study your setup in detail. But am I right in assuming that you want your packets on the 2.x network to go tagged on vlan501 to pfsense?
If so, you need to bridge vlan501 together with something. As it is now, you’ve added vlan501 to a bridge on its own, and that won’t get the packets anywhere. With your current setup, I’d expect the packets of the ports to go untagged out on ether2.
I’ve not played much with the internal switch chip, but I assume you’d have to add vlan501 and another ethernet interface (not ether2, but ether3 for instance) to the bridge, and then set ether3 as the master port for the rest of the ethernet interfaces (or possibly add all ports to the bridge – I don’t know). Like (untested):
/int vl add name=vlan501 vlan-id=501 disabled=no interface=ether2
/int bri add protocol=rstp
/int bri port add bridge=bridge1 inter=vlan501
/int bri port add bridge=bridge1 inter=ether3
/int ethernet set ether4,ether5,ether6,++ master-port=ether3
Oh, with this setup you could use ether1 as uplink port and get more ports (ether2) using the switch chip.
By the way, it seems you’re using stp. I’d try using none or rstp. I see no point in using stp unless it’s a requirement for being compatible with the rest of the network.
(Edited to fix typos.)
I’ve been testing this out for the last hour, trying to help OP on IRC chat, but as far as I can see the big problem is that RouterBoard just can’t have the concept of an access port. If I bridged an untagged interface and a vlan interface, the arp requests of the data traffic coming from the tagged interface will reach the untagged, but the arp replies will not come back as they will not be tagged upon traversing the bridge. Same goes for any traffic, just to point that out, so static arps will no do any difference…
Possible conclusions:
Am I missing something?
If you do the following:
/int vl add vlan-id=1 interface=ether1 dis=no
/int bri add
/int bri port add bridge=bridge1 inter=vlan1
/int bri port add bridge=bridge1 inter=ether2
Then you can’t pass two-way traffic when connecting a PC to ether2, having traffic go untagged in/out on ether2 and tagged in/out on ether1? If so, please dump your config, as I’m very curious to why that isn’t working (I have done similar setups several places). Note that if this is the intended setup, OP’s config is/was wrong.
This was exactly my config. I can’t test it again right now, but I’ll try later again in the afternoon.
There’s no doubt about OP’s config is wrong, but if the correct configuration isn’t working either, there’s no point 
What OP is actually trying to achieve is two networks, one vlan tagged, one untagged, connecting to a firewall, followed by a series of PC’s on either access ports in the tagged network or access ports with no vlan tag.
I’ve been trying to help out in IRC.
As far as I am aware, unless the eth ports are bridged together, data won’t flow between. Bridging them all together, makes the board act like a switch. In this mode packets (regardless of tags) get passed from one eth port to another, without any packet stripping / natting. Which is by far the simplist way of doing this.
I have a single eth interface on my desktop running routerOS and it has 4 IP addresses, this in turn goes to an unmanaged 24 port switch, and all ports can see all 4 IP addresses.
How I’d get it to work would be to remove all ‘vlans’ from the mikrotik box, then bridge all interfaces together. I asked last night if PC1 and 2 can ping each other, as that would need nothing more than a function bridge between eth7 and 8. Sadly I didn’t get a response.
There are numerous ways to solve this problem. But you’ll need to think about the way that you want to.
JJOliver
Yes, sure, and you can also use the switch chip by setting all interfaces to except ether1 and ether2 to master-port=ether2, but that still wont give you vlans. And as far as I’ve understood OP, he needed vlans.
Unfortunately, considering what you wrote, I don’t think you’re of much help right now.
As far as I am aware, unless the eth ports are bridged together, data won’t flow between.
If you’d read his first post properly, you’d seen that he’s trying to use the switch chip present in some of the newer RouterBOARDs.
I have a single eth interface on my desktop running routerOS and it has 4 IP addresses, this in turn goes to an unmanaged 24 port switch, and all ports can see all 4 IP addresses.
With no possibility of having virtual LANs. You need to read up on things before trying to help people, ok?
/int vl add name=vlan501 vlan-id=501 disabled=no interface=ether2
/int bri add protocol=rstp
/int bri port add bridge=bridge1 inter=vlan501
/int bri port add bridge=bridge1 inter=ether3
/int ethernet set ether4,ether5,ether6,++ master-port=ether3
And I need set master-port = ether2 to pc2 and pc1 if i like that work because with master-port ether3 don’t work.
And with master-port = ether3 to pc3 work but… The two do not work at once. With this setup works sometimes and other time the ping does not work
I’m trying with rstp in the bridge, with two bridge (bridge1=vlan501 and ether3 and bridge2=vlan502 and ether4), with stp, with none,.. but don’t work.
Well, no surprise there (again, given that I understand what you want to do correctly). Bridge1 would have to consist of vlan501 and ether3, and ether9 should have ether3 as its master-port. To make pc1/2 work, which are connected to ether7 and ether8, you need to create another bridge where you bridge ether7, ether8 and ether2 (to make the packets go untagged out on ether2). So this should be correct (again, untested):
/int bri add
/int bri port add bridge=bridge1 inter=vlan501
/int bri port add bridge=bridge1 inter=ether3
/int bri add
/int bri port add bridge=bridge2 inter=ether2
/int bri port add bridge=bridge2 inter=ether7
/int bri port add bridge=bridge2 inter=ether8
/int ethernet set ether9 master-port=ether3
I don’t know if you can have multiple master ports (and I can’t check it for you as I don’t have a 493 available atm). If you can, you have to set for instance ether4 as being the master port for ether7 and ether8, and bridge ether2 and ether4 instead of ether2, ether7 and ether8 to utilize the hardware switching feature. If you can’t have multiple master ports, you have to choose which ports can be in the hardware “bridge” and bridge the rest with traditional software/RouterOS bridges.
That will work, if the purpose is to make ether3 a member of vlan501 and ether4 a member of vlan502, provided you have set the interface on both vlans to be ether2. This was, however, not the setup you outlined in one of your earlier posts (or I may have misunderstood something). Oh, and don’t get too hung up in different spanning tree protocols yet, just run with ‘none’ now for starters. You should probably forget about master-ports too, until you have the basic setup working.
If you ignore master ports for now and just want a basic setup where you run traffic on ether9 (pc3) on vlan 501 and traffic on ether7 and ether8 untagged, this would be it:
/int bri add
/int bri add
/int vl add name=vlan501 vlan-id=501 disabled=no interface=bridge2
/int bri port add bridge=bridge1 inter=vlan501
/int bri port add bridge=bridge1 inter=ether9
/int bri port add bridge=bridge2 inter=ether2
/int bri port add bridge=bridge2 inter=ether7
/int bri port add bridge=bridge2 inter=ether8
To mimic ether7 and ether8 being untagged interfaces, you will now have to filter vlan packets from/to ether7-8 using bridge filters so that only untagged packets will pass. I’ll leave this excercise to the reader.
YMMV as it’s untested, but you should now be able to ping from/to pc1, 2 and 3 at the same time, given that you have configured pfsense correctly (192.168.2.1 on vlan501, tagged on interface #1, and 192.168.1.1 untagged on interface #1).
Apologies in advance for spelling, typos or thinkos – I was in a hurry.
/int bri add
/int bri add
/int vl add name=vlan501 vlan-id=501 disabled=no interface=bridge2
/int bri port add bridge=bridge1 inter=vlan501
/int bri port add bridge=bridge1 inter=ether9
/int bri port add bridge=bridge2 inter=ether2
/int bri port add bridge=bridge2 inter=ether7
/int bri port add bridge=bridge2 inter=ether8
This is my solution!! Thx for all This work fine!. I’m testing but work fine
Very very thx vegard, without your help I never would have achieved.
Special Thx for Eising for your patience