RB750G no traffic on VLAN interface

apan · August 9, 2021, 11:58pm

I’ve an old RB750G that I’ve used as a NAT gateway and CAPsMAN manager, no problem with that for years. But now I’m trying to develop the setup by separating my devices to different networks with VLAN which is harder that I though. Since it’s an older device but still has a switch chip(atheros8316) I figured that I shall be able to use this guide as beginning https://wiki.mikrotik.com/wiki/Manual:Switch_Router.

I’ve basically copy pasted that guide but can’t get it to fly. I can get traffic to flow via different untagged ports but I can’t get traffic to or from the VLAN interfaces, it’s like they not connected to the bridge. So in the current setup devices connected to ether2 and ether3 doesn’t get DHCP, and I see no request coming in to the corresponding VLAN interface.

Apritiate if anyone could give me a hand here.

/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20
/interface ethernet switch port
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/ip pool
add name=POOL10 ranges=192.168.10.100-192.168.10.200
add name=POOL20 ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add address-pool=POOL10 disabled=no interface=VLAN10 name=DHCP10
add address-pool=POOL20 disabled=no interface=VLAN20 name=DHCP20
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface ethernet switch rule
add dst-address=192.168.20.0/24 new-dst-ports="" ports=ether2 switch=switch1
add dst-address=192.168.10.0/24 new-dst-ports="" ports=ether3 switch=switch1
/interface ethernet switch vlan
add ports=ether2,switch1-cpu switch=switch1 vlan-id=10
add ports=ether3,switch1-cpu switch=switch1 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-client
add !dhcp-options disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Jotne · August 10, 2021, 5:30am

I do not use the switch in RB750G r3.

Here is a long post about Mikrotik VLAN and this visio show more or less my final test setup.
http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/21

apan · August 10, 2021, 7:59pm

Thanks, pity I didn’t find that thread before I posted.
I’m a little concerned running everything on the CPU but I’ll give it a try and see how it preforms.

tdw · August 10, 2021, 9:07pm

Using the switch chip only bypasses the CPU for traffic between ethernet ports within the same VLAN, traffic between VLANs and NAT will always be handled by the CPU. Unless you have significant traffic within the same VLAN on different ethernet ports it is much simpler to use a VLAN-aware bridge.

k6ccc · August 10, 2021, 11:15pm

Unless you have significant traffic within the same VLAN on different ethernet ports it is much simpler to use a VLAN-aware bridge.

None of my routers have any traffic between different Ethernet ports on the same VLAN because there are none. Routers are used exclusively as routers and switches are used for switching functions. 4 of the 5 ports on both of my RB750 series routers immediately plug into ports on a CSS326 switch. The switch handles all the switching and VLAN splitting as needed.
And in case you are wondering why only 4 of the 5 ports of the two routers - the 5th port is a tie between the two routers for traffic that comes into one router and leaves via the other router. And I used to run that connection through the switch (even though it served no useful purpose), but I was running out of switch ports, so by running directly between the two routers, I freed up two switch ports…

apan · August 12, 2021, 9:53pm

It was easy to get going with the VLAN filtering bridge. Unfortunately it uses to much CPU, when I connect my Firewalla the RB750G more or less stops responding due to high CPU load with also takes down CAPsMAN I guess sinse the WiFi also goes down . Not really sure what the Firewalla does to trigger that but it does not happen when I’m using hardware offloading. Besides the Firewalla issue there will from time to time be large traffic in the same VLAN so I need it to perform decent. Not necessary line rate but at least half.

I was just about to call it the day and accept that the RB750G is an old pice and not up for the game when I tried to add a VLAN on top of the untagged bridge. Basically just adding this.

/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
/interface ethernet switch vlan
add ports=switch1-cpu,ether5 switch=switch1 vlan-id=10

I shouldn’t be surprised since AFAIK it should work like that but I haven’t managed to get it to work before, and sound like more have been struggling with it. I’ll continue to build up the network based on this and see how it holds.