[RB750Gr3 (hEX)] - Simple VLAN and Management network

FIRST POST

I recently purchased an RB750Gr3 for home use. I am just trying to get a simple VLAN setup working, including a Management port on the Hex itself and a Management VLAN.

Using typical VLAN membership tables I have seen on other routers, this is my intent:

                VLAN     Ports
                      2  3  4  5
                1     X  U  U  U
SegregatedWiFi  5     X  X  X  T
SiteLAN         6     X  T  T  T
Management      7     T  X  X  T
                PVID  7  1  1  1

X = uninvolved/empty
U = untagged
T = tagged

After some reading around the documentation and online examples I could find, including the Wiki, I ran Winbox and first upgraded RouterOS to 6.41.3 from factory software of 6.38.7, in order to get the new VLAN-aware bridges and up-to-date features.

Then I accepted the initial Default Configuration choice, so I could keep the WAN and its associated configuration (NAT and firewalls etc.) and deleted the default bridge named “bridge” because it involved all the ports as a group. So, now I had five ports: ether1 through ether5, with ether1 being the WAN - which I left untouched.

These are the configuration rules I used:

/interface bridge
add name=br1 vlan-filtering=yes
add name=brv0 vlan-filtering=yes
add name=brv1 vlan-filtering=yes
/interface bridge port
add bridge=br1 interface=ether3
add bridge=br1 interface=ether4
add bridge=br1 interface=ether5
/interface bridge vlan
add bridge=brv0 tagged=brv0,ether2,ether5 vlan-ids=7
add bridge=brv1 tagged=ether5 vlan-ids=5
add bridge=brv1 tagged=ether5,ether4,ether3 vlan-ids=6
/interface vlan
add interface=brv0 name=Management vlan-id=7
add interface=brv1 name=SegregatedWiFi vlan-id=5
add interface=brv1 name=SiteLAN vlan-id=6
/ip address
add address=192.168.88.1/24 interface=br1 network=192.168.88.0
add address=192.168.7.1/24 interface=Management network=192.168.7.0
add address=192.168.5.1/24 interface=SegregatedWiFi network=192.168.5.0
add address=192.168.6.1/24 interface=SiteLAN network=192.168.6.0

I have a dual-NIC Windows server on which I am testing the Management port and Management VLAN. The first NIC is just connected to the Internet (and higher priority) via another router - so should not be relevant. The second NIC is connected to ether2 for Management port testing. I also changed and experimented with setting the VLAN ID for it to match the Management VLAN ID (i.e. changed it from its default of 1 to 7).

Problem: no matter how I experiment with either the client NIC’s VLAN or minor tweaks to the configuration above, I cannot connect to the router via its IP of 192.168.7.1 UNLESS I change the IP interface from “Management” to “ether2”. Then suddenly it works. But this seems to defeat the purpose of having a Management VLAN and confounds my understanding of VLANs and Bridges in this Mikrotik router. Oddly enough, I can always connect via the MAC address of the ether2 port.

I started worrying I need to dream of “switch chips” or hidden bridges or that my initial basic intent is somehow invalid. Yet why would only this final step appear to be failing (IP)?

Can anyone point out where I am going wrong and any other glaring errors in my setup, please? More details: Management VLAN is to eventually put all the routers + switches in one subnet. SegregatedWiFi VLAN is to keep the WiFi away from the other networks yet provide Internet via this edge router. SiteLAN VLAN is to confine anything connected to its own network and without Internet (I believe the second part will require changes to the firewall).

Note. I am not a networking professional, just a person with some experience in tech and not afraid to experiment.

Solution: The key was realizing that, despite the VLAN ID user interface to the NIC in Windows, my PC client was not VLAN-aware. So, having a tagged management port was preventing the router from talking to the PC above Layer 2. This occurred to me after the Wireshark software traffic analyzer could not find any traffic with the “vlan” tag (I am aware it can fail to find VLAN traffic for other reasons though).

I changed my VLAN plan to the following:

                VLAN     Ports
                      2  3  4  5
                1     X  U  U  U
SegregatedWiFi  5     X  X  X  T
SiteLAN         6     X  T  T  T
Management      7     U  X  X  T
                PVID  7  1  1  1

After some more reading around, I also simplified (and renamed) my bridge setup. It now consists of one non-VLAN-filtered bridge for the untagged ethernet non-management ports called “bridge”. As the first such bridge, it should benefit from hardware acceleration. Now the only other bridge is a single VLAN-filtered bridge containing all the VLAN memberships called “bridge-vlan”. I added all the ethernet interfaces as bridge ports, including the management port. I added the bridge-vlan interface itself to all the tagged lists in the vlan-aware bridge. I also cleaned up the interface lists.

/interface bridge
add name=bridge
add fast-forward=no name=bridge-vlan vlan-filtering=yes
/interface vlan
add interface=bridge-vlan name=Management vlan-id=7
add interface=bridge-vlan name=SegregatedWiFi vlan-id=5
add interface=bridge-vlan name=SiteLAN vlan-id=6
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge-vlan interface=ether2 pvid=7
/interface bridge vlan
add bridge=bridge-vlan tagged=bridge-vlan,ether5 vlan-ids=5
add bridge=bridge-vlan tagged=bridge-vlan,ether5,ether4,ether3 vlan-ids=6
add bridge=bridge-vlan tagged=bridge-vlan,ether5 untagged=ether2 vlan-ids=7
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.7.1/24 interface=Management network=192.168.7.0
add address=192.168.5.1/24 interface=SegregatedWiFi network=192.168.5.0
add address=192.168.6.1/24 interface=SiteLAN network=192.168.6.0
/interface list member
add comment=defconf interface=ether2 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=Management list=LAN
add interface=SegregatedWiFi list=LAN
add interface=SiteLAN list=LAN
add interface=bridge list=LAN
add interface=bridge-vlan list=LAN

I will do all further VLAN testing with a VLAN-aware switch.

If anyone has any recommendations or sees any errors or problems in this setup, I would appreciate any help. Thank you.

EDIT:

The above configuration only solved a minor problem. The real solution was to have a single bridge for everything. Follow-up on this thread: https://forum.mikrotik.com/viewtopic.php?f=13&t=132437
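The mistakes that bit this thread (ports named in a bridge's VLAN table that were never added to that bridge, a bridge missing from its own VLAN's tagged list so the router CPU never sees the VLAN, and VLAN tables split across several bridges) produce no error in RouterOS; the traffic simply stops. The script below is an added example, not the poster's configuration or a MikroTik tool: it parses the four bridge/VLAN sections of a RouterOS export (in the `add key=value` form shown above) and reports those inconsistencies, plus an untagged port whose pvid points at a different VLAN. The two embedded exports are the first attempt and the revised configuration from this post, trimmed to the sections the checks read; the parser assumes values without spaces and comma lists for `vlan-ids` (it does not expand ranges), and it does not model the dynamic VLAN entries RouterOS adds for port pvids.

```python
"""Added example: consistency checks for a RouterOS (6.41+) bridge-VLAN export.

Reports the silent configuration mistakes on a VLAN-filtered bridge: a VLAN-table
port that is not a member of that bridge, an untagged port whose pvid is a different
VLAN, an /interface vlan whose parent bridge is not in the VLAN's tagged list, and
more than one bridge being defined (ports and VLAN tables never span bridges).
"""
from collections import defaultdict


def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} from 'add key=value ...' lines."""
    sections, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif section and line.startswith("add "):
            entry = dict(token.partition("=")[::2] for token in line[4:].split())
            sections[section].append(entry)
    return dict(sections)


def _names(value):
    """'a,b,c' -> ['a', 'b', 'c']; a missing value -> []."""
    return [v for v in (value or "").split(",") if v]


def check_bridge_vlans(text):
    """Return a sorted list of findings; an empty list means the export is consistent."""
    cfg = parse_export(text)
    findings = []
    bridges = [b["name"] for b in cfg.get("/interface bridge", [])]
    filtering = {b["name"] for b in cfg.get("/interface bridge", [])
                 if b.get("vlan-filtering") == "yes"}
    members = defaultdict(set)      # bridge -> member ports
    pvid = {}                       # (bridge, port) -> pvid; RouterOS default is 1
    for p in cfg.get("/interface bridge port", []):
        members[p["bridge"]].add(p["interface"])
        pvid[(p["bridge"], p["interface"])] = p.get("pvid", "1")

    tagged_on = defaultdict(dict)   # bridge -> vlan id -> tagged names
    for v in cfg.get("/interface bridge vlan", []):
        bridge = v["bridge"]
        tagged, untagged = set(_names(v.get("tagged"))), set(_names(v.get("untagged")))
        for vid in _names(v["vlan-ids"]):  # comma lists only; ranges are not expanded
            tagged_on[bridge][vid] = tagged
            # The bridge itself may be listed (that is how the CPU receives the VLAN);
            # every other name must be a port that was added to this bridge.
            for port in sorted((tagged | untagged) - {bridge}):
                if port not in members[bridge]:
                    findings.append(f"{bridge} vlan {vid}: {port} is not a port of this bridge")
            # Untagged egress on one VLAN while ingress is classified by another pvid
            # puts the two directions of the same link into different VLANs.
            for port in sorted(untagged & members[bridge]):
                if pvid[(bridge, port)] != vid:
                    findings.append(f"{bridge} vlan {vid}: {port} is untagged here "
                                    f"but its pvid is {pvid[(bridge, port)]}")

    for iv in cfg.get("/interface vlan", []):
        bridge, vid = iv["interface"], iv["vlan-id"]
        if bridge in filtering and bridge not in tagged_on[bridge].get(vid, set()):
            findings.append(f"{iv['name']}: {bridge} is not in the tagged list for "
                            f"vlan {vid}, so the router itself never receives it")

    if len(bridges) > 1:
        findings.append(f"{len(bridges)} bridges defined ({', '.join(bridges)}); "
                        "ports and VLAN tables do not span bridges")
    return sorted(findings)


# The two exports from the post, trimmed to the sections the checks read.
FIRST_ATTEMPT = """\
/interface bridge
add name=br1 vlan-filtering=yes
add name=brv0 vlan-filtering=yes
add name=brv1 vlan-filtering=yes
/interface bridge port
add bridge=br1 interface=ether3
add bridge=br1 interface=ether4
add bridge=br1 interface=ether5
/interface bridge vlan
add bridge=brv0 tagged=brv0,ether2,ether5 vlan-ids=7
add bridge=brv1 tagged=ether5 vlan-ids=5
add bridge=brv1 tagged=ether5,ether4,ether3 vlan-ids=6
/interface vlan
add interface=brv0 name=Management vlan-id=7
add interface=brv1 name=SegregatedWiFi vlan-id=5
add interface=brv1 name=SiteLAN vlan-id=6
"""

REVISED = """\
/interface bridge
add name=bridge
add fast-forward=no name=bridge-vlan vlan-filtering=yes
/interface vlan
add interface=bridge-vlan name=Management vlan-id=7
add interface=bridge-vlan name=SegregatedWiFi vlan-id=5
add interface=bridge-vlan name=SiteLAN vlan-id=6
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge-vlan interface=ether2 pvid=7
/interface bridge vlan
add bridge=bridge-vlan tagged=bridge-vlan,ether5 vlan-ids=5
add bridge=bridge-vlan tagged=bridge-vlan,ether5,ether4,ether3 vlan-ids=6
add bridge=bridge-vlan tagged=bridge-vlan,ether5 untagged=ether2 vlan-ids=7
"""

if __name__ == "__main__":
    for label, export in (("first attempt", FIRST_ATTEMPT), ("revised", REVISED)):
        print(f"== {label} ==")
        for line in check_bridge_vlans(export):
            print(" ", line)
```

Run against the first attempt, the script reports that brv0 and brv1 have no member ports at all (ether2 and ether5 appear only in brv0's VLAN table, ether3 to ether5 belong to br1) and that brv1 is absent from the tagged lists of VLANs 5 and 6. Against the revised export it still reports that ether3 to ether5 are members of `bridge`, not of `bridge-vlan`, whose VLAN table names them, which is consistent with the follow-up that a single bridge was the real fix. A clean single-bridge export, with every port added to that one bridge and the bridge itself in each tagged list, returns an empty list.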