I’ve been trying to set up a hEX router and I’m scratching my head. I come from a Cisco and Extreme background, so forgive my ignorance. I’d like to set up the ports on the device as “routed” ports, each being their own interface. Just to try and get things running, I came across a forum post (http://forum.mikrotik.com/t/untagged-and-tagged-vlan-on-hex-lite/106207/1) that led me to apply a VLAN interface to the master port. Once I tagged the other side, I was at least able to ping. But I’m not fond of the idea of using trunk ports, and would rather each port act as its own routed interface.
What I would like to do is have ethernet3 assigned to its own untagged vlan with its own IP interface. I tried assigning a VLAN interface to ethernet3 (configured with “none” master), but that didn’t work. Then I tried assigning the IP directly to the port, but that didn’t work, either. I tried my best to mirror the configuration of ethernet2 (the default master), but couldn’t get it to work outside of assigning the VLAN interface to the default master port.
I assume I’m just doing it wrong. I would appreciate any help I can get.
Default configuration of small RB routers is to have one routed port while the others are switched (and bridged to WLAN). If you want to use ports individually, you need to remove all of them from the router’s software bridge and/or switch group.
By default, ether1 port is not a member and is used as routing port towards WAN while ether2-ether5 are members of that bridge. If you remove any port from the bridge, it’s not switched/bridged to the other ports any more.
How this operation is really done depends on the version of ROS installed on your RB; the procedure is different for ROS < 6.41 than it is for ROS >= 6.41.
Or, from another perspective: it only makes sense to talk about VLANs if you need to have more than a single network on an interface or media, or if the packets of that single network on a physical interface have to be tagged with a VLAN tag because the interworking equipment requires that.
So what you actually want, as you say that all your “VLANs” should be tagless on their respective interfaces, is just to assign each physical interface its own IP configuration. And as @mkx says, the only thing you need to do in such case is to remove any reference to a “master interface” for the physical interface in 6.40 and below, or to remove the physical interface from a bridge in 6.41 and above. After doing that, you can assign the IP configuration directly to the physical interface.
Set up VLAN interfaces for each physical ethernet port you want to use. Add proper IP addresses by attaching them to the VLAN interfaces you just created.
Then, when ready, remove the ethernet ports from the default bridge. This will cut your actual connection, but hopefully you should be able to reconnect through your VLAN.
You may also delete the bridge interface if you don’t need it at all.
Your next steps should probably be inside the IP firewall section. By default with RouterOS, if no rule matches then the packet is accepted. Be careful to add suitable accept rules before the drop-all rule, especially for the input chain, or you might lose connection to the router itself. You might want to work in safe mode for automatic rollback in case that happens.
mkx, I upgraded to 6.41 and immediately saw what you were talking about. Once I removed the ports from the bridge I was able to accomplish what I needed. So, here’s a belated thank you!
I’m using the device for a site-to-site IPSec connection peering with my firewall. I’m 85% confident I’ve got the configs where they need to be and will be testing this week.
sindy,
Your comment makes me ask a basic noob question before I continue heading in the right direction in my trial and error testing and exploring. Must I create VLANs to do the following? Or is that only a necessity if I want clients to logically be grouped together into a LAN regardless of where they connect in?
Set up the RB750Gr3 with each port 2-5 supporting a separate LAN having switches/APs downstream. And then firewall rules that: (1) allow clients on 2 and 3 to have access to 4 but not 5, (2) deny connections from 4 to any others (just internet), and (3) restrict access to manage the router to devices connected physically via port 5.
2 - Private LAN
3 - Guest LAN
4 - web server (remote access servers) LAN
5 - router management LAN
You’ve got it right, you only need VLANs if you need to separate L3 subnets at L2 level and/or create complex L2 topologies. So for your case, having each of your IP subnets on its own dedicated interface makes VLANs redundant.
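The following is an added example of what the advice in this thread looks like as RouterOS 6.41+ CLI for the four-LAN layout described above; it is not configuration posted by anyone in the thread. It assumes ether1 is the WAN uplink, the default software bridge is still present, and the 192.168.2-5.0/24 ranges are free; run it from a terminal in Safe Mode (Ctrl-X) so a lost connection rolls the changes back.

```routeros
# Added example, not from the thread. Assumed: ether1 = WAN, ether2-ether5 = LANs.

# 1. Take ether2-ether5 out of the software bridge so each becomes a routed port
#    (once it has no members, the bridge itself can be removed).
/interface bridge port remove [find interface=ether2]
/interface bridge port remove [find interface=ether3]
/interface bridge port remove [find interface=ether4]
/interface bridge port remove [find interface=ether5]

# 2. One IP subnet per physical port; no VLAN interfaces are needed.
/ip address
add address=192.168.2.1/24 interface=ether2 comment="private LAN"
add address=192.168.3.1/24 interface=ether3 comment="guest LAN"
add address=192.168.4.1/24 interface=ether4 comment="web server LAN"
add address=192.168.5.1/24 interface=ether5 comment="router management LAN"

# 3. Input chain: the router itself is manageable only from ether5.
#    Established/related and DHCP are accepted first so existing sessions and
#    per-LAN DHCP leases keep working; the final drop overrides the accept-by-default.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether5 action=accept comment="management via ether5 only"
add chain=input protocol=udp dst-port=67 action=accept comment="DHCP server on every LAN"
add chain=input action=drop comment="everything else aimed at the router is dropped"

# 4. Forward chain, ordered so the specific accepts precede the drops.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether4 out-interface=ether1 action=accept comment="servers: internet only"
add chain=forward in-interface=ether4 action=drop comment="servers may not open connections to other LANs"
add chain=forward in-interface=ether2 out-interface=ether4 action=accept comment="private -> servers"
add chain=forward in-interface=ether3 out-interface=ether4 action=accept comment="guest -> servers"
add chain=forward in-interface=!ether5 out-interface=ether5 action=drop comment="nothing reaches the management LAN"
add chain=forward out-interface=ether1 action=accept comment="every LAN may reach the internet"
add chain=forward in-interface=ether5 action=accept comment="management LAN may reach every LAN"
add chain=forward action=drop comment="default deny between LANs and from WAN"
```

Review the result with `/ip firewall filter print` and `/ip address print`; with the rules in this order a host on ether2 can reach ether4 and the internet but not ether5, and the router answers management traffic only on ether5.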
If you might be ever so kind, another question. So I currently have the 4 internal ports on the RB750Gr3 on their own subnet with their own dhcp. I’m now pondering the bridging vs routing distinction (note: if relevant, I intend to setup firewall rules to control traffic between the subnets). I worked from the default config, which has the default bridge. I simply removed the other ports from the bridge. So, my assumption is that the bridge only has purpose if I have more than one port participating on the same subnet and if not, I should remove it entirely?
Correct. If there is only a single member port in a bridge, you can cancel the membership of that port (interface) in the bridge and move the IP configuration (static IP address, dhcp server, dhcp client, …) or PPPoE configuration from the /interface bridge to the /interface ethernet (or wireless or eoip if that’s the case). And then you can remove the /interface bridge from the configuration.
If the goal is to have a different net on every port, you do not need to use VLAN.
Just bind an IP to each interface and the L3 routing will route all of them together.
You can also add a DHCP server for each net like I have shown.