I have recently purchased a CRS326 24-port switch running ROS 6.42.5. I’m trying to achieve the following:
1 WAN vlan (id 10) containing two ports (1 for my set-top-box, 1 for the provider modem connection) - DHCP client running on this, NAT to this network
1 very restricted port (vlan 40)
2 “all-access” ports (vlan 30), which can communicate with the WAN, LAN, and restricted port
the other 19 ports are regular LAN (vlan 20), being able to access the WAN through NAT and devices on VLAN 30.
My current problem is that traffic never appears to come up. Not even the DHCP negotiations. I’ve tried with multiple bridges, too, but that config didn’t work either.
With vlan-filtering=no, the pvid in /interface bridge port doesn’t work. So you also have to configure /interface bridge vlan properly and set vlan-filtering to yes on the bridge.
Thanks for your response sindy, I forgot to add that I did enable vlan-filtering in the end (with the pvid of the bridge still set to 1). To add, there is one bridge interface from the default configuration (ip 192.168.88.1/24). If I remove that bridge, I get locked out and of course I cannot get in through any of the other ports since dhcp does not assign any IP. Manual IP assignment does not allow me to ping either.
To avoid further misunderstandings, I’ll post the current running config that gets printed by /export hide-sensitive:
I am very unsure of how you are handling your modem traffic.
How will the rest of your devices get to the internet if you’re stuffing it into vlan10?
a. Is your internet traffic coming in on a vlan already? If so, just add the vlan to the ethernet interface (port23) as dhcp client and nothing more. Internet will then be coming into the router and be available to the bridges. In other words, I don’t think it’s correct to add vlan-wan to the bridge.
(in other words making up vlan10 seems wrong)
b. Is your set top box working on a specific vlan XX? If so, this would be a case for a vlan from the provider to carry it to your set top box. I am not sure you would need to pvid this port (the one to the set top box) as the provider’s devices probably already speak vlanXX.
OP has ether23 and ether24 set as access ports for vlan10 (pvid=10). If internet from the modem is not tagged (by the modem), then with vlan-filtering=yes internet will appear on the vlan-wan interface on the bridge.
@tdw: if you enable vlan-filtering, you have to unplug and re-plug ethernet cable between your management machine and RB … so that machine notices loss of connectivity and re-starts DHCP negotiation, during which it should receive proper IP address. You’ll have to re-start the management app (whichever you’re using, either Winbox, CLI connection or WebUI) and connect to the management IP address of your RB.
I’m able to access the internet now, but only because my device (laptop) gets assigned an IP from my ISP. I’m unable to ping any of the 172.16.x.x gateways.
Always start this type of adventure by configuring a single ethernet interface which is not a member of any bridge and has an IP address from a dedicated subnet attached to it. Even better, make sure that this interface is a member of interface list to which mac-telnet and mac-winbox refer so that you could connect using MAC address. Or, if you have a serial interface on the device and you don’t mind using command line, you can connect using a serial terminal. Test this connection and use it to configure the rest. Safe mode never hurts, you can lock yourself out by a mere typo if using the command line.
Next, the following must be there for VLAN X (X != 1) on a common bridge for which you want to have an L3 interface on the Mikrotik itself, where the VLAN is tagged on the wire on etherA and tagless on the wire on etherB:
Okay Sindy, let’s say I will buy that there is no problem with vlanning the incoming modem traffic with vlan 10, if that is the intent.
(in which case pvid=xx ingress-filtering=yes are typically used - aka access port)
How do LANs on the bridge and VLANs on the bridge gain access to the internet??
My view is that only those on vlan10 will get internet traffic available.
Should I assume that he has eth23 attached to the modem as a DHCP Client?
If so, how does the data escape vlan10 to reach other LANs or vlans (not 10) on the bridge??
My ISP is different: it comes in on vlanYY and the ethernet interface involved has a vlan set up for this but is not on any bridge!!
It basically terminates at the router I guess and then is available for everything behind the router… Not sure how that works either, sigh…
Here’s how data flows from internet towards LAN host (the opposite direction takes reverse steps):
untagged packet exits ISP’s modem
untagged packet arrives at ether23. This port has pvid set, so it gets tagged with VLAN ID 10
vlan10 tagged packet enters bridge
vlan10 packet arrives at interface vlan10 (created on top of bridge), where it gets untagged and becomes available to the routing engine
routing engine does inverse src-nat magic and pushes the resulting packet untagged to interface vlan20
interface vlan20 tags the packet with VLAN ID 20 and pushes it to the bridge
vlan20 tagged packet finds the correct egress port and leaves the RB (possibly untagged if the chosen egress port is an untagged member of VLAN 20)
.
It basically terminates at the router I guess and then is available for everything behind the router… Not sure how that works either, sigh…
Your setup is similar with the following differences:
ingress packets are passed through on the ether port (they are already tagged)
they get untagged in the vlan interface created directly on the ether port, as the ether port is not a member of a bridge. For the routing engine this is all the same, it only needs an untagged interface with the WAN IP address set. It really doesn’t care about the underlying interface layers.
@quintenvk: your initial config might have been correct or it might not. It’s just that lots of things change when you change both L2 and L3 peer of your computer.
Okay, let’s take the latter first.
a. Packets are already tagged when arriving at the ethport (dhcp client).
b. I created a VLAN associated with that interface for vlanYY.
c. The reason to create the VLAN is for the router to accept the tagged packets. One needs to create the vlan interface to do that!
(What happens to tagged packets at the etherport if I had no VLAN set up? Ignored and passed through, and if so, that should work too, OR rejected because not pvid=1??)
d. Then the packet leaves the vlan interface (no bridge to go onto), is automatically stripped of its vlan tags by the vlan interface and then is passed to the routing engine??
RULEA: To allow already tagged packets into the router a VLAN interface for that vlan has to exist.
RULEB: Any VLAN entering the router NOT attached to a bridge is stripped of its tags automatically by the applicable VLAN interface before being distributed by the router engine.
Now the former…
I understand PVID and tagging the packets and entering the bridge.
e. The ethport tags untagged packets IAW the pvid=10 rule.
f. Assuming ingress-filtering, packets not able to egress that port are blocked.
g. So the packets are now allowed on vlan10 on the vlan interface and arrive at the bridge.
WHY does the bridge untag these packets???
In normal function, vlanXXX traffic coming into the bridge would get passed to any other ethports on the bridge with the same applicable tagging.
It doesn’t untag the packets and then miraculously send them to unrelated VLAN ports???
This part is extremely confusing.
a. Yes
b. Yes. Keep in mind that this association can be made in many places.
c. If the etherport doesn’t have a VLAN set up, tagged packets will pass the L2 portion of the port. They won’t get picked up (or, in your words, they’ll get rejected) by the L3 portion of it, so they won’t arrive at the router’s IP interface associated with that ether port.
d. Yes. The vlan interface will perform ingress filtering and tag stripping on the way from the trunk side to the access side, and tag packets on the way from the access side to the trunk side.
.
RULEA: To allow already tagged packets into the router a VLAN interface for that vlan has to exist.
Not exactly. To make tagged packets usable to the L3 portion of the routerboard, their VLAN tag needs to be stripped. And that’s performed by the vlan interface.
The L2 portion of the router (namely the bridge) is happy with tagged packets.
.
RULEB: Any VLAN entering the router NOT attached to a bridge is stripped of its tags automatically by the applicable VLAN interface before being distributed by the router engine.
It’s not the ether port that strips VLAN tags, it’s the vlan interface that does it. And that vlan interface can be attached directly to an ether port or to a bridge.
OK, there are cases when an ether port untags tagged packets on ingress, but doing that kind of setup really makes brains spin around …
.
Now the former…
I understand PVID and tagging the packets and entering the bridge.
e. The ethport tags untagged packets IAW the pvid=10 rule.
f. Assuming ingress-filtering, packets not able to egress that port are blocked.
g. So the packets are now allowed on vlan10 on the vlan interface and arrive at the bridge.
WHY does the bridge untag these packets???
Because there’s a vlan interface attached to the bridge (with vlan id 10). And it’s that interface that untags packets …
All packets live tagged on the bridge. Nothing is confusing, at least as long as you don’t let untagged packets into the bridge.
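The data flow mkx describes above (untagged frame tagged by the pvid on ether23, untagged again by the vlan interface on top of the bridge, routed and NATed, re-tagged on the way out through vlan20) and the bridge/vlan-interface split clarified in the last reply correspond to the following RouterOS 6.41+ bridge VLAN configuration. This is an added example, not a config anyone posted in the thread. It assumes a CRS326 with ether1 kept out of the bridge as an out-of-band management port (as sindy advises), ether23 and ether24 as the untagged modem and set-top-box links (vlan 10), ether2 and ether3 as vlan 30, ether4 as vlan 40 and ether5 to ether22 as vlan 20; the names bridge1, MGMT, the vlanNN-* interfaces, the 172.16.x.0/24 subnets and the choice to let vlan 40 reach only the WAN are all assumptions.

```routeros
# Added example (not from the thread). Names, port assignments and subnets are assumptions.

# 1. Out-of-band management first: ether1 stays off the bridge and is the
#    only interface that answers MAC-Telnet/MAC-Winbox.
/ip address add address=172.16.0.1/24 interface=ether1
/interface list add name=MGMT
/interface list member add list=MGMT interface=ether1
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT

# 2. One bridge; leave vlan-filtering off until every port and VLAN is declared.
/interface bridge add name=bridge1 vlan-filtering=no

# 3. Access ports. pvid tags untagged ingress; ingress-filtering drops frames
#    for VLANs the port is not a member of; frame-types rejects frames that
#    already carry a tag, so a host cannot inject itself into another VLAN.
/interface bridge port
add bridge=bridge1 interface=ether23 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether24 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether2 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=40 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
:for i from=5 to=22 do={
  /interface bridge port add bridge=bridge1 interface=("ether" . $i) pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
}

# 4. Bridge VLAN table. bridge1 itself is a tagged member of every VLAN that
#    needs an L3 interface on the router; that is what lets the vlan interface
#    on top of bridge1 see (and untag) the traffic.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether23,ether24
add bridge=bridge1 vlan-ids=30 tagged=bridge1 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=40 tagged=bridge1 untagged=ether4
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22

# 5. L3 interfaces on top of the bridge, one per VLAN. These strip the tag on
#    the way to the routing engine and add it on the way back.
/interface vlan
add name=vlan10-wan interface=bridge1 vlan-id=10
add name=vlan20-lan interface=bridge1 vlan-id=20
add name=vlan30-all interface=bridge1 vlan-id=30
add name=vlan40-restricted interface=bridge1 vlan-id=40

/ip address
add address=172.16.20.1/24 interface=vlan20-lan
add address=172.16.30.1/24 interface=vlan30-all
add address=172.16.40.1/24 interface=vlan40-restricted

# 6. WAN: the DHCP client sits on the vlan interface, not on ether23 or bridge1.
/ip dhcp-client add interface=vlan10-wan disabled=no

# 7. NAT everything that leaves through the WAN VLAN.
/ip firewall nat add chain=srcnat out-interface=vlan10-wan action=masquerade

# 8. Inter-VLAN policy: vlan30 may reach everything, vlan20 may reach the WAN
#    and vlan30, vlan40 may reach only the WAN (assumption; delete that rule
#    if the restricted port should have no outbound access at all).
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan30-all action=accept
add chain=forward in-interface=vlan20-lan out-interface=vlan10-wan action=accept
add chain=forward in-interface=vlan20-lan out-interface=vlan30-all action=accept
add chain=forward in-interface=vlan40-restricted out-interface=vlan10-wan action=accept
add chain=forward action=drop

# 9. Only now switch filtering on, from the management port or inside Safe Mode.
/interface bridge set bridge1 vlan-filtering=yes
```

Order matters: declare the ports, the bridge VLAN table and the vlan interfaces first, confirm you can still reach the router on ether1 (or via mac-winbox on the MGMT list), and flip vlan-filtering=yes last, ideally inside Safe Mode (Ctrl-X in the terminal) so a mistake is rolled back when the session drops. After the flip, hosts on the access ports need to renew their DHCP lease, as sindy notes. The frame-types setting on the access ports is the part worth keeping even if you simplify the rest: without it, ingress-filtering alone only checks membership, and a host that sends its own 802.1Q tags for a VLAN the port happens to be a member of would be accepted.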
OK guys, thanks for the advice so far. I’ve decided to order a console cable. More updates on Thursday, probably, when I can start configuring properly again…