Setting up RouterOS as a switch with RoaS

Hi,

I’m trying to configure my Mikrotik RouterOS6 to work as a ‘simple’ switch that allows 3 VLANs to connect to my Untangle firewall. I’ve posted on the Untangle forums as well to verify the Untangle settings, however I would like to check here as well to see if the switch is configured correctly. I’ve spent quite a bit of time researching, and there’s a good chance I would be better off doing a factory reset, but can anyone look at the below two pages and let me know if anything seems off, or if anything is still missing that could prevent my ESXi on eth9 from getting an IP in subnet 10.10.13.xx?

I looked into CLI configuration as well but the logic is just completely different from what I learned with Cisco and I cannot seem to grasp what the commands do exactly. This is on an RB2011 series with two switches, Atheros8327 & 8227.
Attachments: Bridge.png, Bridge ports.png, interfaces.png

As bonus info, this is what I’m actually trying to do
Attachment: Untangle layout.png

Post your config:
/export hide-sensitive file=anynameyouwish

In the meantime read this thread for ideas…
https://forum.mikrotik.com/viewtopic.php?t=182276

Use a single VLAN-aware bridge, note that the bridging will be done in software so you are unlikely to achieve gigabit throughput on ether1-5/sfp1 on a 2011. There is no easy way to use the switch chips directly if you wish to use ports on both switches with hardware offloading, see https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithmultipleswitchchips for the gory details

I’ve since started over entirely, and was able to create the VLANs successfully by following a guide. I understand the commands just well enough to adapt them to my needs, however two issues remain:

  • I cannot access the switch remotely, only by connecting a laptop to a port directly. I should probably add a management interface but there’s only the 3 VLANs being sent over the trunk. Thinking on that just now, I could just add the management VLAN on the other end as well.


  • Two ‘dynamic’ entries slipped into the attached table, one apparently normal, the other one accidentally. I’m not sure what they mean or if I should remove them, and if so how.

I must say I’m not impressed with how to control this device so far :/.
Attachments: Maurice.rsc (1.53 KB), Bridge VLANs.png

Both Atheros8327 & 8227 support VLANs in hardware only using the switch chip, /interface ethernet switch…
You have to configure the VLAN membership, your trunk and access ports, in the Switch menu…

Whatever configuration is done other than the above will be in Software ( CPU )…

Both dynamic entries are there because two bridge ports (ether1 and bridge … yes, the bridge has two personalities, one of them is an interface) have PVID set but you didn’t include them in /interface bridge vlan … ether1 with PVID=1 is the implicit default and bridge with PVID=10 is your configuration.

What is missing to access the switch remotely is to assign the switch an IP address … you have a defunct setting in /ip dhcp-client … you need to bind it to some interface, the bridge interface will be fine. My personal suggestion, though, is to set IP addresses for LAN infrastructure devices statically on the devices. There are some conditions where your switch might not be able to get an IP address (e.g. if after a LAN-wide black-out the switch boots up faster than the DHCP server) and you may end up with a nondeterministic state.

What @zacharias states … is about performance, not about functionality. Yes, after things start to work for you and you get acquainted with the ROS style, you’ll probably want to reconfigure the switch to use switch chip features. That kind of configuration is a bit awkward, so I suggest you proceed with your current configuration style. For now.

Also you failed to read or read and understand the link provided.

First mistake was changing the default PVID, although there may be instances where this makes sense, the majority of times it should be left alone.
You need vlan10 because that is your trusted vlan and the Mikrotik should have its IP from this vlan.
Also you forgot to define the vlans!!!

/interface bridge
add name=bridge1 pvid=1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11 vlan-id=11
add interface=bridge1 name=vlan12 vlan-id=12
add interface=bridge1 name=vlan13 vlan-id=13
/interface list
add name=Manage
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether9 pvid=13
add bridge=bridge1 interface=ether10 pvid=13
add bridge=bridge1 interface=ether7 pvid=12
add bridge=bridge1 interface=ether6 pvid=12
add bridge=bridge1 interface=ether5 pvid=12
add bridge=bridge1 interface=ether3 pvid=11
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether10,ether9 vlan-ids=13
add bridge=bridge1 tagged=ether1 untagged=ether5,ether6,ether7 vlan-ids=12
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=11
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=10
/interface list member
add interface=vlan10 list=Manage
/ip address
add address=192.168.XX.XX/24 interface=vlan10 network=192.168.XX.0 comment="IP of MT device on trusted subnet"
/ip dns
set allow-remote-requests=yes servers=192.168.XX.1 comment="dns through trusted subnet gateway"
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.XX.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Manage
/lcd
set enabled=no touch-screen=disabled
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=Maurice

To add to what @mkx said, since your Bridge PVID = 10, this means that only members of said VLAN ( 10 ) will be able to access the Switch.

My previous comment is indeed about the performance of the switch…

You're right in that I failed to understand the link you sent. I cannot make sense of the different ways you can set this up. The config posted here differs entirely from mine and I can't apply configs I don't understand. I'll focus on adding an IP to the eth1 interface, then expand on that.

EDIT: I've attempted to add the lines related to the management interface, however I cannot seem to ping in either direction. At this point there's a good chance the firewall rules on the other end are involved however. Looking at the config, I'm confused as to why the original 3 VLANs are configured completely differently from the new one. Only VLAN 99 is showing up under my interfaces, the other 3 I originally made (which also work) are shown under the Bridge>VLANs menu. Is there somewhere I can get more info on the philosophy behind these different menus?

# mar/06/2022 10:51:05 by RouterOS 6.47.7
# software id = 0FI9-BZC2
#
# model = 2011UAS
# serial number = 4271026A5F3B

/interface bridge
add name=bridge1 pvid=10 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether9 pvid=13
add bridge=bridge1 interface=ether10 pvid=13
add bridge=bridge1 interface=ether7 pvid=12
add bridge=bridge1 interface=ether6 pvid=12
add bridge=bridge1 interface=ether5 pvid=12
add bridge=bridge1 interface=ether3 pvid=11
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether10,ether9 vlan-ids=13
add bridge=bridge1 tagged=ether1 untagged=ether5,ether6,ether7 vlan-ids=12
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=11
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp1 list=LAN
/ip address
add address=10.10.99.51/24 comment="Management IP" interface=vlan99 network=10.10.99.0
/ip dhcp-client
add
/lcd
set enabled=no touch-screen=disabled
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=Maurice

The way you have it configured, you should be able to access the Switch using Tagged Traffic with VLAN id 99 coming from ether1…
If you want to test it using Untagged Access, you can as well change a PVID of a port to 99 and check if through that port you can access the Switch through its Management VLAN.

Disclaimer: I am a MikroTik ROS noob… so independently verify what I recommend below.

Looking at the block diagram of the RB2011, it has two switch chips, one for the 5 lower ports (1Gbps capable), one for the 5 upper ports (only 100Mbps).

So the first question is: What kind of performance are you expecting? Does your Untangle firewall have all Gb ports? Are they individual ports (for example Qotom or Protectli), or something with an integrated switch? The reason I ask is because your graphic shows the connection from the rightmost port of the Untangle FW to the PC labelled as “VLAN 10”, and that isn’t what I would expect on a FW with dedicated ports. Unless Untangle is using a bridge device, any vlan 10 associated with that port would not be in the same broadcast domain as a vlan 10 on the trunk port (which isn’t mentioned).

What sort of environment is this in? I am just trying to understand what the reason for different vlans is.
Is this for learning about ROS? Then by all means keep playing.
Trying to repurpose old equipment? (if this is the case, how much is your time worth?)
How secure does the switch have to be?

  • A home where you have good control of physical access to the devices, but generally the area is “trusted”.


  • A business where the equipment is secured, and you don’t want anyone on vlans 11, 12 or 13 to have any chance of logging into the switch, even if they could guess the password?

If this is in a home, you want good performance on all the vlans, and you don’t really care about learning how to configure the RB2011, my suggestion would be to buy an 8 port vlan-aware switch. These are available on Amazon around $30 (TL-SG108E), but be aware that the “smart” switches are not business class, and by design there is no possible way to prevent any client using standard untagged ethernet frames from gaining access to the web interface of the switch, regardless of what vlan they are connected to. You can set a password, but that’s the only thing you can do; the web interface uses http only (no secure protocols), and there is no telnet or ssh. And the firmware has known buffer overrun bugs. See Not So Smart: TP-Link TL-SG105E V3.0 5-Port Gigabit Easy Smart Switch

I do own 3 of the TL-SG108E and use them at home, but I would never use them in a business, and never connected directly to the internet (even at home), although if you set the ip address to a static RFC1918 address, it would provide some protection.

So getting a dedicated switch would be my recommendation to someone that wanted to have a “trusted” vlan, a camera vlan, and an IoT/Guest vlan at home without having to learn ROS. For more money you can get better switches. I also have two MikroTik CSS106-5G-1S switches, and they are more feature rich than the TL-SG108E, but still no secure protocols for management or anything but web interface to SwOS (no support for WinBox either, but it is my current goto for a network tap for wireshark).

If you made it this far, I will assume you do want to learn how to get the RB2011 to work as a switch, and performance isn’t your highest goal.

You need to decide which VLAN can be put on the 100M switch. I would put the trunk and the other two VLANs on the lower ports (the 1Gbps-capable half).

Your cisco IOS knowledge isn’t going to transfer to the ROS way of doing things in a straight forward way. And as others have mentioned, if you use the bridge method everything is going to be done in software (slowly). That’s less of a concern for traffic that is going between vlans (because that will have to be routed anyway) but for two ports in the same vlan, normally all L2 traffic could be handled by a switch ASIC at near “wire” speed, but that won’t be what you see on the RB2011 if you use the bridge. For that, a TL-SG108E would give you better performance.

Here’s a webpage with some hints about Cisco to MikroTik – Switching and VLANs, although it is really aimed more at replacing with a CRS switch, not a RB2011.

Also, I am going to disagree with 404Networks suggestion to create multiple vlan interfaces, one for each vlan. That’s going to complicate things, because now the RB2011 will want to route between the vlans, and my guess is that you want to have all intervlan routing done by your Untangle firewall. Yes, you could put in firewall rules to prevent the inter-vlan routing by the RB2011, but the easiest way is to make that impossible. Without ip addresses, you wouldn’t be able to connect to them with ip, but perhaps with mac using winbox. Edit: I wasn’t thinking clearly, because the RB2011 won’t be able to route without having ip addresses associated with those interfaces, so as long as there is only a single interface with an ip address, then the RB2011 won’t try to route.

Study material: See the links in these posts: http://forum.mikrotik.com/t/issue-with-dhcp-server-and-vlans-and-console-access/156327/1 and for networking background http://forum.mikrotik.com/t/issue-with-dhcp-server-and-vlans-and-console-access/156327/1

Concur, if the 2011 is so underpowered that routing many VLANs doesn’t make sense.

Ok I found your post on the untangle forum
https://forums.untangle.com/networking/45236-setting-up-trunk-between-untangle-mikrotik-switch.html
And it had useful information in the untangle settings.png file. Why didn’t you post that along with the Untangle layout.png?

The most important is that you want to access the management switch via the Untangle FW’s eth2 interface with ip address 10.0.0.1/24. Note that this interface is untagged.

If the only thing that is going to use the untangle eth2 untagged interface 10.10.0.0/24 network is your connection to the switch, then choose an unused vlan (I would leave as the default 1) and set the pvid of both the bridge and ether1 to the same value. If untangle has a dhcp server for eth2 (10.10.0.0/24) and you want the RB2011 to obtain its ip config via dhcp, then you need to set the bridge as a dhcp client. But first get it working with a static ip. The following assumes that your Untangle FW acts as a dns forwarder.

Edit: @404Networks noticed a mistake in the configuration in this post, which was based on my incorrect recommendation below. @tdw do you have any input?
/ip address add address=10.10.0.2/24 interface=ether1 <— Edit: WRONG ether1 is part of the bridge, this should be BR1 (which should now have default pvid 1, the untagged bridge interface.)
/ip address add address=10.10.0.2/24 interface=BR1 <— Edit: I now think it should be like this instead of above. Note this goes against advice in this post, but see my response in this post too.
/ip route add gateway=10.10.0.1
/ip dns set servers=10.10.0.1

EDIT: following up on the below, after exporting my own config again it seems these 4 lines did not make it into the config. Entering the lines again makes no difference however. I’ve attached the resulting exported config.
set bridge=BR1 tagged=ether1 [find vlan-ids=11]
set bridge=BR1 tagged=ether1 [find vlan-ids=12]
set bridge=BR1 tagged=ether1 [find vlan-ids=13]
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99


Original post:
TL;DR

  • Is there a difference between pvid and vlan-id?


  • Why is there nothing in the UI regarding these configured VLANs (except for the interface for VLAN 99)


  • What’s wrong with the below configs?


I’m studying networking in nightschool, and I work for an asset management software company (Lansweeper). The purpose, in fact, is to configure a tiny little network that is complicated enough to show off as my thesis/final exam project, and also allows me to reproduce certain niche situations that our customers find themselves in. I will be attaching HyperV’s, ESXi’s, a NAS etc to these ports, setting up exotic firewall rules hoping to break and then improve our software. In that regard, most traffic will be between my computer and any of the devices in the VLAN’s, very little traffic will be between the VLAN’s directly.

The teacher is a fan of Mikrotik, therefore so am I for the time being :).

I have reset the device and adapted a config I found through links posted in this thread to meet my own needs.

I first added only this:

###############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Switch with a separate router (RoaS)
# Web:			http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
# RouterOS:		6.43.13
# Date:			April 15, 2021
# Notes:		Start with a reset (/system reset-configuration)
# Thanks:		mkx, sindy
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Maurice"

#######################################
# VLAN Overview
#######################################

# 11 = BLUE
# 12 = GREEN
# 13 = RED
# 99 = MGMT

#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################
# -- Access Ports --
#######################################

# ingress behavior
/interface bridge port

# Blue VLAN
add bridge=BR1 interface=ether3 pvid=11

# Green VLAN
add bridge=BR1 interface=ether5 pvid=12
add bridge=BR1 interface=ether6 pvid=12
add bridge=BR1 interface=ether7 pvid=12

# Red VLAN
add bridge=BR1 interface=ether9 pvid=13
add bridge=BR1 interface=ether10 pvid=13

# egress behavior, handled automatically

#######################################
# -- Trunk Ports --
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=ether1 [find vlan-ids=11]
set bridge=BR1 tagged=ether1 [find vlan-ids=12]
set bridge=BR1 tagged=ether1 [find vlan-ids=13]
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99

#######################################
# IP Addressing & Routing
#######################################

# LAN facing Switch's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=MGMT vlan-id=99
/ip address add address=10.10.99.51/24 interface=MGMT

# The Router's IP this switch will use
/ip route add distance=1 gateway=10.10.99.1

#######################################
# IP Services
#######################################
# We have a router that will handle this. Nothing to set here.

I was able to connect to the switch on its IP, but unable to access the devices in VLAN 13. After enabling the below however I was once again unable to access the Mikrotik remotely. It strikes me as odd that I’m unable to find any information on the configured VLAN’s through the UI, except for VLAN 99.


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

I have not yet enabled this part, as i did not expect it to be related?

#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether10]

# Only allow ingress packets WITH tags on Trunk Ports (the trunk in this config is ether1)
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from MGMT, the MGMT network
/interface list add name=MGMT
/interface list member add interface=MGMT list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT

I also added an interface in the untagged 10.10.0.xx range using Buckeye’s commands, and that also allows me to access the switch. This appears to circumvent the VLAN structure entirely, and was actually more in line with what I was looking for to get started.

The switch is currently connected to the firewall from switch-eth1 to FW-eth2, the firewall is setup with a number of VLANs it provides with DHCP (IPs 2 - 50), it automatically creates routes between these networks. The switch now has two fixed IPs, 99.51 and 0.51, both working.
Attachments: maurice3.rsc (967 Bytes), Firewall configuration.png

Looking at my previous config, which did work but didn’t allow me to access the device, I added the below lines to the device:

add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
add bridge=BR1 tagged=ether1 untagged=ether10,ether9 vlan-ids=13
add bridge=BR1 tagged=ether1 untagged=ether3 vlan-ids=11
add bridge=BR1 tagged=ether1 untagged=ether5,ether6,ether7 vlan-ids=12

After unplugging and reconnecting some devices, everything is now receiving IP’s from my firewall, in the correct subnet, and I’m able to connect to the switch both on the MGMT VLAN and the untagged 10.10.0.xx IP.

The hopefully final config (or at least my go-to fallback) would thus be:

# mar/09/2022 15:09:39 by RouterOS 6.47.7
# software id = 0FI9-BZC2
#
# model = 2011UAS
# serial number = 4271026A5F3B
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=MGMT vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=BR1 interface=ether3 pvid=11
add bridge=BR1 interface=ether5 pvid=12
add bridge=BR1 interface=ether6 pvid=12
add bridge=BR1 interface=ether7 pvid=12
add bridge=BR1 interface=ether9 pvid=13
add bridge=BR1 interface=ether10 pvid=13
add bridge=BR1 interface=ether1
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
add bridge=BR1 tagged=ether1 untagged=ether10,ether9 vlan-ids=13
add bridge=BR1 tagged=ether1 untagged=ether3 vlan-ids=11
add bridge=BR1 tagged=ether1 untagged=ether5,ether6,ether7 vlan-ids=12
/ip address
add address=10.10.99.51/24 interface=MGMT network=10.10.99.0
add address=10.10.0.51/24 interface=ether1 network=10.10.0.0
/ip dns
set servers=10.10.0.1
/ip route
add distance=1 gateway=10.10.0.1
add distance=1 gateway=10.10.99.1
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=Maurice

Surprised anything works as you have not defined the VLANs on the MT, other than 99…

You only require /interface vlan definitions if the Mikrotik itself requires access to the VLANs through the CPU - bridge interface. For VLANs merely passing through the bridge between external bridge ports they are not required.

Thanks tdw, I guess I learned something new today… Much thanks!
That makes sense thinking about it as my trusted home LAN is the important one (vlan) that is used for the management interface.

Okay then, what is the purpose of
/ip address
add address=10.10.99.51/24 interface=MGMT network=10.10.99.0
add address=10.10.0.51/24 interface=ether1 network=10.10.0.0

It is not a VLAN and it’s a port used for incoming traffic and is thus part of the bridge…
This seems to be a config error???

The MT Device gets an IP on the trusted vlan, thats good.
There is no requirement for any IP address on ether1, its simply a trunk port on the bridge receiving all the vlans ???

The DNS servers should be associated with the trusted vlan like the IP address of the device.
The IP route should have nothing to do with 10.10.0.1 and should only be the gateway of the trusted vlan…

/ip address
add address=10.10.99.51/24 interface=MGMT network=10.10.99.0
add address=10.10.0.51/24 interface=ether1 network=10.10.0.0
/ip dns
set servers=10.10.0.1
/ip route
add distance=1 gateway=10.10.0.1
add distance=1 gateway=10.10.99.1


What am I missing.
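The rules stated earlier in the thread can be checked mechanically against an export: mkx's explanation of where the dynamic /interface bridge vlan entries come from (a PVID on a port or on the bridge itself with no static entry), tdw's point that a /interface vlan is only needed for CPU access and then requires the bridge to be a member, Buckeye's objection to putting an address on ether1 while it is a bridge port, and the two default routes in the last export. The following is an added example written for this page, not code from any of the posts: a small Python lint over a RouterOS 6 `/export`, run on a constructed sample modelled on the final config above (with the VLAN 11 line deliberately left out). It assumes the plain export layout seen in the thread (a `/menu` line followed by `add key=value` lines, `\` continuations) and single or comma-listed vlan-ids; the finding codes are my own labels, not RouterOS terminology.

```python
"""Lint a RouterOS 6.x '/export' for the bridge-VLAN pitfalls raised in this thread.
Added example, not code from any post. Assumes the export layout shown above
('/menu' line, then 'add key=value ...' lines) and single or comma-listed vlan-ids."""
import shlex

# Constructed sample modelled on the poster's final export; the VLAN 11 line of
# /interface bridge vlan is left out on purpose to show the "undeclared VLAN" case.
SAMPLE_EXPORT = """\
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=MGMT vlan-id=99
/interface bridge port
add bridge=BR1 interface=ether3 pvid=11
add bridge=BR1 interface=ether9 pvid=13
add bridge=BR1 interface=ether1
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
add bridge=BR1 tagged=ether1 untagged=ether9 vlan-ids=13
/ip address
add address=10.10.99.51/24 interface=MGMT network=10.10.99.0
add address=10.10.0.51/24 interface=ether1 network=10.10.0.0
/ip route
add distance=1 gateway=10.10.0.1
add distance=1 gateway=10.10.99.1
"""


def parse_export(text):
    """Return {menu_path: [entry, ...]}; each entry maps key -> value."""
    menus, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):                 # export wraps long lines with '\'
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
        elif menu is not None:
            entry = {}
            for tok in shlex.split(line)[1:]:   # drop the add/set verb
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    entry[key] = value
            menus[menu].append(entry)
    return menus


def lint(text):
    """Return [(code, message)] for each pitfall found in the export."""
    menus = parse_export(text)
    findings = []
    ports = menus.get("/interface bridge port", [])
    bridge_pvid = {b["name"]: int(b.get("pvid", 1)) for b in menus.get("/interface bridge", [])}

    # Static VLAN table as configured: vlan-id -> set of member interfaces (tagged or untagged).
    static = {}
    for v in menus.get("/interface bridge vlan", []):
        names = v.get("tagged", "").split(",") + v.get("untagged", "").split(",")
        for vid in v["vlan-ids"].split(","):
            static.setdefault(int(vid), set()).update(n for n in names if n)

    # mkx's rule: a PVID (on a port, or on the bridge itself) without a static entry shows up
    # as a dynamic entry. The bridge's own PVID is the implicit default; any other PVID with
    # no entry at all is a VLAN that lives only on that untagged port and never reaches the trunk.
    checks = [(p["interface"], p["bridge"], int(p.get("pvid", 1))) for p in ports]
    checks += [(name, name, pvid) for name, pvid in bridge_pvid.items()]
    for iface, br, pvid in checks:
        if iface in static.get(pvid, set()):
            continue
        if pvid == bridge_pvid.get(br, 1):
            findings.append(("dynamic-default", f"{iface} pvid={pvid} rides the dynamic entry for the bridge PVID"))
        elif pvid not in static:
            findings.append(("undeclared-vlan", f"{iface} pvid={pvid}: no /interface bridge vlan entry, so VLAN {pvid} is not tagged on any trunk"))
        else:
            findings.append(("dynamic-pvid", f"{iface} pvid={pvid} joins VLAN {pvid} only dynamically, not via the static entry"))

    # tdw's rule: a /interface vlan on the bridge is for CPU access only; the bridge must then be a member.
    for v in menus.get("/interface vlan", []):
        vid = int(v["vlan-id"])
        if v["interface"] in bridge_pvid and v["interface"] not in static.get(vid, set()):
            findings.append(("bridge-not-member", f"{v['name']}: {v['interface']} is not a member of VLAN {vid}"))

    # Buckeye's point: an untagged management address belongs on the bridge (or a vlan interface), not on a bridge port.
    port_names = {p["interface"] for p in ports}
    for a in menus.get("/ip address", []):
        if a["interface"] in port_names:
            findings.append(("ip-on-bridge-port", f"{a['address']} is on bridge port {a['interface']}; move it to the bridge or a vlan interface"))

    # Two default routes at equal distance; only the gateway of the management subnet should remain.
    defaults = [r for r in menus.get("/ip route", []) if r.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"]
    if len(defaults) > 1:
        findings.append(("multiple-default-routes", ", ".join(r["gateway"] for r in defaults)))
    return findings


if __name__ == "__main__":
    print(*lint(SAMPLE_EXPORT), sep="\n")
```

Run it as a script to see the findings for the sample, or pass the text of your own `/export hide-sensitive` file to lint(). On the sample it reports VLAN 11 as undeclared (only ether3 carries it, nothing is tagged on ether1), the two expected dynamic-default entries for ether1 and the bridge on PVID 1, the address sitting on ether1, and the two default routes; the two dynamic-default lines are the harmless case mkx describes and are listed so they can be told apart from a genuinely missing VLAN.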