(tagged) VLAN high level configuration question

Hey everyone,

I just got my MikroTik device and I’m very excited. I’ve just created a WAN port which asks for DHCP from my cable modem (i.e. asking for a public IP) and I’ve assigned the remaining 4 LAN ports to a bridge. My internal 192.168.x.x/24 network is being NATTED just fine. I owe the wiki and forum my thanks for the correct firewall rule and general setup :).

Now, I’m trying to accomplish the following:

VLAN switch (trunk to) ----> Routerboard 450G —> Cable modem
On the routerboard:
My next move is to move the WAN port to VLAN 2 (a separate VLAN). All 4 other LAN ports will be assigned to VLAN 1. This VLAN 1 is to be NATTED as all hosts in that VLAN have internal, non-routable IPs (192.168.x.x/24 network).

And now the crux of the matter. On the VLAN switch there will also be a VLAN 2. Devices in that VLAN are to get a public IP address from the ISP instead of a 192.168.x.x/24 address from the router’s DHCP. Those hosts should not be NATTED, obviously.

I’m not having trouble understanding VLAN (tagging) and the use of the trunk. I don’t know however, how I set up the routing between the WAN VLAN (VLAN 2) and the LAN VLAN (VLAN 1).

Can anyone offer a rundown of what I need to do?

Each VLAN that you add to a MikroTik is treated as its own separate routed interface. What this means to you is the MikroTik will handle all routing between the interfaces for you with no special configuration, just like the Ethernet interfaces. All you need to do is add the VLAN interfaces to the RouterBoard, assign them the appropriate IP addresses and let it go from there. Obviously you can get more complex in your setup depending on the ultimate goals of the network.

Now that covers the RouterBoard part of the configuration. For the switch there are a few things you should know. The MikroTik does not have the concept of a PVID or untagged port like a switch does. This means that all traffic leaving a specific interface will always be tagged with a VLAN, and all traffic coming into an interface needs to be tagged for a specific VLAN. Another thing to keep in mind: most client machines will not be able to or know how to read VLAN tags. This means any traffic heading to a client needs to have its VLAN tags stripped off by a device before finally being sent to the client in order for the client to be able to read it.

Hi Feklar. First of all, thank you for taking the time to type up such an informative reply. I had discovered you explaining this somewhere else too, but I’m not sure I really thoroughly understand what is going on. Thank god I’m starting off relatively simple.

I hope you can help me some more on this one:

What I’m trying to achieve is fairly easy:

  1. I’m creating 2 VLANs on a Cisco smart switch
  • a VLAN for all devices belonging to my 192.168.0.0/24 subnet. Those devices will be NATTED to the public IP on the ether 0 interface of the Mikrotik. I’ve named that interface WAN (I know, very creative).
  • a VLAN for devices that need to talk to my cable modem directly. In short they should behave as being connected to a dumb switch that is connected to the cable modem.


This sounds like inter-VLAN routing (routing on a stick), but then automatically configured. So a VLAN is a virtual interface and I can restrict communication at IP level? Those restrictions will apply to all members of that VLAN. By default no restrictions are active?

I’m lost what this means for my trunk link. Traffic coming from my Cisco switch will be tagged (no untagged frames will be allowed over the trunk). And frames going TO my Cisco switch should also be tagged or the switch will drop them.


At least this one is crystal clear to me :).

I’ll post my progression here. All this will hopefully start to make sense soon.

If the Cisco port is set to be a trunk and has the necessary VLANs assigned to it, you will likely be fine. One thing I did find out when working with Cisco gear: set the PVID of the port to some VLAN that does not really exist. Let’s assume VLAN1 is your management interface. I had problems with a Cisco 2950 stripping off the VLAN1 tag with the port set to a trunk, but the problem went away when I made the PVID VLAN200 for the uplink port.

This sounds like inter-VLAN routing (routing on a stick), but then automatically configured. So a VLAN is a virtual interface and I can restrict communication at IP level? Those restrictions will apply to all members of that VLAN. By default no restrictions are active?

MikroTik handles VLANs like Linux does: each VLAN is its own separate interface as far as it is concerned. This means you can run whatever services you want over it, DHCP, Hotspot, etc. You can use the firewall with it just like any other interface. Just keep in mind the router can only control the traffic that goes through it; it cannot, say, prevent clients that are part of VLAN10 from talking to each other. That is something that needs to be done on the switch or device that they connect to.

  1. I’m creating 2 VLANs on a Cisco smart switch
  • a VLAN for all devices belonging to my 192.168.0.0/24 subnet. Those devices will be NATTED to the public IP on the ether 0 interface of the Mikrotik. I’ve named that interface WAN (I know, very creative).
  • a VLAN for devices that need to talk to my cable modem directly. In short they should behave as being connected to a dumb switch that is connected to the cable modem.

Both of what you want to do should be fairly simple. Assuming you can specify a management VLAN on your other devices, it also opens up a few more options as well.

Let’s assume you want to use VLAN10 for the normal NAT network, and VLAN20 for the WAN network.

1.) Create VLAN10 and VLAN20 on your LAN interface.
2.) Create a WAN Bridge, and Bridge VLAN20 and your WAN interface together.
3.) Assign your WAN IP and other services to the WAN Bridge. (I’ve never done this so I’m unsure to some of what drawbacks there may be and any other potential issues, but it should work.)
4.) Assign your LAN IP, DHCP server, etc to VLAN10
5.) Set up NAT rules for the LAN, you will be NATing them out of the Bridge interface.
6.) On the Cisco switch, set your uplink port to be tagged for VLAN10 and 20
7.) On ports that you want on the NAT for the Cisco, set the port to access VLAN10, I believe the command is something like ‘switchport mode access vlan 10’.
8.) Do the same basic thing for VLAN20 if you want everything on a given port to have direct access to the WAN. You can also put a port into hybrid mode where you can have a tagged VLAN and an untagged one on the same port. This gives you the ability to, say, set the management VLAN on a device like an access point to VLAN20 so you can access it over that VLAN, but all other traffic going through that device will go out of the NAT network.

Obviously you may need to tweak and play around with it a bit more to get the results that you want. But those steps above should get you going and pointed in the right direction.

Thanks Feklar, I’ll have lots of fun tinkering with it. Just out of curiosity (you seem to be a VLAN expert) and not MikroTik related, what would Cisco mean by this (I hope I’m not bothering you with all these questions)?

Tx Force untag:
when this option is enabled, all egress frames from this port become untagged. The default value is Disable. When this function is disabled, only frames with the VLAN ID equal to the PVID will become untagged, otherwise, frames are sent with a VLAN tag.

Obviously frames need to be untagged if this egress port leads to a non-VLAN-aware device. But say this device is in VLAN 5, why would there ever be a need to untag frames with a VLAN ID different than 5? The point of VLANs is that other tagged frames with a different VLAN ID than 5 do not end up in VLAN 5.

Unless they mean it the other way around: when a VLAN-aware device tags its frames, the switch will remove the tag before allowing the frame out of the port where the device is connected to. This second idea looks far fetched though.

Basically what VLANs are is a way to logically divide up the same hardware so each section acts as its own independent piece of hardware where one VLAN cannot see or talk to another VLAN. So with an untagged port any traffic leaving that port will have its VLAN tag removed, and any traffic entering the port will have a VLAN tag added to it. With a tagged port, any traffic leaving a port will still retain its VLAN tag and any traffic coming in needs a VLAN tag.

When a port is a trunk it tags all traffic leaving it with appropriate VLANs so another VLAN aware device can read them and switch them to the correct place(s), this way you can have the same VLAN span multiple devices and everything on the same VLAN has access to each other, one of the coolest features of VLANs in my opinion. That is why you would potentially have multiple different VLANs on the same port. What the option above is saying is any traffic leaving the port strip the VLAN tag, and is something I would highly doubt you would use unless you possibly have a traffic sniffer that couldn’t read VLAN tags or something along those lines.

Most interesting topic this is. It all looks so easy, in theory.

I think we are on the same page with that. I just don’t use the word tagged port. It’s either a trunk (carrying multiple VLANs) or an access port (member of 1 VLAN). Trunks are set up between devices that are VLAN aware. Access ports connect devices to the switch that are not VLAN aware.

Well obviously it would make no sense at all enabling this option on a trunk port. But I’ve come up with this:

Special notes:

  • Take notice of the direction of the arrow
  • -------- (dotted line = an ethernet frame)

A) the option is enabled

    Switch ----------> VLAN UNAWARE DEVICE.

Explanation: it does not matter what VLAN ID the frame has, the switch will strip the tag before sending the frame to the device. The option strips tags because VLAN unaware devices do not understand them.

When this function is disabled, only frames with the VLAN ID equal to the PVID will become untagged, otherwise, frames are sent with a VLAN tag.

Well, huh? Frames that are not equal to the VLAN ID of that port shouldn’t be allowed to reach the device. Why would there be a need to strip the VLAN ID from those frames…

B) the option is disabled (notice I’ve changed the direction of the arrow)

    Switch <------- VLAN AWARE DEVICE

Explanation: If a VLAN aware device attempts to send a tagged frame, this tag will be stripped first before it is allowed to enter the switch.

Well eum, perhaps this is to overrule notebooks that can set a VLAN tag (Intel NICs can do it).


I’m logically assuming A is the correct answer. Suppose the VLAN unaware device is in VLAN 5. Why would a switch untag a frame with VLAN ID 8 and allow this frame to enter VLAN 5? I’m just saying, what is the purpose of this option? I can’t seem to come up with a use for it.

A is the correct answer. There are situations where you can have a tagged and untagged VLAN on the same port. That’s usually called Hybrid mode and is mostly used in the situation where a device is able to specify its management VLAN.

A lot of network equipment like access points can specify a management interface. What this does is it places its IP address on a different VLAN from the normal traffic that goes over it. In order to access it you need a tagged VLAN from a VLAN aware device. Normal traffic, such as traffic going through the device from clients connected to it, is not part of the management VLAN and, unless specifically told to use its own VLAN for that traffic, will just pass through without a tag.

Darn, I’ve setup the VLAN thing and no dice. Could you please take a look for potential errors?
I had internet access before I configured the VLANs, so most of this works apart from the actual VLAN stuff.

On the cisco I put a port in VLAN 10 (access port) with matching PVID 10 and I configured the trunk to accept tagged frames only. The trunk port was put in VLAN 10, VLAN 20 and VLAN 1 (its native VLAN). The access port was only in 1 vlan, being VLAN 10 as I mentioned.

I connected a laptop to the Cisco switch but was unable to reach (read ping) the Mikrotik (set as gateway).

/interface

Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                        TYPE             MTU   L2MTU
 0  R  ether1                                      ether            1500  1524
 1     ether2                                      ether            1500  1524
 2     ether3                                      ether            1500  1524
 3     ether4                                      ether            1500  1524
 4     WAN                                         ether            1500  1524
 5  R  WAN-BRIDGE                                  bridge           1500  65535
 6  X  VLAN10(internal)                            vlan             1500  1520
 7  X  VLAN20(external)                            vlan             1500  1

/interface bridge

Flags: X - disabled, R - running
 0  R name="WAN-BRIDGE" mtu=1500 l2mtu=65535 arp=enabled
      mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
      forward-delay=15s transmit-hold-count=6 ageing-time=5m

/interface bridge port

Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE              BRIDGE              PRIORITY PATH-COST  HORIZON  
 0 I  VLAN20(external)       WAN-BRIDGE          0x80     10         none     
 1 I  WAN                    WAN-BRIDGE          0x80     10         none

/interface ethernet

#    NAME      MTU   MAC-ADDRESS       ARP     MASTER-PORT         SWITCH
 0 R  ether1  1500  00:0C:42:3E:57:A3 enabled    none             switch1
 1    ether2  1500  00:0C:42:3E:57:A4 enabled    none             switch1
 2    ether3  1500  00:0C:42:3E:57:A5 enabled    none             switch1
 3    ether4  1500  00:0C:42:3E:57:A6 enabled    none             switch1
 4    WAN     1500  00:0C:42:3E:57:A7 enabled    none             switch1

/interface vlan

Flags: X - disabled, R - running, S - slave
 #    NAME                  MTU   ARP        VLAN-ID INTERFACE                
 0 X  VLAN10(internal)      1500  enabled    10      ether1                   
 1 X  VLAN20(external)      1500  enabled    20      ether1

/ip address

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.0.251/24   192.168.0.0     192.168.0.255   VLAN10(internal)

This actually worked but the cable to the cable modem was disconnected when I printed this config :).

/dhcp-client

Flags: X - disabled, I - invalid
 #   INTERFACE                         USE ADD STATUS        ADDRESS
 0   WAN-BRIDGE                        yes yes searching...

/ip dns

servers: 195.x.x.x,195.x.x.x
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 5KiB

/ip firewall nat

Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade src-address=192.168.0.0/24

Your VLANs are disabled according to /interface vlan.

Indeed, just enabling them made everything work. Many thanks for helping me achieve this.

Something I found out is that if you want more ports of the MikroTik in VLAN 10 (internal LAN) you must:

  1. create a bridge
  2. assign an IP to that bridge
  3. assign VLAN 10 to the bridge
  4. assign any port you want to be part of VLAN 10 to the bridge

So it appears tagging is being automatically performed by the MikroTik. Would you know of any options complementing this (like ingress filtering in MikroTik lingo, for instance)?

A small side effect I still need to solve is that with this config, I am unable to reach the Cisco’s management interface. That interface is in VLAN 1 (native VLAN). So in order to regain access to it, I moved the management interface in VLAN 10.
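The final layout described in this post (VLAN 10 bridged with an untagged ether port for the dumb switch, VLAN 20 bridged with the WAN port), combined with Feklar’s eight steps earlier in the thread, written out as a RouterOS CLI configuration. This is an added example, not the poster’s printed config or Feklar’s; the interface names, the 192.168.0.0/24 addressing, the DHCP pool range and the firewall rules are assumptions.

```routeros
# Added example (not from the thread). Assumed layout: ether1 = trunk to the
# Cisco, ether2 = untagged LAN port to the dumb switch, "WAN" = port to the
# cable modem (renamed as in the thread). Addresses and pool are assumed.

# 1. VLAN sub-interfaces on the trunk port. The X flag in the printed config
#    meant these were disabled, which is why nothing worked; disabled=no
#    avoids that pitfall.
/interface vlan
add name=VLAN10 vlan-id=10 interface=ether1 disabled=no
add name=VLAN20 vlan-id=20 interface=ether1 disabled=no

# 2. WAN bridge: VLAN20 (tagged on the trunk) plus the physical WAN port, so
#    hosts in VLAN 20 on the Cisco are bridged straight to the cable modem
#    and never pass through the router's NAT.
/interface bridge
add name=WAN-BRIDGE
add name=LAN-BRIDGE
/interface bridge port
add bridge=WAN-BRIDGE interface=VLAN20
add bridge=WAN-BRIDGE interface=WAN
# LAN bridge: VLAN10 from the trunk plus ether2 as an untagged port (the
# workaround from the post above). Frames from ether2 get tag 10 when they
# leave over the trunk; tag 10 is stripped towards ether2.
add bridge=LAN-BRIDGE interface=VLAN10
add bridge=LAN-BRIDGE interface=ether2

# 3. Public address from the ISP goes on the WAN bridge.
/ip dhcp-client
add interface=WAN-BRIDGE add-default-route=yes use-peer-dns=yes disabled=no

# 4. LAN address, DHCP server and DNS forwarding live on the LAN bridge
#    (not on VLAN10 itself, since VLAN10 is now a bridge member).
/ip address
add address=192.168.0.251/24 interface=LAN-BRIDGE
/ip pool
add name=lan-pool ranges=192.168.0.100-192.168.0.200
/ip dhcp-server
add name=lan-dhcp interface=LAN-BRIDGE address-pool=lan-pool disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.251 dns-server=192.168.0.251
/ip dns
set allow-remote-requests=yes

# 5. Masquerade only the internal subnet and only towards the WAN bridge.
#    A bare src-address match (as in the printed config) would also rewrite
#    traffic that leaves via any other interface.
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 out-interface=WAN-BRIDGE \
    action=masquerade

# Input protection for the router itself: WAN-BRIDGE is the public side, so
# only replies to connections the router started are accepted from it.
# allow-remote-requests=yes above would otherwise expose the DNS cache.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=WAN-BRIDGE action=drop
```

On the Cisco side (IOS syntax, assumed), the uplink is ‘switchport mode trunk’ with ‘switchport trunk allowed vlan 10,20’, and a NAT-side port is ‘switchport mode access’ followed by ‘switchport access vlan 10’.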

Glad to hear you got it working.

Because your actual physical interface does not have an IP address assigned to it, it had no way of reaching the management interface of the Cisco. By moving its management interface to VLAN10 you actually did what you wanted, most likely. If you wanted a dedicated VLAN just for a management interface, you can move the Cisco’s back to VLAN1 or whatever you wanted and make another VLAN interface on the MikroTik and assign its own IP address and subnet to it.

I’m not really sure what you are asking about the options that could complement the VLAN setup. Like I said, each VLAN in a MikroTik is its own separate routed interface; this means you can apply any rules to it that you would to a real interface, such as firewall rules, queues, DHCP servers/clients, etc. And yes, each packet that leaves a VLAN interface on the MikroTik will have that VLAN tag attached to it, and in order for traffic to get back it needs the appropriate VLAN tag on it as well. Without the tag it will fall through to the physical interface. I personally use VLANs with the Hotspot to keep clients separated from each other on the network as well as separate from network equipment. It has the added benefit of also allowing me to see how much traffic is coming from what device, like an access point, and at a glance determining where a client is connected in the network.

What you have described with the bridge there is actually a workaround to adding “untagged” or “access” ports to the MikroTik. You can always just add more VLAN interfaces to a different physical interface with the right tag and bridge the two VLANs together as well. The name that you give a VLAN has no effect on its tag, only the VLAN ID setting does.

Thanks, just for clarity, my LAN now looks like so:

Cable modem -------- (ether 5=WAN) Mikrotik (ether 1 = trunk) ------- -Cisco switch ------- VLAN 10 + VLAN 20
…(ether 2) ------ ‘dumb’ switch

The … are just for alignment reasons:)
Notes:

  • Ether 2 is in a bridge with VLAN 10 (just as ether 5 is in a bridge with VLAN 20).
  • My daily computer and wireless access point are also connected to the ‘dumb’ switch (I.E. they are also in VLAN 10).

Hmm, I’m not quite sure what you mean by “Because your actual physical interface does not have an IP address assigned to it, it had no way of reaching the management interface of the Cisco.”

VLAN 1 on the Cisco switch is the native VLAN. I did not have a native VLAN configured on the Mikrotik. Wouldn’t that have been the most likely problem? I’m going to try this:

  1. Create VLAN 1 with ID 1 on ether 3
  2. give it (VLAN 1) an IP
  3. connect a computer to ether 3
  4. ping the Cisco after I’ve put it back to VLAN 1

Now I come to read it, this appears to be what you’ve just said.

Would adding in more VLANs be more efficient than my approach (in terms of throughput + latency)? It’s bridging VLANs with the same VLAN ID together versus bridging 1 VLAN together with physical ether interfaces.

Talking about efficiency, in the routerboard 450G is a switch chip which should be capable of doing all of this without routing or bridges. Well, as long as no inter-VLAN routing is required of course. No one seems to go that way yet. As soon as I’ve got my config fully tweaked I’m going to save it and tinker with the switch chip.

What I’m saying is that each VLAN is its own separate interface in the MikroTik. Because ether3 does not have an IP/subnet assigned to it, and by default the Cisco switch is not looking for a tagged VLAN for its management interface, the router has no way to communicate with that management interface. I think you got the basics of what I’m getting at though. All of your traffic leaving the router is being tagged for VLAN10 or VLAN20; neither of these was the management interface of the Cisco by default, so your router had no way of communicating with that interface until you moved the management interface. If you had an IP/subnet assigned to ether3 as well as to the VLAN interfaces, all traffic entering the Cisco without a VLAN tag will generally be tagged to VLAN1 by the switch unless configured differently and therefore has access to the VLAN1 management interface.

Would adding in more VLANs be more efficient than my approach (in terms of throughput + latency)? It’s bridging VLANs with the same VLAN ID together versus bridging 1 VLAN together with physical ether interfaces.

Talking about efficiency, in the routerboard 450G is a switch chip which should be capable of doing all of this without routing or bridges. Well, as long as no inter-VLAN routing is required of course. No one seems to go that way yet. As soon as I’ve got my config fully tweaked I’m going to save it and tinker with the switch chip.

CPU in either case will be the same probably with the bridge, I was just using it as an example. Bridging interfaces uses the CPU, while the switch uses the switch chip. With bridging however you get more control over the traffic flow since you can make the packets be processed against the firewall. I haven’t played around with the switch chip that much, mainly because I have no real need to. If I have a network where I need to use VLANs I then need a managed switch. I will typically need more ports than any RouterBoard can offer me in that case, and I get a good managed switch to handle everything for me. I find the options and features of the switch chip unable to compare to what a good fully managed switch can offer me. If you just need a simple switch for the most part, the switch chip should be more than enough.

What features are you missing?

If you check out http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features the Atheros8316 seems to be a fully featured switch chip.
And I do agree entirely, using the routerboard just for routing (or inter vlan routing) is more powerful yet less complex.

I know L3 switches can do basic routing but they can’t do NAT for instance. And then there are L3 switches that can do NAT. But those are very, very very expensive:)

If I need a managed switch I want it to do this and a few other things:
1.) Prevent communication between ports/clients that connect to the switch
2.) I really like the CLI interface of the Cisco and 3Com switches, this is more of a personal preference.
3.) Ability to see traffic levels and statistics on a per port basis.
4.) Easy to understand and implement VLAN support.
5.) Ability to see where devices/clients are connected to on the network.

To me it basically comes down to figuring out what you want the network to be capable of doing and then invest in the hardware that will support that.

Valid points although for (1) the RB450 and RB493 should be able to do this (you can divide the switch chip). Doesn’t make all too much sense since port count is pretty low.

And (5) is a really cool option.