Trunk port and VLAN translation

Hi everybody,

I want to achieve VLAN translation with an RB951. Here is the current scenario:

Same subnet for every computer and network device (192.168.0.0/22). One router connected to the internet, provided by the ISP, which doesn't allow trunk ports on its LAN ports and can't translate any type of VLAN received... very restricted, to be honest. All the switches on the network are 3750Gs and 3560Gs. Two of the 3750Gs will be connected directly to the MikroTik, and the MikroTik then connected directly to the ISP router through its WAN port.

All the Cisco switches have different VLANs, to maintain privacy between the different departments.

So what I've been trying, without success, is to translate all the VLANs received from the Cisco switches to VLAN 1. I tried creating all the VLANs, a bridge for every VLAN, etc., as I found in this forum. No success.
I also tried to forward all the traffic with fixed routes to the WAN port on the MikroTik; no success.
I tried with NAT and without NAT. Same result.

So first of all, is the RB951 capable of doing this task?
If so, what would be the best configuration for this? Should the WAN port on the MikroTik be tagged with VLAN 1 (ingress/egress), or should it be an access port and just forward everything, removing all the tags received?

Thanks for your time!

I would think untagging the VLANs on the WAN port should be the way to go.

I wasn't sure, as the description suggests that addresses from the same IP subnet are randomly scattered among the VLANs. So it's fine to untag any packet coming from any of the VLANs on its way from the client to the WAN side, but the problem arises when you need to tag the packet in the opposite direction, as there is no way to map the MAC address to a VLAN ID.

So either I'm missing something important in the description, or the only solution I can see is to act at L3 and use policy routing as described here. If there is a risk that two devices in different VLANs might have the same IP address (the description does not clarify whether the address spaces are coordinated or not), NATting each VLAN to a distinct address or pool is necessary, otherwise there could be weird failures if two clients with the same native IP address were to establish a connection to the same server from the same ephemeral port.

Thanks CZFan for your answer. I thought the same, but couldn't find the way to do it properly, plus there is the handicap in the opposite direction, as sindy stated.



Thanks sindy for your detailed answer, I appreciate it.

I don't think you missed anything in the info. You are correct: in case we untag everything, the MikroTik won't know where to send the packets in the opposite direction. Good point.

To clarify, the MikroTik will be the DHCP server (right now it is the ISP's router, on which I will disable the DHCP option). In this case, there is no risk of having duplicate IP addresses in the same or different VLANs.

I read the post you shared; it looks interesting. Will give it a shot later during the day, applying the config written by Sob in post #13, which seems to fix this issue.

Will keep you updated. Thanks both for your answers. Any other ideas or suggestions are welcome.

Well, if you can make the 'Tik a DHCP server for those VLANs, there is no need to keep 192.168.0.0/22 for all of them and you can slice that range (or use other subnets outside that range) into one subnet per VLAN so the whole task becomes much simpler, it then involves just plain L3 routing with a bit of firewalling used to control traffic between the VLANs/subnets.

At the first stage, there shouldn't be any traffic between those VLANs. But I'm anticipating the next request, which will be to share servers between the different departments. Therefore one subnet for all of them.

Thanks for your answer, sindy.

Are the VLANs on the existing switches using unique addressing already? Are you able to add a static route or static routes to the ISP device? I’m sure you’ve asked this but the ISP device cannot be put into a “bridge” like mode where the public addressing is presented directly to the new MikroTik (assuming 192.168.0.0/22 is not what the provider views as public addressing)?

First of all, thanks for participating in this topic. I appreciate all the questions and will try to answer them as best I can.
Those switches aren't configured yet, until I fix this problem with the ISP router, but yes, the idea is the same subnet for all of them.

Yes, that is a possibility. Although I tried with static routing and it didn't work out because of the trunk port with the ISP router; I mean, the 3750G-12S-S couldn't "translate" or redirect the VLANs without removing the VLAN tag, therefore the ISP router doesn't allow any packet to go outside. Really odd.


That was definitely the first option to try, but I'm afraid it's not a possibility. That router is quite locked down for admin/user management.

Hi sindy,

I've been modifying the config and doing some tests during the past days, based on the config from the post you shared. Thanks for that.

So far, if the switch connected to the MikroTik is in access mode (VLAN 1), no problem at all. The MikroTik does L3 correctly.
The problem is when I add VLANs to the Cisco switches and make the port between the MikroTik and the switch a trunk port. Then nothing is passed, or translated.

I made a mistake and made a backup outside the flash, so the day after, when I started it up, the good config was not there. Anyway, I tried to reproduce what I had in the following code:

/ip address
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=192.168.10.2/24 interface=ether5 network=192.168.10.0

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=192.168.0.2 new-connection-mark=port1 passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.10.2 new-connection-mark=port5 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new in-interface=ether5 new-connection-mark=port1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=port1 new-routing-mark=port1 passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5
add action=src-nat chain=srcnat connection-mark=port1 out-interface=ether1 to-addresses=192.168.0.2
add action=src-nat chain=srcnat connection-mark=port2 out-interface=ether1 to-addresses=192.168.10.2
/ip route
add gateway=192.168.0.1
add distance=1 dst-address=192.168.0.0/24 gateway=ether1 routing-mark=port1

Here is a definition of each address:
router: 192.168.0.1/24
mikrotik:
  WAN: 192.168.0.2/24
  LAN: 192.168.10.2/24 (this is on ether5 only, but it might be useful to have ether2-5 in a bridge linked to that address)
switch: 192.168.10.3/24
laptop: 192.168.10.10/24

Apart from the fact that the VLANs aren't created on the MikroTik at this moment (the other day they were created, but it didn't work either), what else am I missing?

Thanks guys

I´m back after more and more tests.

Finally the ISP is convinced, and provided a router which is allowed to be in "bridge mode". I put it in bridge mode and configured the MikroTik to connect through PPPoE. Up to here, everything is correct. The NAT rule (the one that is created automatically) is working well, translating anything from VLAN 1 to go out through the WAN port.

Now the issue comes when I add the rest of the VLANs and configuration.
First of all, the Cisco switch port connected directly to the MikroTik has this config:
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20,30,100

Then, another port on that Cisco switch is configured as follows (this is where I connect the laptop to make tests):
switchport mode access
switchport access vlan 10

On the MikroTik (I don't know how to export the configuration to paste it here, like "show running-config" in Cisco):

  • All VLANs are created. Each VLAN has an IP address.
  • Each VLAN has a bridge with its name.
  • No extra NAT rules added.

Where does the problem seem to be?

Thanks

In Winbox or WebFig, press the [Terminal] button to open a command line window. Then follow the instructions in my automatic signature.

Hi sindy!

Thanks for that tip. I'm too new to MikroTik.

I will post my complete config now.

/interface bridge
add fast-forward=no name=bridgevlan10
add fast-forward=no name=bridgevlan20
add fast-forward=no name=bridgevlan30
add fast-forward=no name=bridgevlan50
add fast-forward=no name=bridgevlan100
/interface ethernet
set [ find default-name=ether3 ] name=ether4
set [ find default-name=ether4 ] name=ether5
set [ find default-name=ether5 ] name=ether6
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add name=ether4vlan10 vlan-id=10
add name=ether4vlan100 vlan-id=100
add name=ether4vlan20 vlan-id=20
add name=ether4vlan30 vlan-id=30
add name=ether4vlan50 vlan-id=50
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.10.20-10.10.10.250
add name=dhcp-pool20 ranges=10.10.20.20-10.10.20.250
add name=dhcp-pool30 ranges=10.10.30.20-10.10.30.250
add name=dhcp-pool50 ranges=10.10.50.20-10.10.50.250
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridgevlan10 name=dhcp-vlan10 relay=10.10.10.1
add address-pool=dhcp-pool20 disabled=no interface=bridgevlan20 name=dhcp-vlan20 relay=10.10.20.1
add address-pool=dhcp-pool30 disabled=no interface=bridgevlan30 name=dhcp-vlan30 relay=10.10.30.1
add address-pool=dhcp-pool50 disabled=no interface=bridgevlan50 name=dhcp-vlan50 relay=10.10.50.1
/system logging action
set 1 disk-file-name=log
/interface pppoe-client
add add-default-route=yes disabled=no interface=*1 name=pppoe-out1 use-peer-dns=yes user=ISP-username
/interface bridge port
add bridge=bridgevlan10 interface=ether4vlan10
add bridge=bridgevlan100 interface=ether4vlan100
add bridge=bridgevlan20 interface=ether4vlan20
add bridge=bridgevlan30 interface=ether4vlan30
add bridge=bridgevlan50 interface=ether4vlan50
/interface list member
add list=WAN
add list=LAN
add interface=pppoe-out1 list=WAN
add list=LAN
/ip address
add address=10.10.88.1/24 interface=bridgevlan100 network=10.10.88.0
add address=10.10.10.1/24 interface=bridgevlan10 network=10.10.10.0
add address=10.10.20.1/24 interface=bridgevlan20 network=10.10.20.0
add address=10.10.30.1/24 interface=bridgevlan30 network=10.10.30.0
add address=10.10.50.1/24 interface=bridgevlan50 network=10.10.50.0
add address=10.10.80.10/24 interface=ether4 network=10.10.80.0
/ip dhcp-client
add dhcp-options=hostname,clientid
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1
add address=10.10.80.0/24 gateway=10.10.80.10 netmask=24
/ip firewall address-list
add address=facebook.com list=Facebook
add address=www.facebook.com list=Facebook2
add address=www.youtube.com list=YouTube
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related connection-type=""
add action=drop chain=forward comment=Facebook disabled=yes dst-address-list=Facebook log=yes
add action=drop chain=forward comment=Facebook2 disabled=yes dst-address-list=Facebook2 log=yes
add action=drop chain=forward comment=YouTube disabled=yes dst-address-list=YouTube log=yes
add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall nat
# no interface
add action=redirect chain=dstnat comment="Redirect\F3n proxy" dst-port=80 in-interface=*2 log=yes protocol=tcp to-ports=8080
add action=masquerade chain=srcnat out-interface-list=WAN
/ip proxy
set cache-on-disk=yes cache-path=disk1/lost+found enabled=yes max-client-connections=1000 max-server-connections=1000 serialize-connections=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.10.0.0/16,10.10.10.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=10.10.0.0/16,10.10.10.0/24
set api-ssl disabled=yes
/ip smb
set allow-guests=no domain=myowndomain
/ip smb shares
set [ find default=yes ] directory=/pub
/ip smb users
add name=it read-only=no
/system clock
set time-zone-name=Europe/London
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
/system routerboard settings
set silent-boot=no

So, where does the problem seem to be? As soon as I set up an access port on the switch for VLAN 10, 20, 30... I can't ping that VLAN's address defined on the MikroTik, nor go out to the internet.

Thanks!

Should I read the above statement the way that until you set up the access ports, you can go out to internet?

But regardless of that, how on earth have you managed to configure your /interface vlan without specifying an interface name? The 'Tik normally doesn't allow you to do that.

Instead of

/interface vlan
add name=ether4vlan10 vlan-id=10
add name=ether4vlan100 vlan-id=100
add name=ether4vlan20 vlan-id=20
add name=ether4vlan30 vlan-id=30
add name=ether4vlan50 vlan-id=50

it should read

/interface vlan
add interface=ether4 name=ether4vlan10 vlan-id=10
add interface=ether4 name=ether4vlan100 vlan-id=100
add interface=ether4 name=ether4vlan20 vlan-id=20
add interface=ether4 name=ether4vlan30 vlan-id=30
add interface=ether4 name=ether4vlan50 vlan-id=50

If Mikrotik permitted creating an /interface vlan hanging in the air, I would attribute that to your following the Cisco way of thinking, where a VLAN exists regardless of whether it has any member ports or not. But here the philosophy is significantly different: an /interface vlan is a pipe which tags frames as they pass in one direction and untags them as they pass the other way, and the tagged end of the pipe must always be attached to some interface, while its tagless end is an interface itself.

Other than that, as you seem to plan to use the 'Tik as a router with several VLANs on a single port and not to bridge the VLANs anywhere else, you can radically simplify the configuration in the following step: instead of making the /interface vlan single member ports of their unique bridges, you can attach the IP configuration (/ip address, /ip dhcp-server) directly to the /interface vlan (after you remove that /interface vlan from the bridge).

Regarding /ip dhcp-server I’m not sure I understand what you intend to do. As the devices are connected to the VLANs using the access ports of the external switch, the relay item is useless as it indicates an IP address from the same subnet like the pool, which makes little sense.

And only clients which get leases from 10.10.10.0/24 and 10.10.80.0/24 will get the default gateway assigned by the DHCP server, because an /ip dhcp-server network item exists only for these two networks. Is that an intention?
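Putting the pieces of the post above together, here is an added example (not the original poster's config and not sindy's) of the simplified router-on-a-stick layout sindy describes, with the IP configuration and DHCP servers attached directly to the /interface vlan, an /ip dhcp-server network for every subnet, and the firewall sindy mentioned earlier for keeping the departments apart and protecting the router now that it sits directly on a PPPoE link. Assumptions, not from the thread: ether1 is the PPPoE WAN, ether2 is the 802.1Q trunk to the Cisco switch, VLAN 100 is the management VLAN, and the subnets follow the 10.0.<vlan>.0/24 scheme of the final post, with 10.0.88.0/24 on VLAN 100.

```routeros
# Added example, not the thread's own config. Assumptions: ether1 = PPPoE WAN,
# ether2 = 802.1Q trunk to the Cisco switch, VLAN 100 = management VLAN.
/interface list
add name=WAN
add name=LAN

/interface pppoe-client
add name=pppoe-out1 interface=ether1 user=ISP-username add-default-route=yes \
    use-peer-dns=yes disabled=no

# One /interface vlan per VLAN, each anchored on the trunk port. No bridges:
# the VLAN interface itself is the L3 interface.
/interface vlan
add interface=ether2 name=vlan10  vlan-id=10
add interface=ether2 name=vlan20  vlan-id=20
add interface=ether2 name=vlan30  vlan-id=30
add interface=ether2 name=vlan50  vlan-id=50
add interface=ether2 name=vlan100 vlan-id=100

/interface list member
add interface=pppoe-out1 list=WAN
add interface=vlan10  list=LAN
add interface=vlan20  list=LAN
add interface=vlan30  list=LAN
add interface=vlan50  list=LAN
add interface=vlan100 list=LAN

/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20
add address=10.0.30.1/24 interface=vlan30
add address=10.0.50.1/24 interface=vlan50
add address=10.0.88.1/24 interface=vlan100

/ip pool
add name=pool10 ranges=10.0.10.20-10.0.10.250
add name=pool20 ranges=10.0.20.20-10.0.20.250
add name=pool30 ranges=10.0.30.20-10.0.30.250
add name=pool50 ranges=10.0.50.20-10.0.50.250

# Each DHCP server names the interface it listens on; no relay, because the
# router is directly on every VLAN. The gateway of each network is the
# router's own address on that VLAN.
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20 address-pool=pool20 disabled=no
add name=dhcp30 interface=vlan30 address-pool=pool30 disabled=no
add name=dhcp50 interface=vlan50 address-pool=pool50 disabled=no
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1 dns-server=10.0.30.1
add address=10.0.50.0/24 gateway=10.0.50.1 dns-server=10.0.50.1

# The router resolves for the clients. This is only safe together with the
# input-chain drop below, otherwise the PPPoE side becomes an open resolver.
/ip dns
set allow-remote-requests=yes

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
# input: protect the router itself. Management only from the management VLAN.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="DNS for clients"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface=vlan100 \
    comment="management only from VLAN 100"
add chain=input action=drop comment="everything else, including from WAN"

# forward: every VLAN reaches the internet, no VLAN reaches another one.
# A later per-server accept placed above the inter-VLAN drop is how a shared
# server gets exposed to selected departments without opening the rest.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="no inter-VLAN traffic"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop comment="everything else, incl. unsolicited WAN->LAN"
```

The ordering matters: the fasttrack and established/related rules sit first so that only the first packet of each connection is evaluated against the inter-VLAN drop, and a new connection between two VLANs never becomes established, so nothing can be fasttracked around the drop. Whatever the Cisco trunk is configured to allow (the thread's allowed list is 10,20,30,100), the VLAN IDs here must match it, and a VLAN present on one side but not the other simply carries no traffic.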

Hi Sindy,

I appreciate your detailed answer. Will reply to you directly in the quote, as there are some different things to talk about.

Thanks sindy !!

I am starting to wonder if there is maybe a bug creeping in here; see the extract of config in this post: Dealing with VLANs on cisco switch. - #4 by CZFan

In this one, the interfaces are showing, but not the vlan-ids?

Access-port VLAN is supported by the hardware switch, but VLAN-to-VLAN translation is supported by the CPU.

Solution: go with a CRSxxx.

Understood, put this way it makes sense to me and it is in step with your configuration where ether4 itself (representing the tagless traffic on it for the L3) has an IP configuration and a completely configured DHCP server attached.

VLAN 1 on Cisco is by default the native VLAN of all ports and even on trunk ports, frames internally tagged with a native VLAN ID set on that port are untagged on egress (which makes that port a “hybrid” one in other vendors’ vernacular).

Mikrotik’s handling of VLAN ID 1 is more complex to understand, but it seems that setting pvid=1 (an equivalent of cisco’s switchport trunk native vlan) on an interface means that tagless frames remain tagless as they get in, which is impossible on most traditional switches where internally everything runs tagged.


You may do that, but it is not necessary to do it immediately, it will just simplify the configuration, not fix it. Which returns me to a question whether specifying the ether4 as the interface property of each /interface vlan did fix the issue at least for the VLAN where the DHCP server was configured?

Thanks ADahi for participating in this topic. At this stage, and with this simple configuration, I don't think the CRS is needed, but I understand that CPU/hardware-wise it would perform better. Check the configuration below, which solved the issue.

Thanks CZFan. I checked that post; I wouldn't say it is the same situation. It seems sindy pointed to the right spot to look at.


Hi sindy,

Thank you for taking a look at that code and pointing out the errors; I don't really know how the MikroTik allowed me to do that. But giving it a physical interface solved the issue.
Anyway, I was curious as well about your advice on deleting the bridges (I learned in other posts/videos to do it with bridges, that's why I tried that way), so I deleted the bridges and the interfaces linked to them. Everything works like a rock. I managed to get internet on every VLAN, and each DHCP server is giving the correct IP address depending on the VLAN. Many thanks for the tip.

Here is the code:

/interface ethernet
set [ find default-name=ether1 ] name="ether2 - WAN"
set [ find default-name=ether2 ] name="ether4 - LAN"
/interface pppoe-client
add add-default-route=yes disabled=no interface="ether2 - WAN" name=pppoe-out1 \
    use-peer-dns=yes user=ISP-username
/interface vlan
add interface="ether4 - LAN" name=ether4vlan10 vlan-id=10
add interface="ether4 - LAN" name=ether4vlan100 vlan-id=100
add interface="ether4 - LAN" name=ether4vlan20 vlan-id=20
add interface="ether4 - LAN" name=ether4vlan30 vlan-id=30
add interface="ether4 - LAN" name=ether4vlan50 vlan-id=50
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp-pool10 ranges=10.0.10.20-10.0.10.250
add name=dhcp-pool20 ranges=10.0.20.20-10.0.20.250
add name=dhcp-pool30 ranges=10.0.30.20-10.0.30.250
add name=dhcp-pool50 ranges=10.0.50.20-10.0.50.250
# each server must reference an existing pool by its exact name and be bound
# to the /interface vlan it serves now that the bridges are gone
/ip dhcp-server
add address-pool=dhcp-pool10 disabled=no interface=ether4vlan10 name=dhcp-vlan10
add address-pool=dhcp-pool20 disabled=no interface=ether4vlan20 name=dhcp-vlan20
add address-pool=dhcp-pool30 disabled=no interface=ether4vlan30 name=dhcp-vlan30
add address-pool=dhcp-pool50 disabled=no interface=ether4vlan50 name=dhcp-vlan50
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface list member
add interface="ether2 - WAN" list=WAN
add interface="ether4 - LAN" list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.0.88.1/24 interface=ether4vlan100 network=10.0.88.0
add address=10.0.10.1/24 interface=ether4vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=ether4vlan20 network=10.0.20.0
add address=10.0.30.1/24 interface=ether4vlan30 network=10.0.30.0
add address=10.0.50.1/24 interface=ether4vlan50 network=10.0.50.0
add address=10.0.80.10/24 interface="ether4 - LAN" network=10.0.80.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface="ether2 - WAN"
/ip dhcp-server network
# gateway is the router's own address on each VLAN (see /ip address above)
add address=10.0.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.10.1 netmask=24
add address=10.0.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.20.1 netmask=24
add address=10.0.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.30.1 netmask=24
add address=10.0.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.50.1 netmask=24
add address=10.0.80.0/24 gateway=10.0.80.10 netmask=24
/ip firewall address-list
add address=facebook.com list=Facebook
add address=www.facebook.com list=Facebook2
add address=www.youtube.com list=YouTube
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related connection-type=""
add action=drop chain=forward comment=Facebook disabled=yes dst-address-list=\
    Facebook log=yes
add action=drop chain=forward comment=Facebook2 disabled=yes dst-address-list=\
    Facebook2 log=yes
add action=drop chain=forward comment=YouTube disabled=yes dst-address-list=\
    YouTube log=yes
add action=fasttrack-connection chain=forward connection-state=\
    established,related
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect\F3n proxy" dst-port=80 \
    in-interface="ether4 - LAN" log=yes protocol=tcp to-ports=8080
add action=masquerade chain=srcnat out-interface-list=WAN
/ip proxy
set cache-on-disk=yes cache-path=disk1/lost+found enabled=yes \
    max-client-connections=1000 max-server-connections=1000 \
    serialize-connections=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/16,10.10.10.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=10.0.0.0/16,10.10.10.0/24
set api-ssl disabled=yes
/ip smb
set allow-guests=no domain=owndomain
/ip smb users
add name=it read-only=no
/system clock
set time-zone-name=Europe/London
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
/tool user-manager database
set db-path=user-manager

For now, this fixed the issue with the different VLANs and the ISP's router.