Trunk VLAN to switch

Hello Guys,

I decided to give Mikrotik hardware / OS a try to include it in my network and I recently started to play with a 450G.
Before anything, I’d like to mention that I read lots of different things about following question and I’m not able to find an answer.

Setup is: RB450G → Netgear Manageable Switch (GS110TP) → Rest of network
The switch is able to get an IP address from the DHCP server, so is the rest of the network.
So far, pretty basic stuff, huh :slight_smile: I’m able to reach the switch web interface and that’s great.

Now I want to create one or more VLANs on the 450G and trunk them towards the switch. This is where things get fuzzy.

1/ I created a VLAN (ID 100) on the Mikrotik
2/ I assigned it an address
3/ I created a pool of addresses assigned to the DHCP server and finally added a network to the DHCP server
4/ Then on the Netgear switch I configured the VLAN, tagged port 1 (connected to Mikrotik ether 5) with vlan 100 and untagged port 2 with vlan 100 (going to raspberry pi for testing purposes)

The Raspberry Pi is unable to get an IP address from the DHCP server, so I thought about switching ether 5 from slave to master, and it worked!
But now the switch itself is unable to get an IP from the “base” network and is unreachable.

What’s the correct way of trunking vlan(s) to a switch and make it so I can still access its web interface for management ?

Any help will be really appreciated.

Thanks

Post your config.

Basically you want to create a bridge per VLAN. e.g. bridge-vlan100 and bridge-vlan1.

Then you want to create the vlan interfaces on the appropriate interfaces (the ones you want tagged).

Then you bridge together the untagged ports and the vlan ports.

This is a config I wrote for someone else… yours would look similar (interface names made consistent between the sections, and the tagged vlan sub-interfaces, not the raw trunk port, are the bridge members):
/interface bridge
add comment="VLAN 10 Bridge" l2mtu=1584 name=bridge-vlan10 protocol-mode=none
add comment="VLAN 20 Bridge" l2mtu=1584 name=bridge-vlan20 protocol-mode=none
add comment="VLAN 30 Bridge" l2mtu=1584 name=bridge-vlan30 protocol-mode=none

/interface ethernet
# every port that carries a vlan interface or joins a bridge must be a master port, not a switch slave
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] master-port=none name=ether2-vlan10
set [ find default-name=ether3 ] master-port=none name=ether3-vlan20
set [ find default-name=ether4 ] master-port=none name=ether4-vlan30
set [ find default-name=ether5 ] master-port=none name=ether5-trunk
set [ find default-name=ether6 ] master-port=none name=ether06-slave-local disabled=yes
set [ find default-name=ether7 ] master-port=none name=ether07-slave-local disabled=yes
set [ find default-name=ether8 ] master-port=none name=ether08-slave-local disabled=yes
set [ find default-name=ether9 ] master-port=none name=ether09-slave-local disabled=yes
set [ find default-name=ether10 ] master-port=none name=ether10-slave-local disabled=yes

/interface vlan
# one 802.1Q sub-interface per VLAN on the trunk port
add interface=ether5-trunk name=vlan10-ether5-trunk vlan-id=10
add interface=ether5-trunk name=vlan20-ether5-trunk vlan-id=20
add interface=ether5-trunk name=vlan30-ether5-trunk vlan-id=30

/interface bridge port
# each bridge joins one untagged access port with the matching tagged sub-interface
add bridge=bridge-vlan10 interface=ether2-vlan10
add bridge=bridge-vlan10 interface=vlan10-ether5-trunk
add bridge=bridge-vlan20 interface=ether3-vlan20
add bridge=bridge-vlan20 interface=vlan20-ether5-trunk
add bridge=bridge-vlan30 interface=ether4-vlan30
add bridge=bridge-vlan30 interface=vlan30-ether5-trunk

By default RouterOS will pass all traffic, so if you only have the config above both networks should be able to access each other.

But post your config and I can fix it.

-Eric
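The bridge-per-VLAN pattern described in the reply above, applied to the RB450G topology from this thread, as an added example (it is not efaden's config nor the original poster's export). Assumptions not in the thread: ether1 is the WAN uplink, ether5 is the trunk to the Netgear, ether4 is turned into an untagged VLAN 100 access port on the router itself, 10.1.0.0/24 is the VLAN 100 subnet (the one the poster later uses), and the syntax is RouterOS 6.x before 6.41 (master-port style switch grouping, one bridge per VLAN).

```routeros
# Added example, not from any post in this thread.
# Assumed roles: ether1 = WAN, ether4 = untagged VLAN 100 access port,
# ether5 = 802.1Q trunk to the GS110TP (its port 1 tagged for VLAN 100).

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
# ports that carry a vlan interface or join a bridge must be master ports
set [ find default-name=ether4 ] master-port=none name=ether4-vlan100
set [ find default-name=ether5 ] master-port=none name=ether5-trunk

/interface bridge
# the bridge, not the vlan sub-interface, carries the IP and the DHCP server
add comment="VLAN 100 bridge" name=bridge-vlan100 protocol-mode=none

/interface vlan
# frames sent out of this sub-interface leave ether5 tagged with VID 100
add interface=ether5-trunk name=vlan100-ether5-trunk vlan-id=100

/interface bridge port
# the untagged local port and the tagged trunk member form one L2 domain
add bridge=bridge-vlan100 interface=ether4-vlan100
add bridge=bridge-vlan100 interface=vlan100-ether5-trunk

/ip address
add address=10.1.0.1/24 interface=bridge-vlan100 network=10.1.0.0

/ip pool
add name=vlan100-dhcppool ranges=10.1.0.50-10.1.0.254

/ip dhcp-server
add address-pool=vlan100-dhcppool disabled=no interface=bridge-vlan100 name=vlan100-dhcpserver
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=10.1.0.1 gateway=10.1.0.1
```

With this, a host on ether4 (untagged) and a host on an untagged VLAN 100 port of the Netgear get leases from the same 10.1.0.0/24 pool and see each other at layer 2. If you only need VLAN 100 on the trunk and have no local access port for it, the bridge is unnecessary and the address can sit directly on vlan100-ether5-trunk, which is what the poster's later export does. Check membership with `/interface bridge port print` and watch the tagged frames arrive with `/tool torch interface=ether5-trunk`.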

In addition to setting untagged membership of VLAN 100 on port 2 of the switch you need to set the PVID for port 2 to 100 - the option is right below VLAN membership on that Netgear switch.

The GS110TP allows you to set which VLAN the management interface is on - unfortunately not all low cost VLAN aware switches do! The setting is in IP configuration.

efaden, thanks a bunch for your answer, really appreciated!

1/ So the port has to be a master port (and use a bridge), not a slave, correct?
2/ How can the switch get its own IP address for management ? It won’t “see” regular network anymore, right ?

CelticComms, thanks as well for your answer - PVID was set and I forgot to mention it.
My other issue (point 2 above) is that the switch doesn’t get an address for management.
I’m going to have a look in the interface, but I can’t remember seeing such setting to set VLAN for management interface.

Once again, thank you!

Post your export and I’ll look at it later.


If you don’t see the setting under IP Configuration then check the firmware version and update if necessary. The GS110TP usually has that feature.

Here you go - note that Mikrotik manages the VLANs and trunks them onto a single port.
There’s no vlan 100 / 200 or whatever connected directly to any of its ports as mentioned in your code.
I can’t find anybody explaining how this would work…

It’s Mikrotik with vlan declared locally → trunked or whatever the name is onto eth5 connected to a switch onto which devices of different vlans will be connected using untagged ports.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-trunk
/ip neighbor discovery
set ether1-gateway discover=no
/interface vlan
add interface=ether5-trunk l2mtu=1516 name=vlan100-ether5-trunk vlan-id=100
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=network-dhcppool ranges=10.0.0.50-10.0.0.254
add name=vlan100-dhcppool ranges=10.1.0.50-10.1.0.254
/ip dhcp-server
add address-pool=network-dhcppool disabled=no interface=ether2-master-local name=network-dhcpserver
add address-pool=vlan100-dhcppool disabled=no interface=vlan100-ether5-trunk name=vlan100-dhcpserver
/ip address
add address=10.0.0.1/24 interface=ether2-master-local network=10.0.0.0
add address=10.1.0.1/24 interface=vlan100-ether5-trunk network=10.1.0.0
/ip dhcp-server network
add address=10.0.0.0/24 comment="default configuration" dns-server=10.0.0.1 gateway=10.0.0.1
add address=10.1.0.0/24 dns-server=10.1.0.1 gateway=10.1.0.1
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0

A Raspberry Pi connected to ether5 is configured right now as follows:

  • I manually set eth0 inet to 10.0.0.50/24
  • I manually set eth0.100 inet to 10.1.0.50/24

Then:

  • Can’t ping 10.0.0.1 from eth0
  • Can’t ping 10.1.0.1 from eth0
  • Can ping 10.1.0.1 from eth0.100
  • Can’t ping 10.0.0.1 from eth0.100

How can the Raspberry see the “non-VLAN” network 10.0.0.0/24, and why can’t the rest be reached?

What version are you running? Some of the older versions cannot run tagged and untagged packets on the same port.

6.7 apparently

Edit 1:
After upgrade to 6.10, results are the same.

Edit 2:
OK so as far as I was able to read, having both tagged and untagged packets going through a port is not possible (at least with the 450G). So that clears one of my questions. I think the way to go is then to create a management VLAN onto which my switch(es) / access point(s) will request their IP address; a little bit worried though regarding my Netgear AP running DD-WRT, not sure it can do it.

Regarding why 10.1.0.50 (eth0.100 on Raspberry PI) can’t see 10.0.0.1, I think it’s just because no default gateway is set on the raspberry PI so I should be fine with my current setup.

Yeah… It depends on the switch chip and software version. Good to know the 450G can’t do both.

The solution is to just tag both…

You don’t need a default gateway if the target address is within the range of a connected interface.
I would test using the Netgear switch at first then look at the Pi after the routerboard/switch combination is working as expected.

If you aren’t using switch commands then only the RouterOS capabilities should matter. Chip limitations may be misleading so don’t confuse chip VLAN capabilities with general RouterOS VLAN capabilities.

My Raspberry PI is connected straight to the Mikrotik ether5 and I configured both eth0 and eth0.100 onto the rpi.
If I ping 10.0.0.1 while specifying eth0.100 as source interface it doesn’t work.
Don’t you think it’s because it doesn’t know that 10.1.0.1 should be contacted to reach 10.0.0.1 ?

Are you talking about CPU ? Not sure to understand what you mean.

Thanks

I think maybe you mistyped the question but certainly if you force the traffic via an interface without indicating a gateway on its network you could expect an error.

Placing VLAN virtual interfaces on physical Ethernet interfaces is a core RouterOS feature. I think the problems regarding untagged and tagged traffic that you may have read about are probably related to some specific switch features thus Routerboard model dependent. As far as I can see you are not using any switch-based VLAN features at this time so you should be able to have both tagged traffic and untagged traffic on the port.

OpenWRT: The switch chipset (Atheros AR8316) however does not provide support for mixing tagged and untagged VLAN’s on the same port.

Jeroen1000: If you read around a bit, you will see that ROS cannot support tagged and untagged frames on the same interface (supposedly a hardware limitation). I practically wrote a book on it here on the forums before support said it could not be done.

Maybe I don’t get what you say, because I tried everything and I couldn’t have both tagged and untagged frames “go” through a single port.
So I went for a management VLAN.

Is there any reason in my situation to use switch_cpu, … ? I will try to read more about it but except to add vlan to frames missing it, or getting rid of it, secure, … I don’t see a reason.
But I saw there are speed reasons ?!

The first of those quotes clearly relates to VLAN capabilities on the 8316. I suspect that the second one does too though I couldn’t immediately see the context.

I opened a session to a RouterBoard with the 8316 a couple of minutes ago and observed:

Traffic on 6 VLANs (tagged frames)
Switch STP traffic as untagged frames

above on the same ether port and that port is an 8316 port.

Try using Torch on an interface to see what is going on in the traffic.

But I’m wondering anyway if I should keep going this way.
Only reason why I want to have both tagged and untagged frames go through is to have my switches and access point get an address on same range as router itself.

I went for a management vlan and both of my switch are getting IP on this vlan now and it works as expected.

Any best practice there ?

From a security perspective there are often good reasons to avoid using untagged traffic on trunk ports. Using a management VLAN is a good idea.
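A worked version of that advice, as an added example (not the configuration of anyone in this thread): a routed management VLAN for the switches and access points, a user VLAN, and firewall rules so that only the management VLAN can reach the router's management services and user hosts cannot reach the management subnet. Assumptions not in the thread: ether5-trunk and ether1-gateway are named as in the poster's export, VLAN 99 (10.99.0.0/24) is management, VLAN 100 (10.1.0.0/24) is users, the switch MAC address is a placeholder, the GS110TP port facing the router is tagged for both 99 and 100 with its management VLAN set to 99, and these filter rules replace the "default configuration" input/forward rules rather than being appended to them. RouterOS 6.x syntax.

```routeros
# Added example, not from any post in this thread.
# VLAN 99 = management (switches, APs), VLAN 100 = users, both tagged on ether5.

/interface vlan
add interface=ether5-trunk name=vlan99-mgmt vlan-id=99
add interface=ether5-trunk name=vlan100-ether5-trunk vlan-id=100

/ip address
add address=10.99.0.1/24 interface=vlan99-mgmt network=10.99.0.0
add address=10.1.0.1/24 interface=vlan100-ether5-trunk network=10.1.0.0

/ip pool
add name=mgmt-dhcppool ranges=10.99.0.50-10.99.0.99
add name=vlan100-dhcppool ranges=10.1.0.50-10.1.0.254

/ip dhcp-server
add address-pool=mgmt-dhcppool disabled=no interface=vlan99-mgmt name=mgmt-dhcpserver
add address-pool=vlan100-dhcppool disabled=no interface=vlan100-ether5-trunk name=vlan100-dhcpserver
/ip dhcp-server network
add address=10.99.0.0/24 dns-server=10.99.0.1 gateway=10.99.0.1
add address=10.1.0.0/24 dns-server=10.1.0.1 gateway=10.1.0.1
# static lease so the switch keeps a predictable management address
# (00:11:22:33:44:55 is a placeholder, replace with the GS110TP MAC)
/ip dhcp-server lease
add address=10.99.0.2 mac-address=00:11:22:33:44:55 server=mgmt-dhcpserver comment="GS110TP"

# do not announce the router (MNDP/CDP) into the user VLAN or toward the WAN
/ip neighbor discovery
set ether1-gateway discover=no
set vlan100-ether5-trunk discover=no

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
# management services (ssh, www, winbox) only from the management VLAN
add chain=input in-interface=vlan99-mgmt protocol=tcp dst-port=22,80,8291 action=accept
add chain=input in-interface=vlan99-mgmt protocol=udp dst-port=53,67 action=accept
# user VLAN only needs DHCP and DNS from the router
add chain=input in-interface=vlan100-ether5-trunk protocol=udp dst-port=53,67 action=accept
add chain=input in-interface=vlan100-ether5-trunk protocol=tcp dst-port=53 action=accept
add chain=input action=drop
# forward chain: users may not initiate connections into the management VLAN
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan100-ether5-trunk out-interface=vlan99-mgmt action=drop
```

Because the router's own services are reachable only through vlan99-mgmt, a host on an untagged VLAN 100 port of the switch can still obtain a lease and resolve names but cannot open the router's web or Winbox interface, nor reach the switch at 10.99.0.2. Verify from a VLAN 100 host that `10.99.0.2` times out, and from a VLAN 99 host that it answers. The Netgear web interface is then reached on its VLAN 99 address; nothing untagged needs to travel over the trunk.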

Thank you for all your answers guys!