VLAN configuration pfsense + Mikrotik CRS125-24G-1S-2HnD-IN

Hi,
I am fairly new to VLAN configs on Mikrotik, so I hope somebody can help me out.
I have configured 4 different VLANs on one interface of my pfsense firewall / router (VLAN IDs 20, 40, 80 and 90), so traffic there is sent VLAN tagged. On each of these virtual interfaces I have configured a DHCP server that will hand out IPs in a certain range. The port can also carry some untagged traffic.

Now I want to connect my Mikrotik CRS125-24G-1S-2HnD-IN in this configuration

  • Switch port 1: Trunk port that is connected to the pfsense that will carry the above 4 vlans
  • Switch port 2: should serve as a trunk port towards my Ubiquiti wireless access points. It should carry VLAN IDs 20, 80 and 90 (not 40)
    (port 3-4 reserved as potential future trunks)
  • Switch port 5-8: Should only carry vlan 20 traffic as access ports (so untagged)
  • Switch port 9-12: Should only carry vlan 40 traffic as access ports (so untagged)
  • Switch port 13-16: Should only carry vlan 80 traffic as access ports (so untagged)
  • Switch port 17-20: Should only carry vlan 90 traffic as access ports (so untagged)
    (port 21-24 currently not used, for future use)

I tried looking in the interface, but I was quickly confused by all the different submenus with VLAN settings (you have a VLAN config in the “interfaces” tab, then VLAN settings in the switch tab and also at some other places). Can somebody guide me through this configuration (and maybe also briefly describe the purpose of the different VLAN settings in the different categories)?

The software version on the switch is RouterOS v6.44.3

Thanks a lot,

A newbie

I did add another vlan and wanted to reach this config

port 1: no config: port to manage the switch

I first made sure that all ports were part of bridge1 for hardware

# Create bridge1
/interface bridge
add name=bridge1

# Hardware switch together all ports
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
...
add bridge=bridge1 interface=ether24 hw=yes

Then I configured the access ports that should have untagged vlan traffic (port 5-24 carry various vlans)

/interface ethernet switch ingress-vlan-translation
add ports=ether5 customer-vid=0 new-customer-vid=10
add ports=ether6 customer-vid=0 new-customer-vid=10
add ports=ether7 customer-vid=0 new-customer-vid=20
add ports=ether8 customer-vid=0 new-customer-vid=20
add ports=ether9 customer-vid=0 new-customer-vid=40
add ports=ether10 customer-vid=0 new-customer-vid=40
add ports=ether11 customer-vid=0 new-customer-vid=40
add ports=ether12 customer-vid=0 new-customer-vid=40
add ports=ether13 customer-vid=0 new-customer-vid=70
add ports=ether14 customer-vid=0 new-customer-vid=70
add ports=ether15 customer-vid=0 new-customer-vid=70
add ports=ether16 customer-vid=0 new-customer-vid=70
add ports=ether17 customer-vid=0 new-customer-vid=80
add ports=ether18 customer-vid=0 new-customer-vid=80
add ports=ether19 customer-vid=0 new-customer-vid=80
add ports=ether20 customer-vid=0 new-customer-vid=80
add ports=ether21 customer-vid=0 new-customer-vid=90
add ports=ether22 customer-vid=0 new-customer-vid=90
add ports=ether23 customer-vid=0 new-customer-vid=90
add ports=ether24 customer-vid=0 new-customer-vid=90

port 2: Trunk coming from pfsense, carrying vlan 10, 20, 40, 70, 80, 90, tagged traffic. Pfsense serves as router, firewall and dhcp server, so IPs are assigned from there

/interface ethernet switch egress-vlan-tag
# incoming trunk from pfsense
add tagged-ports=ether2 vlan-id=10
add tagged-ports=ether2 vlan-id=20
add tagged-ports=ether2 vlan-id=40
add tagged-ports=ether2 vlan-id=70
add tagged-ports=ether2 vlan-id=80
add tagged-ports=ether2 vlan-id=90

port 3: should carry tagged VLAN traffic for 40, 70, 80 and 90 towards a Ubiquiti wireless AP. However, this step failed with “failure: already have such switch egress vlan tag entry”

/interface ethernet switch egress-vlan-tag
# outgoing to Ubiquiti AP
add tagged-ports=ether3 vlan-id=40
add tagged-ports=ether3 vlan-id=70
add tagged-ports=ether3 vlan-id=80
add tagged-ports=ether3 vlan-id=90

Does anyone have an idea how to make this work? Port 3 should forward traffic coming from the pfsense device on port 2 for VLAN 40, 70, 80 and 90 towards the Ubiquiti AP.

Then I finished the configuration with:

# Add entries to the VLAN table to specify VLAN memberships for each port and each VLAN ID
/interface ethernet switch vlan
add ports=ether2,ether5,ether6 vlan-id=10
add ports=ether2,ether7,ether8 vlan-id=20
add ports=ether2,ether3,ether9,ether10,ether11,ether12 vlan-id=40
add ports=ether2,ether3,ether13,ether14,ether15,ether16 vlan-id=70
add ports=ether2,ether3,ether17,ether18,ether19,ether20 vlan-id=80
add ports=ether2,ether3,ether21,ether22,ether23,ether24 vlan-id=90

# After a valid VLAN configuration has been set up, you can enable unknown/invalid VLAN filtering
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24

In addition to the error I get when configuring port 3: would I need additional settings for security?

Have you followed the link below?

https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples

If so, where are you getting stuck?

Seems like you can’t add another config line for the same vlan-id=xx; rather, you should change the existing config line … like this

/interface ethernet switch egress-vlan-tag
set [ find vlan-id=40 ] tagged-ports=ether2,ether3
set [ find vlan-id=70 ] tagged-ports=ether2,ether3
set [ find vlan-id=80 ] tagged-ports=ether2,ether3
set [ find vlan-id=90 ] tagged-ports=ether2,ether3

Or, if the above construct with [ find vlan-id=xx ] doesn’t work, use index numbers, displayed by executing print just before using set YY tagged-ports=ether2,ether3 (where YY is the index number).

Yes, I am following that example. However, in the examples there is only 1 trunk port and the rest are access ports. I am stuck when configuring a second trunk port, with the error message I showed in my second post.

> Or, if above construct with [ find vlan-id=xx ] doesn’t work, use index numbers, displayed by executing print just before using set YY tagged-ports=ether2,ether3 (where YY is index number).

What would that syntax look like: print, then set YY tagged-ports=ether2,ether3?

Any reason I cannot just do

add tagged-ports=ether2 vlan-id=10
add tagged-ports=ether2 vlan-id=20
add tagged-ports=ether2,ether3 vlan-id=40
add tagged-ports=ether2,ether3 vlan-id=70
add tagged-ports=ether2,ether3 vlan-id=80
add tagged-ports=ether2,ether3 vlan-id=90

again, and just add ether3 for the 4 VLANs?

The command would look like this:

/interface ethernet switch egress-vlan-tag
set 2 tagged-ports=ether2,ether3

where the “2” in the command would be the same index as printed in (I guess) first column of output of

/interface ethernet switch egress-vlan-tag print

and where vlan-id corresponds to VID to which you want to add ether3 as tagged port.


The commands above are fine. But they might work only if there isn’t an existing definition targeting the same vlan-id.

There are quite a few configuration sections where you cannot (or you can, but things go haywire) add configuration targeting the same basic “quantity” … such as vlan-id in the list of egress port members (who knows how these commands translate to the actual switch chip configuration). In those places, when you want to do some config, you cannot add configuration; you rather have to change the existing configuration. And a change in configuration is done using set.

So again: the above quoted commands would probably work just fine, but only if the previous state of /interface ethernet switch egress-vlan-tag was an empty config.

Thanks; this worked. Thanks for all the support.

The settings mentioned in this thread, are they OK from a security point of view, or do I need to take additional steps if I am using VLANs to separate my networks for security purposes?

Settings seem fine to me.

But then … I don’t have any CRS1xx so I can’t say for sure there isn’t something that should be set.
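As an added example (not code from this thread, from MikroTik, or from pfSense), here is a small Python audit that parses the CRS1xx switch-chip sections shown above and checks the two things the thread turns on: the "one entry per vlan-id in egress-vlan-tag" rule behind the “already have such switch egress vlan tag entry” error, and whether the resulting VLAN setup is consistent and filtered on every port, which is what the final security question asks about. The sample configs are constructed from the posts (one access port per VLAN, to keep them short); the consistency rules (trunk ports present in the vlan table, access ports member of exactly one VLAN and never tagged, every VLAN-carrying port listed in drop-if-invalid-or-src-port-not-member-of-vlan-on-ports) are my own assumptions about a sane config, and the parser assumes plain `add`/`set key=value` lines as produced by an export, not the `[ find ... ]` form.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's switch-chip config after ether3 was merged
# into the existing egress-vlan-tag entries (exactly one entry per vlan-id).
FIXED_CONFIG = """
/interface ethernet switch ingress-vlan-translation
add ports=ether5 customer-vid=0 new-customer-vid=10
add ports=ether7 customer-vid=0 new-customer-vid=20
add ports=ether9 customer-vid=0 new-customer-vid=40
add ports=ether13 customer-vid=0 new-customer-vid=70
add ports=ether17 customer-vid=0 new-customer-vid=80
add ports=ether21 customer-vid=0 new-customer-vid=90
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2 vlan-id=10
add tagged-ports=ether2 vlan-id=20
add tagged-ports=ether2,ether3 vlan-id=40
add tagged-ports=ether2,ether3 vlan-id=70
add tagged-ports=ether2,ether3 vlan-id=80
add tagged-ports=ether2,ether3 vlan-id=90
/interface ethernet switch vlan
add ports=ether2,ether5 vlan-id=10
add ports=ether2,ether7 vlan-id=20
add ports=ether2,ether3,ether9 vlan-id=40
add ports=ether2,ether3,ether13 vlan-id=70
add ports=ether2,ether3,ether17 vlan-id=80
add ports=ether2,ether3,ether21 vlan-id=90
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether3,ether5,ether7,ether9,ether13,ether17,ether21
"""

# Constructed sample of the pre-fix state: ether3 added as a *second* entry per
# vlan-id (the form RouterOS refuses) and ether3 left out of the drop list.
BROKEN_CONFIG = FIXED_CONFIG.replace("ether2,ether3 vlan-id", "ether2 vlan-id").replace(
    "ether2,ether3,ether5,", "ether2,ether5,") + """
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether3 vlan-id=40
add tagged-ports=ether3 vlan-id=70
add tagged-ports=ether3 vlan-id=80
add tagged-ports=ether3 vlan-id=90
"""

SECTION_TAG = "/interface ethernet switch egress-vlan-tag"
SECTION_XLATE = "/interface ethernet switch ingress-vlan-translation"
SECTION_VLAN = "/interface ethernet switch vlan"
SECTION_SW = "/interface ethernet switch"
DROP_KEY = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"


def parse_export(text):
    """Group `add`/`set key=value ...` lines under their /path section."""
    sections, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        if verb in ("add", "set"):
            sections[section].append(dict(re.findall(r"(\S+?)=(\S*)", rest)))
    return sections


def ports(value):
    return {p for p in value.split(",") if p}


def audit(text):
    """Return a list of findings; an empty list means the config is consistent."""
    cfg, findings = parse_export(text), []

    tagged = {}                      # vlan-id -> ports that send it tagged
    for e in cfg[SECTION_TAG]:
        if e["vlan-id"] in tagged:   # a second add here is the thread's error
            findings.append(f"duplicate egress-vlan-tag entry for vlan-id={e['vlan-id']}; use set")
        tagged.setdefault(e["vlan-id"], set()).update(ports(e["tagged-ports"]))

    members = {}                     # vlan-id -> all member ports (vlan table)
    for e in cfg[SECTION_VLAN]:
        members.setdefault(e["vlan-id"], set()).update(ports(e["ports"]))

    access = {}                      # port -> VID assigned to its untagged frames
    for e in cfg[SECTION_XLATE]:
        if e.get("customer-vid") == "0":
            for p in ports(e["ports"]):
                access[p] = e["new-customer-vid"]

    for vid, tps in tagged.items():  # trunk ports need a vlan-table membership
        for p in sorted(tps - members.get(vid, set())):
            findings.append(f"{p} tagged for vlan-id={vid} but missing from the vlan table")

    for p, vid in sorted(access.items()):  # access ports: one VLAN, never tagged
        if p not in members.get(vid, set()):
            findings.append(f"{p} maps untagged frames to vlan-id={vid} but is not a member")
        extra = sorted(v for v, ps in members.items() if p in ps and v != vid)
        if extra:
            findings.append(f"access port {p} is also a member of vlan-id={','.join(extra)}")
        if any(p in tps for tps in tagged.values()):
            findings.append(f"access port {p} also appears as a tagged port")

    filtered = set()                 # ports with ingress VLAN filtering enabled
    for e in cfg[SECTION_SW]:
        filtered |= ports(e.get(DROP_KEY, ""))
    in_use = set().union(*members.values()) if members else set()
    for p in sorted(in_use - filtered):
        findings.append(f"{p} carries VLAN traffic but is not in {DROP_KEY}")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("fixed", FIXED_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, audit(cfg_text) or "OK")
```

Run it against the output of `/interface ethernet switch export` (or a saved copy) instead of the embedded samples to audit a live switch; the broken sample reports the four duplicate vlan-id entries plus the unfiltered ether3, the fixed sample reports nothing.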