VLAN for WAN to enable access port with direct WAN connection

This topic is about VLAN, so a useful topic to read is: link.

main router: RB750GL with an Atheros 8327 chip

  • ether 1: WAN connection
  • ether 2: trunk to AP/switch
  • ether 3: trunk to switch
  • ether 4: trunk to AP/switch
  • ether 5: maintenance port

VLAN configuration done via /interface/ethernet/switch/vlan (→ reason: hardware offloading is disabled when using VLANs via “bridge VLAN filtering” (reference link)). → not done via bridge VLAN filtering as mentioned in the VLAN topic

  • VLAN 10: main vlan
  • VLAN xx: iot / guest / …

I now want to create a VLAN100 which gives me the possibility to ‘route’ a direct WAN connection to some ports on my AP/switches (a computer connected to those ports must receive an external WAN IP).
What I did was to add ether 1 to the LAN bridge, and ether1 is an access port for VLAN100. I changed my DHCP client from ether 1 to VLAN100, I changed the firewall settings and the NAT settings (VLAN100 is the WAN network).

Problem: VLAN100 does not receive an IP (no external IP) and no Internet connection is possible anymore.

What am I doing wrong?

/interface bridge
add admin-mac=...... auto-mac=no comment="Bridge voor Local Network" name="Bridge LAN" protocol-mode=none
add comment="Bridge voor WAN" disabled=yes name="Bridge WAN" protocol-mode=none
add name=bridge_maintenance protocol-mode=none
/interface vlan
add interface="Bridge LAN" name="VLAN Gasten" vlan-id=20
add interface="Bridge LAN" name="VLAN Main" vlan-id=10
add interface="Bridge LAN" name="VLAN Main_ext" vlan-id=15
add interface="Bridge LAN" name="VLAN VLVO" vlan-id=40
add interface="Bridge LAN" name="VLAN WAN" vlan-id=100
add interface="Bridge LAN" name="VLAN iot" vlan-id=30
/interface ethernet switch port
set 0 default-vlan-id=100 vlan-header=always-strip vlan-mode=fallback
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 4 vlan-mode=secure
/interface bridge port
add bridge="Bridge LAN" ingress-filtering=no interface=ether1
add bridge="Bridge LAN" frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether3
add bridge="Bridge LAN" frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether4
add bridge="Bridge LAN" frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether2
add bridge=bridge_maintenance ingress-filtering=no interface=ether5
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=40
add independent-learning=no ports=ether1,switch1-cpu,ether2,ether3,ether4 switch=switch1 vlan-id=100

Anyone have an idea?

thanks

You should not mix VLAN configuration under /interface ethernet switch and under /interface bridge. If you want to have it on switch chip, then configuration under bridge is straight forward without VLANs. Do keep VLAN interfaces, they are necessary in any config scenario.

The config you posted looks quite complete to me. You only have to add ports to bridge … it’s necessary even if you configure VLANs on switch chip.

Hold up mkx, this is an old model; I doubt it has effective switch chip utilization.
Suggest bridge vlan filtering may be the only viable method ???

RB750GL has got a decent switch chip (AR8327) and a slow MIPSBE CPU. Much like the RB951G, of which I own a few, and which work great when VLANs are configured on the switch chip directly.

Okay I stand corrected… Switch chip it is…

Which source/guide applies to this old device…

P. SWITCH CHIP VLANS
Switch Chip Features - https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features
CRS1 / CRS2 -Switches - https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835
CRS3 / CRS5 / CCR2 Switches - https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features
L3 Hardware Offloading - https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading

I used this reference: Basic VLAN Switching

@mkx
I didn’t mix /interface ethernet switch with /interface bridge (I think) → every port in the bridge settings has “ingress-filtering=no” (I thought it disables all VLAN settings in the bridge part)

The config you posted looks quite complete to me. You only have to add ports to bridge … it’s necessary even if you configure VLANs on switch chip.

The ports are added to the bridge (ether 1 to ether 4).

Everything works great, when I use Ether 1 as a ‘normal’ WAN port, and the VLAN 10-50 on the Bridge. When I try to create the VLAN100 for the WAN, it breaks.

Indeed ports are bridge members. I missed that due to useless crap of VLAN config (which, BTW, doesn’t do anything because bridge doesn’t have vlan-filtering=yes set … nothing to do with ingress-filtering, that’s another functionality).

I think that setting vlan-mode=fallback on ether1 is not correct for an access port. I have it set to vlan-mode=secure and it works correctly as an access port for the set default VLAN id.
Also verify this: the switch1-cpu port (on my RB951G it’s the last port with index 5; 0-4 are ether1-5) should be set to vlan-mode=secure.

BTW, I always recommend to enable safe mode when changing settings on switch chip … if things go wrong, reset to default config (button press or similar) is the only way to regain management access.

Thanks, I will try it tomorrow… I also have set ether 5 as a separate maintenance port as an extra safety measure.

Thanks,

Setting vlan-mode=secure for the access port and the switch was the solution; I’m now getting an external IP address on my VLAN-WAN. → it works.

I’ll do some further testing and will post a working config as reference for future readers.

Working setting:

Ether1 and 5= Access port for VLAN 100. (set 0 resp. set 3)
Ether1 = connection to provider

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment="Bridge voor Local Network" name="Bridge LAN" protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps

/interface vlan
add interface="Bridge LAN" name="VLAN Gasten" vlan-id=20
add interface="Bridge LAN" name="VLAN Main" vlan-id=10
add interface="Bridge LAN" name="VLAN Main_ext" vlan-id=15
add interface="Bridge LAN" name="VLAN VLVO" vlan-id=40
add interface="Bridge LAN" name="VLAN WAN" vlan-id=100
add interface="Bridge LAN" name="VLAN iot" vlan-id=30

/interface ethernet switch port
set 0 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=secure

/interface bridge port
add bridge="Bridge LAN" ingress-filtering=no interface=ether1
add bridge="Bridge LAN" ingress-filtering=no interface=ether3
add bridge="Bridge LAN" ingress-filtering=no interface=ether4
add bridge="Bridge LAN" ingress-filtering=no interface=ether2
add bridge="Bridge LAN" ingress-filtering=no interface=ether5

/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=40
add independent-learning=no ports=ether1,switch1-cpu,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=100

But I still have a problem getting IP addresses from my provider.
I receive 1 IP address for the main router (on the interface VLAN WAN).
But when I connect a computer to ether 5, it doesn’t receive an address.
When I do the same on one of my AP/switches, and I sniff on ether1 (via mirror port to ether 5 and Wireshark), I can see the DHCP discovery messages on ether 1 (so the LAN part looks OK), but I do not see any responses.
Even more strange: when I create a VLAN interface on my hAP ac2 (one of the switch/APs) and set a DHCP client, → it receives an IP address (and via Wireshark I can see the different DHCP handshaking). When I do the same on the other switch/AP, the hAP ax3, no IP address, and only a DHCP discovery message is ‘sniffed’.

Any Ideas?

Verify that ether5 really has index number 3 under /interface ethernet switch port, I’m betting it’s index number 4. Executing command print shows port names instead of indices.

Yeah, that looked also strange to me, but:

0 ether1       switch1  secure     always-strip  100            
1 ether3       switch1  secure     leave-as-is   auto           
2 ether4       switch1  secure     leave-as-is   auto           
3 ether5       switch1  secure     always-strip  100            
4 ether2       switch1  secure     leave-as-is   auto           
5 switch1-cpu  switch1  secure     leave-as-is   auto

And port 5 is not connected now, that’s confirmed by:

Flags: X, I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#    INTERFACE  BRIDGE              HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
0  H ether1     Bridge LAN          yes     1  0x80             10                  10  none   
1  H ether3     Bridge LAN          yes     1  0x80             10                  10  none   
2  H ether4     Bridge LAN          yes     1  0x80             10                  10  none   
3  H ether2     Bridge LAN          yes     1  0x80             10                  10  none   
4 X  ether5     bridge_maintenance          1  0x80             10                  10  none   
5 IH ether5     Bridge LAN          yes     1  0x80             10                  10  none
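Added example (my own code, not from this thread or from MikroTik): a small Python checker for the two switch-chip sections posted above. It resolves the index-based "set N" lines of /interface ethernet switch port through the "print" output (the index-vs-name question mkx raised), then applies the rules that came up in the thread: every switch port including switch1-cpu in vlan-mode=secure, an access port's default-vlan-id present in the switch vlan table with that port as a member, and switch1-cpu a member of every VLAN the router has to terminate. The sample inputs are the working config and print output from the post above, embedded as constructed strings; the default values assumed for unset port options (vlan-mode=disabled, vlan-header=leave-as-is, default-vlan-id=auto) are the RouterOS defaults as I know them.

```python
import re

# Constructed sample: the working switch-port config posted in this thread.
SWITCH_PORT_CONFIG = """\
/interface ethernet switch port
set 0 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=secure
"""

# Constructed sample: the working switch vlan table posted in this thread.
SWITCH_VLAN_CONFIG = """\
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=40
add independent-learning=no ports=ether1,switch1-cpu,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=100
"""

# Constructed sample: "/interface ethernet switch port print" output from the thread,
# which is the only place the index -> port-name mapping is visible.
PORT_PRINT = """\
0 ether1       switch1  secure     always-strip  100
1 ether3       switch1  secure     leave-as-is   auto
2 ether4       switch1  secure     leave-as-is   auto
3 ether5       switch1  secure     always-strip  100
4 ether2       switch1  secure     leave-as-is   auto
5 switch1-cpu  switch1  secure     leave-as-is   auto
"""

_TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_kv(line):
    """Turn 'key=value key2="quoted value"' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _TOKEN.findall(line)}


def parse_port_index_map(print_out):
    """Map switch-port index -> interface name from the 'print' output."""
    mapping = {}
    for line in print_out.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            mapping[int(parts[0])] = parts[1]
    return mapping


def parse_switch_ports(cfg, index_map):
    """Parse 'set N k=v ...' lines, resolving N via index_map.
    Returns (ports-by-name, problems); unset options get assumed RouterOS defaults."""
    ports, problems = {}, []
    for line in cfg.splitlines():
        m = re.match(r"set\s+(\d+)\s+(.*)", line.strip())
        if not m:
            continue
        idx = int(m.group(1))
        name = index_map.get(idx)
        if name is None:
            problems.append(f"set {idx}: index not present in 'print' output")
            continue
        settings = {"vlan-mode": "disabled", "vlan-header": "leave-as-is",
                    "default-vlan-id": "auto"}  # assumed defaults
        settings.update(parse_kv(m.group(2)))
        ports[name] = settings
    return ports, problems


def parse_switch_vlans(cfg):
    """Parse 'add ... ports=a,b vlan-id=N' lines into {vlan_id: set(ports)}."""
    vlans = {}
    for line in cfg.splitlines():
        if not line.strip().startswith("add "):
            continue
        kv = parse_kv(line)
        if "vlan-id" in kv:
            vlans[int(kv["vlan-id"])] = set(kv.get("ports", "").split(","))
    return vlans


def lint(ports, vlans, cpu_port="switch1-cpu"):
    """Apply the thread's rules; returns a list of human-readable findings."""
    findings = []
    for name, s in ports.items():
        if s["vlan-mode"] != "secure":
            findings.append(f"{name}: vlan-mode={s['vlan-mode']}, expected secure")
        if s["default-vlan-id"] != "auto":  # access port: PVID must be a real VLAN
            pvid = int(s["default-vlan-id"])
            members = vlans.get(pvid)
            if members is None:
                findings.append(f"{name}: default-vlan-id={pvid} has no switch vlan entry")
            elif name not in members:
                findings.append(f"{name}: not a member of its own default VLAN {pvid}")
    for vid, members in vlans.items():
        if cpu_port not in members:  # CPU must see the VLAN for /interface vlan to work
            findings.append(f"VLAN {vid}: {cpu_port} is not a member, router cannot terminate it")
        for p in members:
            if p not in ports:
                findings.append(f"VLAN {vid}: member {p} has no switch port entry")
    return findings


def lint_config(port_cfg, vlan_cfg, print_out):
    """Parse all three inputs and return the combined findings (empty = clean)."""
    ports, problems = parse_switch_ports(port_cfg, parse_port_index_map(print_out))
    return problems + lint(ports, parse_switch_vlans(vlan_cfg))


if __name__ == "__main__":
    for f in lint_config(SWITCH_PORT_CONFIG, SWITCH_VLAN_CONFIG, PORT_PRINT) or ["clean"]:
        print(f)
```

Run it against an export before touching a live device: a "set N" line that does not line up with the print output, or an access port left in vlan-mode=fallback, shows up as a finding instead of as a lost management session after the change.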

Did you perform “cold boot” of your mikrotik after finalizing configuration? In some rare cases actual configuration of hardware (switch chip) did not match shown config. So actual performance seemed to be erratic.
Cold boot (starting from state with power source disconnected) solved that.

aaahhhgg,
why didn’t I think about “did you restart your device?”

→ I rebooted the router and the providers modem… → everything works as a charm.

Thanks @mkx for the support!