So we are trying to configure a VLAN connection for one of the clients thru our distribution port the devce on client side is a cyberoam router/firewall, but VLAN doesnt seems to work
can any one suggest some tips on this ?
USING CCR1009-8G-1S-1S+ on service provider side
VLAN.PNG
on other end we are simply defining IP address and vlan ID (ip address from /30subnet) do we need to do something else or this should work
PS: we tried direct IP addresses to the port and it works perfectly
How do you assign ips once the VLAN is in place?
I am assigning IPs to VLAN interfaces
192.168.48.0/30
Did you try to check the “use service tag” checkbox ?
yes tried that also
infact just made a setup in office with following setup with UBNT EdgeRouter- Lite
its not working here also
please see pics:
VLAN of main Router:
VLAN.PNG
IP Address of Main Router:
ipadd_main.PNG
Vlan and IP Address of ER-LITE:
vlan_er.PNG
Does ping work when you ping between erlite and 951 and viceversa?
no that’s the problem the basic of the basic even ping doesn’t works, I tried configuring IP directly on the interfaces it works. But once put on VLAN they don’t work
Can you post /interface ethernet switch export ?
Looks like something in between is “eating” tagged frames…
so the setup is :
PC <—> CCR1009(Vlan 3521) <—>ERLite (Vlan 3521) <—> PC
IP on CCR is 192.168.48.1/30
IP or ER Lite is 192.168.48.2/30
both routers are not able to ping each other.
there is no switch in between
Are the PCs configured to use VLAN tagging on their network connections?
Remember that VLAN is a layer2 thing (ethernet) and not an IP thing. Putting a VLAN sub-interface on ether2 means that anything connected to ether2 must expect tagged frames to listen to that VLAN, and must tag its frames with that VLAN when communicating on the VLAN.
Think of it like putting multiple channels on the same cable, and you have to “tune in” to the channel in order to see it.
Probably what you mean is that you’re receiving a vlan from upstream, and you want to pass that to a specific PC, right?
If this is the case, you need to configure a bridge:
/int bridge add name=Vlan3521
And you need to create the vlan sub-interface on the ethernet interface that points to the edgerouter (e.g. ether3)
/int vlan add name=eth3vlan3521 interface=ether3 vlan-id=3521
Then supposing the PC is on ether2, connect the vlan interface to the pc’s interface on the bridge:
/int bridge port
add bridge=Vlan3521 interface=eth3vlan3521
add bridge=Vlan3521 interface=ether2
You would need to do something similar in the edgerouter (I don’t know if it supports bridging or not)
thanks for your reply zerobyte,
currently not doing NATting or Route to PCs just checking from router to router
If you’re looking to provide a second IP interface on an existing link, but with a VLAN tag, then the Mikrotik side is very simple, just like what you did. Basically this makes the Mikrotik participate in the VLAN as an end device, but it can’t connect the VLAN to anything else without the bridge… but from what you’re saying, you just want to be an endpoint in a VLAN, so that’s fine for now.
If your laptop supports vlan tagging, then try configuring the laptop as the “remote device” and see if it can ping the Mikrotik (make sure the firewall input chain allows pings, or at least allows them from the VLAN interface) and if you can do that, then do the same thing with the ER to make sure it’s not the Mikrotik’s fault. I’ve never run into a situation where I had to use the service tag, so chances are, you don’t either.
ok it works once the interface is bridged and VLAN is created on the bridge . Dnt know why it cant work directly but only on a bridged interface thou
It can work without being attached to a bridge. Sometimes putting the vlan interface on the bridge is correct and sometimes bridging between the vlan interface and other ethernet interfaces is correct, and sometimes you don’t even need a bridge. It just depends on what you’re doing