vlan issue

Hello,

I have a CCR2004-1G-12S+2XS as a router, to replace my ISP router (Orange Livebox).
I have followed the instructions available on the French forum lafibre.info.
There is no VLAN on the dedicated LAN port.
At this point, without VLANs, everything works fine.

I have installed a CRS309 with 2 VLANs:
VLAN 1 is the default VLAN, untagged on all ports
VLAN 10 is the VLAN for some VMs, tagged on 2 ports dedicated to my VMware server (which hosts several VMs, some on VLAN 1, others on VLAN 10).
Here is the config:

# CRS309 side: a single bridge with VLAN filtering on, so the /interface bridge vlan table below is enforced.
/interface bridge
add admin-mac=78:9A:18:31:73:9E auto-mac=no comment=defconf name=bridge vlan-filtering=yes
# NOTE(review): L3 HW offload is enabled on the switch chip. If the CRS is meant to stay a pure L2
# switch (routing done by the CCR), confirm this setting is actually wanted.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface bridge vlan
# VLAN 10 tagged on the ARUBA uplink, both vmware ports and the CCR trunk (sfp-sfpplus5).
# The comment reads "vlan209vmware" while vlan-ids=10 -- the comment looks stale.
add bridge=bridge comment=vlan209vmware tagged=\
    sfp-sfpplus1-ARUBA,sfp-sfpplus2-vmware,sfp-sfpplus3-vmware,sfp-sfpplus5-LAN-CCR2004 vlan-ids=10
# VLAN 1 untagged on every listed port, including the CCR trunk, so that trunk carries VLAN 1
# untagged and VLAN 10 tagged. The "bridge" (CPU-facing) port is not a static member of either
# entry here; any membership it gets through the bridge's own pvid is not visible in this excerpt.
add bridge=bridge comment=LAN untagged="sfp-sfpplus1-ARUBA,sfp-sfpplus2-vmware,sfp-sfpplus3-vmware,sfp-sf\
    pplus4-pcfp,sfp-sfpplus6-nas,sfp-sfpplus5-LAN-CCR2004" vlan-ids=1

I have configured port sfpplus1 as tagged VLAN 10 and untagged VLAN 1 towards my other Aruba switch, and that works: hosts on VLAN 10 can ping the Aruba IP on VLAN 10.

But I don’t understand how to configure the VLANs between the CCR2004 and the CRS309 so that all VLANs can reach the internet.

On the CCR2004 side I have added VLAN 1 and VLAN 2 on the interface dedicated to the LAN, and on the CRS309 side I have tried several things, such as admitting only tagged VLANs, but without result.

I would like both VLANs to reach the internet but not to communicate with each other.

How do I do it?
Thank you for your help.

Did you read through this tutorial? The setup you showed is a bit awkward (it’s not recommended to use VLAN ID 1 for explicit setups).

And it’s likely that the problem lies in CCR setup. Can you show that config?

hello,

I have followed the documentation:
https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering
I will read your tutorial.
I didn’t know that VLAN ID 1 is not recommended; I’m a beginner in network configuration.


Here is the config of the CCR without VLANs on the LAN port, just what is needed for the internet setup
(here is the link for the internet config https://lafibre.info/remplacer-livebox/guide-de-connexion-fibre-directement-sur-un-routeur-voire-meme-en-2gbps/)
I have modified this config a bit: I have installed the ONU on the CRS309 and use it to set CoS on VLAN 832, and I use port isolation for protection.

[admin@MikroTik] > export
# 2023-11-13 17:44:27 by RouterOS 7.12
# software id = RRWR-IYNF
#
# model = CCR2004-1G-12S+2XS

# CCR2004 side. br-wan wraps the ISP-facing VLAN (see /interface bridge port further down) so that
# the DHCP client and NAT can be bound to a single interface.
/interface bridge
add admin-mac=8C:C5:B4:11:22:CC auto-mac=no name=br-wan
/interface ethernet
# Four SFP+ ports are in use; their roles are encoded in the interface names the rules below refer to.
set [ find default-name=sfp-sfpplus7 ] comment="Routeur TV local" name=ether7-TV
set [ find default-name=sfp-sfpplus8 ] comment=Livebox name=ether8-LB
set [ find default-name=sfp-sfpplus10 ] auto-negotiation=no comment=WAN-ONU-2500GBaseX name=ether10-WAN speed=\
    2.5G-baseT
set [ find default-name=sfp-sfpplus12 ] comment=LAN name=ether12-LAN
# Every unused port is administratively disabled -- good hygiene against stray cabling.
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
set [ find default-name=sfp28-1 ] disabled=yes
set [ find default-name=sfp28-2 ] disabled=yes
/interface wireguard
# WireGuard listens on UDP 13231; the matching input accept lives in /ip firewall filter.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# vlan10 rides on the LAN port but has no entry under /ip address in this export, so the CCR cannot
# act as the gateway for VLAN 10 as configured here.
add interface=ether12-LAN name=vlan10 vlan-id=10
add disabled=yes interface=ether12-LAN name=vlan300 vlan-id=300
# ISP-facing VLANs on the ONU port: 832 carries internet, 840 carries the TV multicast stream.
add comment="Internet ONT" interface=ether10-WAN loop-protect-disable-time=0s loop-protect-send-interval=1s \
    name=vlan832-internet vlan-id=832
add comment=Tv-Stream interface=ether10-WAN loop-protect-disable-time=0s loop-protect-send-interval=1s name=\
    vlan840-TV-Stream vlan-id=840
/interface list
# Lists are declared, but no /interface list member section appears in this export; the firewall
# rules below match explicit interface names instead of these lists.
add name=WAN
add name=LAN
add name=orange_tv
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
# DHCP options sent to the ISP (vendor class, user class, option 90 auth). The authsend value
# "toto" looks like a placeholder for the real credential -- keep the real value out of shared exports.
add code=60 name=vendor-class-identifier value=0x736167656d
add code=77 name=userclass value=\
    0x2b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e4c697665626f7833
add code=90 name=authsend value="toto"
/ip dhcp-server option
# Options intended for the TV decoder / phone option sets below.
add code=120 name=SIP value=\
    0x00067362637433670350555406616363657373116f72616e67652d6d756c74696d65646961036e657400
add code=119 name="domain search" value="'CLE.access.orange-multimedia.net'"
add code=15 name="domain name" value="'orange.fr'"
add code=125 name="vendor specific" value=\
    0x00000de9280412365363356234050f444D32303135363239323931353231012345677665626f78204669627265
add code=6 name=dns value="'80.10.246.134''81.253.149.5'"
add code=90 name="option 90" value=0x0000000000000000000000
/ip dhcp-server option sets
# Neither DHCP server below references these sets (no dhcp-option-set on them) in this export.
add name=TV options="vendor specific,dns,SIP,option 90"
add name=TEL options="SIP,domain search,domain name,vendor specific,option 90"
/ip pool
add name=pool_lan ranges=10.28.201.10-10.28.201.90
add name=pool-TV ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
# Leases are served on the untagged LAN port and on the TV port only; nothing serves vlan10.
add address-pool=pool_lan interface=ether12-LAN lease-time=1w name=LAN
add address-pool=pool-TV interface=ether7-TV name=LAN-TV
/ipv6 dhcp-client option
# IPv6 counterparts of the ISP DHCP options above; authsend is again the "toto" placeholder.
add code=16 name=class-identifier value=0x0000040e0005736167656d
add code=11 name=authsend value="toto"
add code=15 name=userclass value=\
    0x002b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e6c697665626f78340a

/queue interface
set ether7-TV queue=ethernet-default
set ether8-LB queue=ethernet-default
set ether10-WAN queue=ethernet-default
set ether12-LAN queue=ethernet-default
/interface bridge filter
# Tags DHCPv4/DHCPv6 requests leaving toward the ISP with CoS 6 (presumably required upstream).
# Both rules have log=yes, so every DHCP exchange is logged -- noisy once the link is stable.
add action=set-priority chain=output comment="cos 6 vlan832 dhcpv4" dst-port=67 ip-protocol=udp log=yes \
    log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 out-interface=vlan832-internet \
    passthrough=yes
add action=set-priority chain=output comment="cos 6 vlan832 dhcpv6" log=yes mac-protocol=ipv6 new-priority=6 \
    out-interface=vlan832-internet passthrough=yes
/interface bridge port
# br-wan has exactly one member, the internet VLAN; br-wan is what dhcp-client and NAT bind to.
add bridge=br-wan interface=vlan832-internet

/ip address
# defconf address on ether1 is kept but disabled.
add address=10.28.201.244/24 comment=defconf disabled=yes interface=ether1 network=10.28.201.0
# The router's LAN address. NOTE(review): there is no address on vlan10 anywhere in this section.
add address=10.28.201.243/24 interface=ether12-LAN network=10.28.201.0
add address=192.168.1.15/24 disabled=yes interface=ether10-WAN network=192.168.1.0
add address=192.168.2.1/24 interface=ether7-TV network=192.168.2.0
# Host address (network equals the address) on the TV-stream VLAN.
add address=192.168.255.254 interface=vlan840-TV-Stream network=192.168.255.254
add address=10.13.13.1/24 interface=wireguard1 network=10.13.13.0
/ip dhcp-client
# WAN address comes from the ISP via br-wan, with the ISP-specific options declared above.
add dhcp-options=hostname,clientid,authsend,userclass,vendor-class-identifier interface=br-wan
/ip dhcp-server lease

/ip dhcp-server network
# NOTE(review): LAN clients are handed gateway 10.28.201.240, not this router's 10.28.201.243.
# The same .240 is the next hop of the static route under /ip route -- confirm this is intended.
add address=10.28.201.0/24 dns-server=10.28.201.155 gateway=10.28.201.240 netmask=24
add address=192.168.2.0/24 dns-server=80.10.246.134,81.253.149.5,80.10.246.130,81.253.149.1 gateway=192.168.2.1 \
    netmask=24
/ip dns
# Upstream resolver. allow-remote-requests is not set in this export (left at its default), which
# matters because the input chain accepts port 53 without an interface restriction.
set servers=8.8.8.8
/ip firewall address-list
# "support" = management sources the firewall fully trusts (see the input accept further down).
add address=10.28.201.0/24 list=support
# Bogon list used by the forward-chain drop. The RFC 1918 entries are disabled because the LAN
# (10.28.201.0/24) and the TV segment (192.168.2.0/24) live inside those ranges.
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" disabled=yes list=bogons
add address=10.28.209.0/24 list=support
/ip firewall filter
# Rule order is significant: the flood/scan detectors run before the established/related accepts,
# so every packet addressed to the router is evaluated by them first.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment=\
    "Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
# Winbox (8291) only from the support list; the final input drop below would catch it anyway.
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THI\
    S RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=\
    !support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
# Forward chain. NOTE(review): there is no established/related accept, no invalid drop and no final
# drop of new connections arriving on br-wan in this chain, so anything routable that is not hit by
# the explicit drops is forwarded. The usual "drop all from WAN not DSTNATed" rule is absent.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet log=yes \
    protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 log=yes protocol=tcp \
    src-address-list=spammers
# NOTE(review): these two DNS accepts have no in-interface match, so the firewall admits port 53
# from br-wan as well; whether the router answers then depends on /ip dns allow-remote-requests.
# Restricting them to the LAN-side interfaces closes that path regardless of the DNS setting.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
# Together with the final input drop, this is what limits management (ssh, www, winbox, ...) to
# the two support subnets.
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
# IPTV: multicast and IGMP from the ISP TV VLAN and from the local decoder port.
add action=accept chain=forward comment="Allow Forward Multicast Orange" dst-address=224.0.0.0/4 dst-port=\
    8200,8202 in-interface=vlan840-TV-Stream protocol=udp
add action=accept chain=input comment="Allow Input Multicast Orange" dst-port=8200,8202 in-interface=\
    vlan840-TV-Stream protocol=udp
add action=accept chain=input comment="Allow Input IGMP Protocol" in-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=forward comment="Allow Forward IGMP Protocol from vlan840" dst-address=224.0.0.0/4 \
    in-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=forward comment="Allow Forward IGMP Protocol from decodeur" dst-address=224.0.0.0/4 \
    in-interface=ether7-TV log=yes protocol=igmp
# Staged SSH brute-force throttle: repeated new connections within 1m walk a source from stage1 to
# stage3 and then into ssh_blacklist for 1w3d; blacklisted sources are dropped on input and forward.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=\
    ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input \
    connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=\
    ssh_blacklist
add action=accept chain=input comment="allow wireguard" dst-port=13231 protocol=udp
# NOTE(review): matches on source address only; adding in-interface=wireguard1 would keep a spoofed
# 10.13.13.0/24 source arriving on another interface from reaching the router.
add action=accept chain=input comment="Allow wireguard traffic" src-address=10.13.13.0/24
# Default deny for input (comment in French: "block all incoming connections (exceptions above)").
add action=drop chain=input comment="BLOQUE TOUTES LES CONNEXIONS ENTRANTES (exception avant)"
# ICMP sub-chain: rate-limited echo request, echo reply, TTL exceeded, unreachable/PMTUD; the rest dropped.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet \
    protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
/ip firewall mangle
# IGMP sent by the router toward the TV VLAN is tagged CoS 5 (comment in French: IGMP frames must be
# emitted upstream with CoS 5 to be taken into account); log=yes logs each one.
add action=set-priority chain=output comment=\
    "Les trames des messages IGMP doivent etre emises vers l'upstream avec CoS 5 pour etre prises en compte." \
    log=yes new-priority=5 out-interface=vlan840-TV-Stream passthrough=yes src-address-type=local
# Those priority-5 packets also get DSCP 40 before leaving on the TV VLAN.
add action=change-dscp chain=output comment="Set dscp to 40 for packets with priority 5sent to Orange" \
    new-dscp=40 out-interface=vlan840-TV-Stream passthrough=no priority=5
/ip firewall nat
# Source NAT for everything leaving through br-wan (to-addresses=0.0.0.0 is presumably ignored by
# masquerade, which uses the outgoing interface address).
add action=masquerade chain=srcnat out-interface=br-wan to-addresses=0.0.0.0
# Published services: web, IMAPS and mail submission/SMTP to 10.28.201.155, Plex (32400) to
# 10.28.201.108. NOTE(review): these rules are what exposes the internal hosts; the forward chain
# (see /ip firewall filter) does not otherwise restrict traffic entering from br-wan.
add action=dst-nat chain=dstnat dst-port=80 in-interface=br-wan protocol=tcp to-addresses=10.28.201.155 \
    to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=br-wan protocol=tcp to-addresses=10.28.201.155 \
    to-ports=443
add action=dst-nat chain=dstnat dst-port=993 in-interface=br-wan protocol=tcp to-addresses=10.28.201.155 \
    to-ports=993
add action=dst-nat chain=dstnat dst-port=587 in-interface=br-wan protocol=tcp to-addresses=10.28.201.155 \
    to-ports=587
add action=dst-nat chain=dstnat dst-port=25 in-interface=br-wan protocol=tcp to-addresses=10.28.201.155 \
    to-ports=25
add action=dst-nat chain=dstnat dst-port=32400 in-interface=br-wan protocol=tcp to-addresses=10.28.201.108 \
    to-ports=32400
/ip firewall raw
# NOTE(review): the "blacklist" address list has no static entries under /ip firewall address-list
# in this export, so this drop only matches if the list is populated elsewhere (e.g. dynamically).
add action=drop chain=prerouting in-interface=br-wan src-address-list=blacklist
# Multicast/IGMP from the ISP TV VLAN and IGMP from the decoder port are explicitly accepted in raw.
add action=accept chain=prerouting dst-address=224.0.0.0/4 dst-port=8200,8202 in-interface=vlan840-TV-Stream \
    protocol=udp
add action=accept chain=prerouting dst-address=224.0.0.0/4 in-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=prerouting in-interface=vlan840-TV-Stream protocol=igmp
add action=accept chain=prerouting in-interface=ether7-TV protocol=igmp
/ip route
# Static route to the second "support" subnet via 10.28.201.240 (the same host the LAN DHCP
# network advertises as gateway).
add disabled=no distance=1 dst-address=10.28.209.0/24 gateway=10.28.201.240 pref-src="" routing-table=main \
    scope=10 suppress-hw-offload=no target-scope=10
/ip service
# Only telnet and ftp are disabled here; the other services are at their defaults (not shown by
# export) and are reachable only from the support list because of the input chain.
set telnet disabled=yes
set ftp disabled=yes

/routing igmp-proxy
set query-interval=1m quick-leave=yes
/routing igmp-proxy interface
# Downstream is the decoder port; upstream is the ISP TV VLAN, with alternative-subnets listing the
# source ranges accepted for multicast.
add interface=ether7-TV
add alternative-subnets=193.0.0.0/8,81.0.0.0/8,172.0.0.0/8,80.0.0.0/8 interface=vlan840-TV-Stream upstream=yes
/system clock
set time-zone-name=Europe/Paris
/system logging
# The debug topic is logged -- useful while troubleshooting, verbose in steady state.
add topics=e-mail
add topics=debug
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool sniffer
# filter-interface lists vlan840-TV-Stream twice; harmless, but probably a slip.
set filter-interface=vlan840-TV-Stream,vlan840-TV-Stream filter-ip-protocol=igmp
[admin@MikroTik] >

I don’t see any IP setup on vlan10 interface on CCR … you’ll definitely need some if you want CCR to communicate with devices in that subnet (and you want if it’s supposed to be gateway for that subnet).

I’m dumb…, thanks, it works.
I will make the change to use another VLAN than the default VLAN ID 1.

Other dumb question: on the CRS309, is it better to set the IP for the LAN on the bridge or on an interface?

There are interfaces (L3 entities, essentially anything carrying IP address) and there are ports (L2 entities). When something is set as member of bridge, it becomes a port. And it should not be used as interface. Ever. Bridge has a few personalities, one of them being an interface which allows communication between router’s CPU (software stack) and bridged network.

In short: whenever bridge is used and device needs to communicate with (any of) bridged network, it’s bridge interface which has to be used to setup such connectivity.

In your particular case: if you want switch IP to belong to some VLAN, then create vlan interface, anchored to bridge (not to some of member ports), and then use that vlan interface to set IP address. If VLANs are not in the mix, then set IP address directly on bridge interface.

Thank you for your reply.
So if I create a VLAN interface anchored to the bridge, I use L3, so the CPU? No?

Yes, in most setups involving VLAN interfaces (created under /interface/vlan), vlan interfaces should be used exclusively to support L3 operations (routing, providing services such as DNS). Using vlan interfaces in L2 operations (such as tagging/untagging frames) is highly likely an abuse (and should be reported to the nearest capable MTCNA) exactly for this reason - it’s relying on the CPU to do the task.

If a device doesn’t perform L3 operations in a certain VLAN (e.g. it’s used as a VLAN-enabled switch), then the corresponding vlan interface is not needed (and for security reasons it should not be present; the bridge (CPU-facing) port should not be a member of that VLAN either).

I’m a bit lost.
In my case I use the CRS309 as a VLAN-enabled switch; the general routing is done by the CCR2004, and the inter-VLAN routing too.
Is that the right way?

I use 2 VLANs: the default ID 1 (I will change this), untagged on all ports, and ID 10, tagged on the ports for the VMware server and on the trunk port to the CCR2004.

So the management ip will be at least in the default vlan (not vlan id 1).

If I have followed your explanation, in my case (using VLANs) I need to create a VLAN interface anchored on the bridge and set an IP on it for management.

But the switch doesn’t perform L3 operations, so, according to your last post, the VLAN interface is not needed and the bridge (CPU-facing) port should not be a member of that VLAN either.

Before the CRS309, I used an L2 switch, an Aruba 1930 Instant On. The management IP was reachable on one particular VLAN.

So, from what I have understood, that functioning will be the same with the CRS309 in the case of a VLAN interface anchored on the bridge with an IP set on it for management.


I have in mind that using L3 on the CRS309 will give bad performance because it uses the CPU.

Sorry, but I’m not really sure I understand what the best practice is for configuring the management IP.

Maybe i just over thinking for nothing.

I will sleep on it tonight , maybe my ideas will be clearer tomorrow.

High-level view on CRS will show:

  1. single vlan-enabled bridge
  2. all SFP+ ports (and the ether1 port) will be members of the bridge, with per-port VLAN settings as needed (the port connecting to the CCR will be tagged-only; other ports might be untagged access ports for a particular VLAN with pvid set appropriately)
  3. the bridge port will be set as a tagged member of the mgmt VLAN (and will not be a member of other VLANs)
  4. there will be single vlan interface anchored to bridge interface with vlan-id set to mgmt VLAN ID
  5. vlan interface will have IP address set

Bullet #2 makes sure that management access (even non-IP using winbox) is possible only through mgmt VLAN. Bullet #3 makes sure that switch won’t route anything as it will only be able to “talk to” management VLAN. Bullet #1 will make L2 HW offload possible (multiple bridges can’t be offloaded).

I suggest you leave ether1 out of the bridge while configuring the switch; it’s only too easy to mess up the L2 config and lose management access, in which case the device has to be reset and configuration restarted from scratch. If you leave ether1 aside, you can use it to connect using winbox and fix the config.

Hello,
I have not yet managed to make the change, not enough time.
Thank you for your help and your tips.