Vlan on crs125-24g-1s-2hnd-in

Hello,

I would like to set up a VLAN on my crs125-24g-1s-2hnd-in. I read the docs, which give an example of how to do it with the switch settings.

My goal: two vlans
199 management
200 iot

Ether 1 = wan
Ether 2 = management
Ether 3 = trunk to other crs125 (optional)
Ether 7 = vlan 200 (port based vlan)
Mac C4:AD:34:D1:49:A2 = vlan 200 (mac based vlan)
All other ports: internet only, no LAN

But my configuration doesn't work: a device on port 7, or the one with MAC address C4:AD:34:D1:49:A2, never receives an IP address from the IoT VLAN 200 range. Does anyone have an idea what's wrong?


# 2024-09-11 09:16:23 by RouterOS 7.15.3
# software id = GJYA-HA07
#
# model = CRS125-24G-1S-2HnD
#
# Review notes (comments only, configuration lines untouched):
# - Every ether2..ether24, sfp1 and wlan1 port is a plain member of one bridge
#   (/interface bridge port); VLAN handling is done in the switch-chip menus
#   (/interface ethernet switch ...). No bridge VLAN filtering is configured.
# - The VLAN 200 problem discussed in the thread is the egress-vlan-tag /
#   ingress-vlan-translation mismatch on ether7 (see notes at those sections).
# - Several defconf firewall drop rules are disabled=yes (see /ip firewall
#   filter); the router's own services are therefore reachable from WAN.

/interface bridge
add admin-mac=D4:CA:6D:F9:FF:D0 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=netherlands disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-F9FFE8 \
    wireless-protocol=802.11
# L3 VLAN interfaces on top of the bridge; the per-VLAN addresses and DHCP
# servers (see /ip address and /ip dhcp-server) are bound to these.
/interface vlan
add interface=bridge name="vlan199 mgmt" vlan-id=199
add interface=bridge name="vlan200 iot" vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): a plain export hides sensitive values, so no WPA2 pre-shared
# key is visible here; confirm the default profile actually has one set.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-vlan200 ranges=192.168.200.10-192.168.200.254
add name=pool-vlan199 ranges=192.168.199.10-192.168.199.254
# Three DHCP servers: defconf listens on the untagged bridge, the other two on
# the VLAN interfaces. A client whose frames reach the bridge untagged is
# answered by defconf (192.168.88.x), not by dhcp-vlan200 - which is what the
# thread reports once the ingress translation below is disabled.
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool-vlan200 interface="vlan200 iot" name=dhcp-vlan200
add address-pool=pool-vlan199 interface="vlan199 mgmt" name=dhcp-vlan199
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
# NOTE(review): the two VLAN interfaces are also listed as bridge ports here,
# although they are created on top of this same bridge in /interface vlan.
# Both entries are disabled, so they have no effect; they look like leftovers
# and can be removed.
add bridge=bridge disabled=yes interface="vlan200 iot"
add bridge=bridge disabled=yes interface="vlan199 mgmt"
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Egress: VLAN 200 leaves ether7 TAGGED. Ingress (next section): untagged
# frames arriving on ether7 are assigned VID 200. Together this means replies
# to an untagged client on ether7 (e.g. DHCP offers) go back tagged, which such
# a client will not accept. If the device on ether7 is untagged, take ether7
# out of tagged-ports for VLAN 200 and keep the ingress translation.
# Also: ether3 (intended trunk) is a member of VLAN 199 below but is not in its
# tagged-ports here, so 199 would leave ether3 untagged.
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2,ether7 vlan-id=200
add tagged-ports=ether2 vlan-id=199
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=200 new-service-vid=0 ports=ether7
# Assigns VID 200 to frames from this source MAC. Treat MAC-based assignment
# as a convenience, not a security boundary: a source MAC is set by the sending
# host, so it cannot be relied on to keep a device inside the IoT VLAN.
/interface ethernet switch mac-based-vlan
add new-customer-vid=200 src-mac-address=C4:AD:34:D1:49:A2
# VLAN membership table. ether3 (intended trunk) is a member of 199 only; add
# it to the 200 entry if the second CRS125 should carry the IoT VLAN as well.
/interface ethernet switch vlan
add disabled=yes ports=ether2,switch1-cpu vlan-id=0
add ports=ether2,ether7,switch1-cpu vlan-id=200
add ports=ether2,ether3,switch1-cpu vlan-id=199
# The LAN list contains only the bridge, so the two VLAN interfaces are NOT in
# LAN. This matters for every rule below that matches in-interface-list=LAN or
# allowed-interface-list=LAN (firewall, mac-server, neighbor discovery).
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE: the comment fields on the 192.168.199.1 address and on its DHCP network
# below read "vlan200 mgmt" while the interface is vlan199 mgmt - copy/paste
# slip in the comment text only, no functional effect.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.200.1/24 comment="vlan200 iot" interface="vlan200 iot" \
    network=192.168.200.0
add address=192.168.199.1/24 comment="vlan200 mgmt" interface="vlan199 mgmt" \
    network=192.168.199.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.199.0/24 comment="vlan200 mgmt" dns-server=192.168.199.1 \
    gateway=192.168.199.1
add address=192.168.200.0/24 comment="vlan200 iot" dns-server=192.168.200.1 \
    gateway=192.168.200.1
# allow-remote-requests=yes makes the router answer DNS queries arriving on any
# interface. With the input-chain "drop all not coming from LAN" rule disabled
# (see /ip firewall filter), that includes queries from ether1 (WAN), i.e. an
# open resolver. Re-enable that drop rule, or accept DNS only with
# in-interface-list=LAN and drop the rest.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# SECURITY: compared with the default configuration these rules are disabled=yes:
#   input   - "defconf: drop invalid"
#   input   - "defconf: drop all not coming from LAN"
#   forward - "defconf: drop invalid"
#   forward - "defconf: drop all from WAN not DSTNATed"
# RouterOS has no implicit final drop, so with the input-chain LAN rule off
# every service the router listens on (DNS above, Winbox below, ...) is
# reachable from the WAN side. Re-enable these unless the exposure is intended.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
# Accepts Winbox (tcp/8291) from any source on any interface, ether1 (WAN)
# included. If remote Winbox is needed, limit it with in-interface-list=LAN or
# a src-address-list of trusted management hosts.
add action=accept chain=input comment="accept Remote winbox" dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# The IPv6 section below is the unmodified default; unlike the IPv4 chains
# above, its drop rules are still enabled.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/lcd interface pages
set 1 interfaces=ether13,ether14,ether15,ether16,ether17,ether18,ether19
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name="Test 01"
/system note
set show-at-login=no
# RouterBOARD firmware follows RouterOS upgrades automatically.
/system routerboard settings
set auto-upgrade=yes
# MAC-telnet and MAC-Winbox are limited to the LAN list (bridge only, see
# /interface list member); the VLAN interfaces are not covered by that list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

These two settings contradict each other:


/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2,ether7 vlan-id=200
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=200 new-service-vid=0 ports=ether7

The first one says that VLAN 200 has to remain tagged on egress via ether7 (leaving the switch towards the connected device), while the second one tells the switch to tag untagged frames with VLAN 200 on ingress (entering the switch from the connected device).

This doesn't break communication if the device connected to ether7 is configured to work with tagged frames. However, the second setting indicates that the connected device doesn't work with tagged frames … and in that case ether7 should be declared as untagged on egress.

Note that some (if not most) Windows drivers ignore VLAN tags by default, so the setup above might just work. However, this kind of operation is simply wrong, and if the NIC driver used on your device works correctly, it will ignore the frames received from the switch.

I disabled the ingress VLAN translation rules:
Schermafbeelding 2024-09-11 110552.png
But the device receives an IP address from the default DHCP server, not from VLAN 200.

As I already hinted: does the device connected to ether7 expect tagged VLAN 200 frames or not? The required switch configuration depends entirely on this "design decision". From your observation in the last line of your previous post, it seems that the device doesn't talk VLANs … in which case you do need the ingress translation, but you have to declare ether7 as an untagged port member of VLAN 200 in the egress VLAN tag section.

The device on ether7 doesn't have a VLAN, so I would like to force it onto VLAN 200.

Another option is to use MAC-based VLAN on ports 10–12 and then force that specific MAC address onto VLAN 200.