vlan on wan - simple routing question

I’m trying to work out how to configure my RB450G and going piece by piece… Finally I need to have two wan addresses, one should go through a vlan and the other untagged. For now I’m just trying to get the vlan one to work…

I’m resetting to factory settings adding the vlan, configuring dhcp-client to the vlan, disabling the one connected to eth1 and verifying it’s working over the switch it’s connected to:

interface vlan add name=iptv vlan-id=252 interface=ether1-gateway disabled=no
ip dhcp-client add interface=iptv disabled=no
ip dhcp-client disable 0

It’s getting an IP just fine:

ip dhcp-client print detail
Flags: X - disabled, I - invalid
 0 X ;;; default configuration
     interface=ether1-gateway add-default-route=yes default-route-distance=1 use-peer-dns=yes use-peer-ntp=yes

 1   interface=iptv add-default-route=yes default-route-distance=1 use-peer-dns=yes use-peer-ntp=yes status=bound
     address=193.94.xxx.213/24 gateway=193.94.xxx.1 dhcp-server=193.64.xxx.208 primary-dns=193.64.xxx.215
     secondary-dns=193.64.xxx.204 expires-after=11h59m43s

But that’s where it ends, I can’t get any traffic through. I guess it’s since the iptv interface is not connected to the bridge / interface my client is on?

ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 ADS  dst-address=0.0.0.0/0 gateway=193.94.xxx.1 gateway-status=193.94.xxx.1 reachable iptv distance=1 scope=30
        target-scope=10

 1 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge gateway-status=bridge reachable distance=0 scope=10

 2 ADC  dst-address=193.94.xxx.0/24 pref-src=193.94.xxx.213 gateway=iptv gateway-status=iptv reachable distance=0 scope=10

interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
 0  R  name="ether1-gateway" type="ether" mtu=1500 l2mtu=1524

 1  R  name="ether2-local" type="ether" mtu=1500 l2mtu=1524

 2     name="ether3-local" type="ether" mtu=1500 l2mtu=1524

 3     name="ether4-local" type="ether" mtu=1500 l2mtu=1524

 4     name="ether5-local" type="ether" mtu=1500 l2mtu=1524

 5  R  name="bridge" type="bridge" mtu=1500 l2mtu=1524

 6  R  name="iptv" type="vlan" mtu=1500 l2mtu=1520

interface bridge print detail
Flags: X - disabled, R - running
 0  R name="bridge" mtu=1500 l2mtu=1524 arp=enabled mac-address=00:0C:42:A0:61:10 protocol-mode=none priority=0x8000
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

I hope you don’t laugh me out of here… :blush:

I’m not 100% sure of your configuration here. But you do not want to ever bridge a VLAN with the physical interface that the VLAN is a part of. It messes things up and will probably not work. When you add a VLAN to a MikroTik, as far as the MikroTik is concerned it is just another separate routed interface that it can use, think of it as such.

So if the IPTV VLAN needs to pick up a DHCP lease, then the appropriate traffic going into that interface needs to be tagged for that VLAN. Depending on the switch you have connected to the router, you can have tagged and untagged VLANs on a port if it is set to hybrid mode.

So I should map the same vlan to a physical port and set it to untagged (for now as I’m testing without a switch)? Should that port be removed from the bridge then?

I’m testing this at the office and it should give me a “fully blown” connection. When I take it home my idea has been to put an IGMP proxy and attach it to the vlan. However at home I’m not sure if that vlan will actually give anything other than dhcp and multicast.

Anyway, for now my priority is just to get this to work so I can debug at home and see what I get through that vlan, and make further configurations based on that.

I’m not exactly sure on your setup here or what you are looking for, but based off of the first post, this should be how it goes.

1.) Make the VLAN interface and name it whatever you want. Define the VLAN tag in the interface, do not enable “Use Service Tag”. The VLAN interface will automatically tag everything leaving that “interface” with the VLAN tag. The Service tag is for 802.1ad, probably something you don’t want.
2.) Assign your DHCP client to the VLAN interface. You can also assign another DHCP client to the physical interface.
3.) You will need a device, probably a managed switch, that will read VLAN tags. Put your WAN interface into one of the ports on the switch, and set the switch in hybrid mode where it will tag your VLAN, and have an untagged VLAN for something else. The PVID of the port should be the same as the untagged VLAN. So traffic leaving the port for one VLAN will retain its VLAN tag, and the other traffic will have its VLAN tag stripped on its way out of the port. Any untagged traffic going into the port will automatically get the PVID VLAN, and tagged traffic will stay the same.
4.) Connect your two different ISP devices to separate ports on the switch with the appropriate VLANs.
5.) Set up your LAN interfaces however you want.

This will get you two WAN interfaces on the MikroTik both running a DHCP client and getting different address space. Just treat the VLAN as a different physical interface like you would another Ethernet interface. The router will route between the subnets on those interfaces automatically. And like I said, do not Bridge the physical interface and its sub VLAN interface together.

The same basic thing could be done with two VLAN interfaces instead of one VLAN and one physical port, and might be a bit cleaner for you.
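The router side of steps 1, 2 and 5 above, written out as one complete configuration. This is an added example, not the poster's configuration and not MikroTik's default script: it assumes RouterOS v6 syntax on a freshly reset router, uses the interface names from the first post (ether1-gateway, a VLAN named iptv with id 252, ether5-local, bridge), and the 192.168.89.0/24 range for the second LAN plus the default-route distances are assumptions of this example. The VLAN is treated purely as a routed interface and is never made a bridge port.

```routeros
# Added example (not from the thread): one tagged WAN and one untagged WAN
# on the same physical port, RouterOS v6 syntax, freshly reset router.

# Step 1: the VLAN interface. Plain 802.1Q tagging, no service tag (802.1ad).
/interface vlan
add name=iptv vlan-id=252 interface=ether1-gateway use-service-tag=no disabled=no

# Step 2: one DHCP client per WAN. Both install a default route in the main
# table; the lower distance wins and the other only takes over if the first
# route disappears (assumed distances: untagged WAN preferred).
/ip dhcp-client
add interface=ether1-gateway add-default-route=yes default-route-distance=1 disabled=no
add interface=iptv add-default-route=yes default-route-distance=2 disabled=no

# Step 5: a second LAN on ether5-local, which is taken out of the bridge
# first so it becomes its own routed segment (assumed range 192.168.89.0/24).
/interface bridge port
remove [find interface=ether5-local]
/ip address
add address=192.168.89.1/24 interface=ether5-local
/ip pool
add name=lan2-pool ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add name=lan2 interface=ether5-local address-pool=lan2-pool disabled=no
/ip dhcp-server network
add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=192.168.89.1

# Source NAT keyed on the outgoing interface, so whichever WAN the route
# lookup picks, the packet leaves with that WAN's address.
/ip firewall nat
add chain=srcnat out-interface=ether1-gateway action=masquerade
add chain=srcnat out-interface=iptv action=masquerade

# The VLAN is a WAN like any other: accept replies, drop everything else
# that arrives unsolicited from either WAN, toward the router or through it.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1-gateway action=drop
add chain=input in-interface=iptv action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1-gateway action=drop
add chain=forward in-interface=iptv action=drop
```

After applying it, `/ip dhcp-client print detail` should show both clients bound and `/ip route print` one active default route plus one inactive one with the higher distance; that is the failover-only state the thread goes on to discuss.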

Thanks for your help, I think I got this to work.

By default the configuration is that there is a dhcp-client on the wan port, a bridge on ports 2-5, an ip-range on port 2 (which I assume is inherited by the bridge).

I removed port 5 from the bridge, put a vlan on the wan port, added a new ip-range on port 5, created a new dhcp pool with that ip-range and made dhcp server distribute it on port 5. Then I copied the existing firewall rules for the vlan (accept established and related connections, then drop) and added a NAT masquerade on the vlan. Then I added DNS to the new network and it seems to work.

I still need to test with two machines at the same time, but with a Mikrotik 250GS switch I can access the network attached to the vlan, and from ports 2-4 on the router I can access the old network. I have the device at work currently as testing is easier here. It’s attached to an HP switch which is sending one workstation network with a vlan tag and another untagged.

edit:

Actually it’s not working as intended. Both subnets come out from the same IP (from dhcp-client 1):

ip dhcp-client print detail 
Flags: X - disabled, I - invalid 
 0   ;;; default configuration
     interface=ether1-gateway add-default-route=yes default-route-distance=1 use-peer-dns=yes use-peer-ntp=yes status=bound 
     address=10.168.0.178/24 gateway=10.168.0.1 dhcp-server=193.64.xxx.208 primary-dns=193.64.xxx.215 
     secondary-dns=193.64.xxx.204 expires-after=22h23m48s 

 1   interface=vlan3 add-default-route=yes default-route-distance=0 use-peer-dns=yes use-peer-ntp=yes status=bound 
     address=193.94.xxx.213/24 gateway=193.94.xxx.1 dhcp-server=193.64.xxx.208 primary-dns=193.64.xxx.215 
     secondary-dns=193.64.xxx.204 expires-after=9h1m5s

I’m guessing it’s because the default-route-distance is lower?

ip route print detail 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=193.94.xxx.1 gateway-status=193.94.xxx.1 reachable vlan3 distance=0 scope=30 
        target-scope=10 

 1  DS  dst-address=0.0.0.0/0 gateway=10.168.0.1 gateway-status=10.168.0.1 reachable ether1-gateway distance=1 scope=30 
        target-scope=10 

 2 ADC  dst-address=10.168.0.0/24 pref-src=10.168.0.178 gateway=ether1-gateway gateway-status=ether1-gateway reachable 
        distance=0 scope=10 

 3 ADC  dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge gateway-status=bridge reachable distance=0 scope=10 

 4 ADC  dst-address=192.168.89.0/24 pref-src=192.168.89.1 gateway=ether5-local gateway-status=ether5-local reachable 
        distance=0 scope=10 

 5 ADC  dst-address=193.94.xxx.0/24 pref-src=193.94.xxx.213 gateway=vlan3 gateway-status=vlan3 reachable distance=0 scope=10

Or because route 1 here is not active?

edit2:

Or from reading the documents - because I can’t have two routes with the same destination of 0.0.0.0? Any way around this?

You are actually very close. What is going on in that case is the default routes added by the DHCP clients are being put into the main routing table. With that current setup a simple failover would be working, just not any load balancing.

The last step is to read up and look at doing load balancing. PCC or Policy Based Routing would be the best place to start. Basically what you do with those setups is in the firewall mangle is mark connections, and then mark those connections for routing. By marking for routing, you are then telling the router to use a specific routing table, so you then copy the default routes and specify a routing mark in them. This puts those static routes in that specific routing table.
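The policy-based routing described above, carried through for this thread's two LANs as an added example (not a reply from the thread and not MikroTik's documentation). It assumes RouterOS v6 syntax, the interface names and addresses from the print output earlier in the thread (bridge with 192.168.88.0/24, ether5-local with 192.168.89.0/24, vlan3 with gateway 193.94.xxx.1, ether1-gateway with gateway 10.168.0.1, the ISP's redacted "xxx" octet left exactly as redacted), masquerade rules already keyed on each WAN's out-interface, and the routing-mark names via-vlan3, via-ether1, from-vlan3 and from-ether1, which are this example's own.

```routeros
# Added example: send the bridged LAN out the untagged WAN and the
# ether5-local LAN out vlan3, regardless of which default route is active
# in the main table. RouterOS v6 syntax; names as in the thread's output.

/ip firewall mangle
# 1. Connections that come in from a WAN are tagged with that WAN, so that
#    replies (from the router itself or from a LAN host behind it) leave
#    through the same interface instead of following the main default route.
add chain=prerouting in-interface=vlan3 connection-state=new action=mark-connection new-connection-mark=from-vlan3 passthrough=yes
add chain=prerouting in-interface=ether1-gateway connection-state=new action=mark-connection new-connection-mark=from-ether1 passthrough=yes
add chain=prerouting in-interface=!vlan3 connection-mark=from-vlan3 action=mark-routing new-routing-mark=via-vlan3 passthrough=no
add chain=prerouting in-interface=!ether1-gateway connection-mark=from-ether1 action=mark-routing new-routing-mark=via-ether1 passthrough=no
add chain=output connection-mark=from-vlan3 action=mark-routing new-routing-mark=via-vlan3 passthrough=no
add chain=output connection-mark=from-ether1 action=mark-routing new-routing-mark=via-ether1 passthrough=no

# 2. LAN-to-LAN and LAN-to-router traffic must never receive a routing mark:
#    the per-WAN tables below contain only a default route, so a marked
#    packet for 192.168.89.0/24 would otherwise be handed to the ISP.
add chain=prerouting dst-address=192.168.88.0/24 action=accept
add chain=prerouting dst-address=192.168.89.0/24 action=accept

# 3. Everything else from each LAN is steered into that LAN's routing table.
add chain=prerouting in-interface=bridge action=mark-routing new-routing-mark=via-ether1 passthrough=no
add chain=prerouting in-interface=ether5-local action=mark-routing new-routing-mark=via-vlan3 passthrough=no

/ip route
# One default route per routing table. check-gateway=ping withdraws the
# route while the ISP gateway does not answer; a marked packet that finds
# no route in its table is then looked up in the main table (failover).
add dst-address=0.0.0.0/0 gateway=10.168.0.1 routing-mark=via-ether1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=193.94.xxx.1 routing-mark=via-vlan3 check-gateway=ping distance=1
```

To confirm it is doing what the thread asks for, check the public address seen from a host on each LAN and watch `/ip firewall mangle print stats`: the two step-3 rules should count packets for their own LAN only, and the step-2 accept rules should count inter-LAN traffic. One caveat: the gateways in the two static routes are copied from the DHCP leases shown in the thread, so if an ISP ever hands out a different gateway these routes stop matching and that LAN silently falls back to the main table's default route.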

Regarding making these rules - ultimately I want to have an IGMP proxy between the vlan and interface 5. I tested making a route that would direct 224.0.0.0/4 traffic to the vlan interface, but would that actually bypass the proxy (it did not seem to work)? Also, all I did was add the rule, I did not use mangle or anything else…

Unfortunately I’m unfamiliar with Multicasting setups, so someone else may need to chime in on that. But what I would do in that case would be a policy based routing situation.

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=Multicast dst-address=224.0.0.0/4 connection-state=new
add chain=prerouting action=mark-routing new-routing-mark=Multicast connection-mark=Multicast
/ip route
add comment="Multicast" dst-address=0.0.0.0/0 gateway=193.94.xxx.1 routing-mark=Multicast

I have a VLAN (2) assigned to ether1 connected to our ISP. It is working and receives a public IP from the ISP’s DHCP server. We are only getting a portion of the speed that we should. The ISP said that we need to use 802.1p: All upstream traffic must be marked with p-bit 2. This is also known as Class of Service (CoS) marking. I have been searching for hours and have not been able to locate information to set this seemingly simple setting.
How can I set the p-bit to 2 and assign it to the VLAN assigned to the WAN-VLAN2 interface?
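An added example for the 802.1p question, not a reply from the thread: RouterOS v6 carries a per-packet priority that is written into the PCP (p-bit) field of the 802.1Q header when the frame leaves a VLAN interface, and the mangle action set-priority assigns that value. WAN-VLAN2 is the interface name used in the question; the comment text is this example's own.

```routeros
# Added example: mark every frame sent upstream on the tagged WAN with
# 802.1p priority 2 (CoS). RouterOS v6 syntax; WAN-VLAN2 is the VLAN
# interface from the question. postrouting covers both forwarded traffic
# and traffic the router originates itself.
/ip firewall mangle
add chain=postrouting out-interface=WAN-VLAN2 action=set-priority new-priority=2 comment="ISP requires p-bit 2 on all upstream traffic"

# Verify the rule is matching: the packet and byte counters should climb
# while traffic is flowing toward the ISP.
/ip firewall mangle print stats where comment~"p-bit"
```

Because the match is on out-interface, the rule is scoped to the ISP-facing VLAN only; frames leaving untagged interfaces have no 802.1Q header to carry the value and are not affected.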