VLAN passthrough over second router

Hello, for the last few days I have been trying to set up multiple VLANs over a second router.
What I am trying to do: I have two DHCP servers running on my CRS125; both VLANs have to be passed over the RB2011 and therefore be accessible on the RB260GS on port2 and port3.
Also I have another DHCP server on the RB2011, and this DHCP has to be accessible on port4 (RB260GS).
If someone could explain how to set up the VLANs properly.
Thank you


This is my network diagram: vlan_new.png (attached image)
CRS125 config: CRS125.png (attached image)
RB2011 config: Rb2011.png (attached image)

Which VLAN is the management/trusted VLAN, 11 or 22?

@anav: vlan11

Can't help with the CRS, but for the RB2011 please post the config:
/export hide-sensitive file=anynameyouwish

OK, thanks, let's try.

RB2011 config

/interface bridge
add name=dhcp-server
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.4.2-192.168.4.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=dhcp-server name=dhcp1
/interface bridge port
add bridge=dhcp-server interface=ether1
add bridge=dhcp-server interface=ether4
add bridge=dhcp-server interface=ether5
/ip address
add address=172.16.0.2/24 interface=ether2 network=172.16.0.0
add address=192.168.4.1/24 interface=dhcp-server network=192.168.4.0
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=172.16.0.1
add distance=1 dst-address=192.168.2.0/24 gateway=172.16.0.1
/system identity
set name=RB2011
/tool romon
set enabled=yes


Your setup makes no sense to me: you have ether1, 4 and 5 as bridge ports but ether2 and 3 are missing, and you name the bridge DHCP-Server. Why confuse people?

This is what makes sense to me for the 2011 based on your diagram.

/interface bridge
add name=bridge2011 vlan-filtering=yes
/interface vlan
add interface=bridge2011 name=vlan11 vlan-id=11
add interface=bridge2011 name=vlan33  vlan-id=33
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list
add name=management
/interface list members
add interface=vlan11 list=management
/ip neighbor discovery-settings
set discover-interface-list=management
/ip pool
add name=dhcp_pool33 ranges=192.168.4.2-192.168.4.254
/ip dhcp-server
add address-pool=dhcp_pool33 disabled=no interface=vlan33 name=dhcp33
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1
/ip address
# whatever IP you statically set for the 2011 in vlan11 on the CRS device
add address=192.168.1.XX interface=vlan11 network=192.168.1.0
add address=192.168.4.1/24 interface=vlan33 network=192.168.4.0
/interface bridge port
add bridge=bridge2011 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge2011 interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge2011 tagged=bridge2011,ether2,ether3 vlan-ids=11,22
add bridge=bridge2011 tagged=bridge2011,ether3 vlan-ids=33
/ip dns
set allow-remote-requests=yes servers=192.168.1.1 comment="dns through trusted subnet gateway"
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server mac-winbox
set allowed-interface-list=management

Now the problem that could arise, as your requirements are weakly stated, is the traffic flow for vlan33.
Are you thinking that vlan33 traffic goes past the RB2011, i.e. to the CRS and perhaps to the internet etc.?
If so, the CRS will not know where to send the returns of such traffic, so you have two choices:

  1. Create a route on CRS something like
    add dst-address=192.168.4.0/24 gateway=192.168.1.XX ( fixed static IP of RB2011 )
    OR
  2. sourcenat all the vlan33 traffic, so it looks like it's coming from the RB2011 vlan11:
    add chain=srcnat action=masquerade src-address=192.168.4.0/24

What is the best practice between these two solutions? I have more or less the same config with VLANs. Right now I have done it with sourcenat.

VLANs can really only be extended “over a router” when the router in reality is a switch. I.e. you can configure a bridge with VLAN filtering on each router and the interconnecting cable can have the VLANs tagged (or one untagged and the others tagged). That will extend the VLAN to another place.

But it is switching, not routing. When you want routing (i.e. different network ranges on different cables) there is no real way of fitting VLANs into that other than firewall rules, NAT rules, etc.

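A worked configuration of the pattern pe1chl describes (the RB2011 acting as a VLAN-filtering bridge that just trunks vlan11 and vlan22 through), combined with the two return-path choices for vlan33 from anav's post above. This is an added example, not a configuration posted by anyone in the thread. It assumes the CRS125 trunk arrives on ether2 and the RB260GS trunk leaves on ether3, that vlan11 is the management VLAN (as the OP stated) on 192.168.1.0/24 with gateway 192.168.1.1, and that 192.168.4.0/24 is the locally served vlan33 as in the earlier configs; `192.168.1.XX` is a placeholder for the RB2011's static vlan11 address.

```routeros
# RB2011 as a transparent VLAN trunk between the CRS125 (ether2) and the
# RB260GS (ether3). Added example; interface names and addresses are assumptions.
/interface bridge
add name=bridge2011 comment="vlan-filtering is switched on last, see bottom"

/interface bridge port
# Both trunk ports accept tagged frames only; untagged frames and VLANs that are
# not listed under /interface bridge vlan are dropped at ingress.
add bridge=bridge2011 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge2011 interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
# vlan11 (management) is tagged on both trunks and on the bridge itself, so the
# router's own vlan11 interface can reach the CPU. vlan22 is pure passthrough and
# is NOT listed on the bridge, so the RB2011 has no IP presence in it at all.
add bridge=bridge2011 tagged=bridge2011,ether2,ether3 vlan-ids=11
add bridge=bridge2011 tagged=ether2,ether3 vlan-ids=22
# vlan33 is originated here and only leaves towards the RB260GS.
add bridge=bridge2011 tagged=bridge2011,ether3 vlan-ids=33

/interface vlan
add interface=bridge2011 name=vlan11 vlan-id=11
add interface=bridge2011 name=vlan33 vlan-id=33

/ip address
# PLACEHOLDER: replace 192.168.1.XX with the RB2011's static address in vlan11
add address=192.168.1.XX/24 interface=vlan11
add address=192.168.4.1/24 interface=vlan33

/ip pool
add name=dhcp_pool33 ranges=192.168.4.2-192.168.4.254
/ip dhcp-server
add address-pool=dhcp_pool33 disabled=no interface=vlan33 name=dhcp33
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.1.1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

# Return path for 192.168.4.0/24: pick ONE of the two.
# Option 1 (entered on the CRS125, not here): a static route back to the RB2011.
# The CRS and its firewall then still see the real 192.168.4.x source addresses.
#   /ip route add dst-address=192.168.4.0/24 gateway=192.168.1.XX
# Option 2 (on the RB2011): masquerade vlan33 behind the vlan11 address. Upstream
# devices then only ever see 192.168.1.XX, so per-host detail is lost in CRS logs.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.4.0/24 out-interface=vlan11 comment="option 2; remove if the CRS has the route"

# Limit neighbour discovery and MAC-Winbox to the management VLAN before filtering goes live.
/interface list
add name=management
/interface list members
add interface=vlan11 list=management
/ip neighbor discovery-settings
set discover-interface-list=management
/tool mac-server mac-winbox
set allowed-interface-list=management

# Enable VLAN filtering last: doing it before the vlan11 entries and the vlan11
# address exist would cut off a management session coming in over the trunk.
/interface bridge
set [ find name=bridge2011 ] vlan-filtering=yes
```

Choosing between the two options is mostly a visibility question: with option 1 the CRS side can filter and log vlan33 hosts individually, while with option 2 those hosts are unreachable from the CRS side unless a dst-nat rule is added, and every flow appears to come from the RB2011 itself. Whichever option is used, the `admit-only-vlan-tagged` and `ingress-filtering=yes` settings on both trunk ports are what stop a device plugged into either cable from injecting untagged or unlisted-VLAN frames into the bridge.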

I don't think either of them are good (for VLAN passthrough), but the OP's requirements were not clear, and the posted diagram had little correlation to the configs. If the vlans are in fact "just passing through", then what @pe1chl posted is a more appropriate solution.

Using routes requires that the return traffic knows what gateway to use.

Using sourcenat (masquerade) makes the egressing traffic appear to be from the egress interface's ip address in the connected network (subnet), so it will work in cases where another gateway exists in that subnet. This is because within subnet, the gateway won't be used; arp will be used to determine the mac address of the destination host, and then the traffic will be sent directly to that mac address.

It would be best to post your network diagram and requirements in a new topic/thread instead of necroposting to a 3 year old topic that probably isn't very similar to your config.

The config in this thread is very odd, and using the wrong equipment for the job (for example the RB2011 has 10/100 ports and no Gb support). Both the CRS125-24G-1S-IN and the RB2011 are discontinued products and require special configs to utilize the HW switch capability. About the only reason to continue to use them would be in an existing configuration that is working as wanted, or as a learning experience in a lab scenario.

Hopefully you have newer equipment that can use the vlan-filtering (vlan aware) bridge with HW offloading support.