VLAN PROBLEM

Exactly · December 14, 2022, 6:27pm

Hello,

I’m new in Mikrotik World and i need help.

My ISP give me to VLAN 100 and 200 on two servers location, this able to connect this location for making backup and connection with the same IP.

On first location i have:
Router CCR1072
CRS317-1G-16S+

On second:
The same

First location:

On Router:
On port eth2 i created vlan frm ISP 100 and 200
On port eth3 i eth4 i created bridge LAN (100) and BACKUP(200)
On switch:
I created 2 vlan 100 and 200
Ports 1-8 i set to Strict Untagged 100
Ports 9-16 i set to Strict Untagged 200

Second Location:
The same configuration

I cannot ping this two diffrent location, you know what i make bad?

mkx · December 15, 2022, 6:50am

As always there are “many ways to skin the cat” when it comes to dealing with VLANs in RouterOS. Your vague description what you tried to do is one of them (but we can only guess if you did it right), but the recommended way is to use single VLAN-enabled bridge. @pcunite wrote a nice tutorial about it.

If you decide to pursue the way you went with, post configuration of all devices (at least part under /interface) for review.

Exactly · December 15, 2022, 5:11pm

1 location:
set [ find default-name=sfp-sfpplus1 ] comment=WAN
set [ find default-name=sfp-sfpplus2 ] comment=“VLAN PROVIDER” loop-protect=on speed=1Gbps
set [ find default-name=sfp-sfpplus3 ] comment=“switch VLAN100 prod”
set [ find default-name=sfp-sfpplus4 ] comment=“switch VLAN200 backup” speed=1Gbps
set [ find default-name=sfp-sfpplus5 ] comment=“server backup”
set [ find default-name=sfp-sfpplus6 ] comment=server backup
set [ find default-name=sfp-sfpplus7 ] comment=“server backup” speed=100Mbps
set [ find default-name=sfp-sfpplus8 ] arp=proxy-arp comment=“server backup” full-duplex=no rx-flow-control=auto tx-flow-control=auto
/interface vlan
add arp=proxy-arp interface=sfp-sfpplus2 name=backup_vlan vlan-id=200
add arp=proxy-arp interface=sfp-sfpplus2 name=prod_vlan vlan-id=100
/interface bridge port
add bridge=WAN interface=sfp-sfpplus1
add bridge=LAN_prod interface=prod_vlan
add bridge=LAN_backup interface=backup_vlan
add bridge=LAN_prod interface=sfp-sfpplus3 trusted=yes
add bridge=LAN_backup interface=sfp-sfpplus4 trusted=yes
add bridge=LAN_backup interface=sfp-sfpplus5
add bridge=LAN_backup interface=sfp-sfpplus6
add bridge=LAN_prod interface=ether1 trusted=yes
add bridge=LAN_backup interface=sfp-sfpplus7
add bridge=LAN_backup interface=sfp-sfpplus8

SFP1-WAN
SFP2- ISP Provider VLAN to other location
SFP3- Connected to SWITCH 1-12 Port Untagged 100
SFP4- Connected 13-16 port untagged 200

The same configuration on second location but on second location have two switch. On the second switch i make the same vlan untagged, the same configuration what on switch one.

https://ibb.co/YNgC0L8
https://ibb.co/xmTLm5Z

mkx · December 15, 2022, 8:06pm

If you have CCR1072 port sfp-sfpplus3 connected to one of CRS317 ports 1-12 (that’s what I can read from screenshots, too heavily cropped to be sure), then the rest of CRS ports 1-12 should be able to talk via VLAN 100 with peer devices on the other location.

Similarly, if you have CCR1072 port sfp-sfpplus4 connected to one of CRS317 ports 13-16 (again that’s what I can read from screenshots), then the rest of CRS ports 13-16 should be able to talk via VLAN 200 with peer devices on the other location.

If physical connections between CCR and CRS are not as written above, then CCR and CRS configuration is not in par with physical setup.

As I aleady noted: VLAN setup can ve done in different ways, yours is a bit odd (mildly put). E.g. single connection between CCR and CRS carrying both VLANs would be more common. If you want to use two links, you could use them in bond (again carriying both VLANs), providing increased capacity and fault tolerance.

Exactly · December 15, 2022, 9:17pm

SECOND LOCATION

/interface bridge
add arp=proxy-arp name=Backup
add arp=proxy-arp dhcp-snooping=yes name=LAN
add name=wan
/interface ethernet
set [ find default-name=ether1 ] comment=“SWITCH 1G”
set [ find default-name=sfp-sfpplus1 ] comment=WAN
set [ find default-name=sfp-sfpplus2 ] comment=SWITCH-PROD speed=1Gbps
set [ find default-name=sfp-sfpplus3 ] comment=“BACKUP LINK VLAN”
set [ find default-name=sfp-sfpplus4 ] comment=SWITCH-BACKUP speed=1Gbps
set [ find default-name=sfp-sfpplus8 ] comment=SERVER PROD
/interface vlan
add arp=proxy-arp interface=sfp-sfpplus3 name=vlan_backup vlan-id=200
add arp=proxy-arp interface=sfp-sfpplus3 name=vlan_prod vlan-id=100
/interface ethernet switch
set 0 name=switch1
set 1 name=switch2
set 2 name=switch3
/interface list
add name=WAN
add name=IT
/interface bridge port
add bridge=LAN interface=sfp-sfpplus2 trusted=yes
add bridge=Backup interface=sfp-sfpplus4 trusted=yes
add bridge=LAN interface=sfp-sfpplus5
add bridge=LAN interface=sfp-sfpplus6
add bridge=LAN interface=sfp-sfpplus7
add bridge=LAN interface=sfp-sfpplus8
add bridge=LAN interface=ether1 trusted=yes
add bridge=wan interface=sfp-sfpplus1
add bridge=LAN interface=vlan_prod
add bridge=Backup interface=vlan_backup

SFP1 - WAN
SFP3 - ISP PROVIDER VLAN 100/200 Connetion to other location
SFP2 - LINK TO SWITCH PROD PORT UNTAGGED 100 VLAN
SFP4 - LINK TO SWITCH BACKUP PORT UNTAGGED 200 VLAN

SWITCH1:
https://ibb.co/169sdgH
https://ibb.co/f2NQXNK
LINK1 on SWITCH CONNETED TO SFP2
LINK15 on SWITCH Conneted to SFP4
LINK16 on SWITCH conneted to second switch on this location

SWITCH2:
https://ibb.co/mqc69Dp
https://ibb.co/PcfZ40F

Location1 have problem to see Location2, Do u have suggestion why or what is your way?

How i can make single port use connection to switch?

mkx · December 16, 2022, 9:51am

By using single VLAN-aware bridge … as per tutorial linked in my post #2 above. It works on all ROS devices versions 6.42 and above. Recent SwOS will handle trunk (tagged-only) ports fine as well.

But essentially it’ll be the same as your inter-location fibre carrying two tagged VLANs.

mkx · December 16, 2022, 9:59am

I don’t have any idea about why you can’t use devices in different locations which belong to same IP subnet … other than it’s something else on router(s) which is in the way. Since both locations use same VLANs, but yet you have two routers (assumingly to break out local traffic to internet) … it may be down to IP addressing (and routing and firewalling). How do you configure L3?

Exactly · December 16, 2022, 2:37pm

The same configuration on two router:

/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=drop chain=input comment=“brute force ssh” dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=2w1d chain=input comment=“3” connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input comment=“2” connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=10m chain=input comment=“1” connection-state=new dst-port=22 protocol=tcp src-address=!1xxx.xxx.xxx.xxx
add action=drop chain=input comment=DNS dst-port=53 in-interface=WAN protocol=udp
add action=drop chain=input comment=DNS dst-port=53 in-interface=WAN protocol=tcp
add action=accept chain=forward in-interface=WAN protocol=icmp
add action=accept chain=input in-interface=WAN protocol=!icmp
/ip firewall nat
add action=masquerade chain=srcnat comment=LAN-NET out-interface=WAN

mkx · December 16, 2022, 3:22pm

The last post did not really answer to my question

How do you configure L3?

And that means all of it … addresses, routes, whatnot. I’m getting tired of pulling bits of information out of you. And I can not help you without seeing the full picture.

Exactly · December 18, 2022, 12:54pm

Sorry. my mistake. DHCP in this network is off, all is manual configuration.

Location first:
/ip address
add address=XXX.XX.XX.XX/30 interface=WAN network=XXX.XX.XX.XX
add address=192.168.0.1/24 interface=LAN_prod network=192.168.0.0
add address=10.0.0.1/24 interface=LAN_backup network=10.0.0.0

/ip route
add distance=1 gateway=xxx.xxx.xxx.xxx WAN GATEWAY

Location second:
/ip address
add address=xxx.xxx.xxx.xxx/29 interface=wan network=xxx.xxx.xxx.xxx
add address=192.168.0.252/24 interface=LAN network=192.168.0.0
add address=10.0.0.1/24 interface=Backup network=10.0.0.0

add distance=1 gateway=xxx.xxx.xxx.xxx WAN GATEWAY

mkx · December 18, 2022, 2:00pm

It could be that you’re seeing effects of routing triangle. But I can’t say if that’s so because I can’t get a grasp on the network layout you’ve got.

Traffic between device on 192.168.0.0/24 subnet on site 1 and device in the same subnet on site 2 should flow undisturbed. Similarly for 10.0.0/24. The only thing that might get into the way is proxy arp setting on bridges. Any good reason to have it enabled?

Traffic between different subnets will take different paths in each direction, local router will route it to the other VLAN. And this upsets connection tracking machinery. Similar could happen even for intra VLAN traffic if proxy arp “pulls” traffic to router’s L3 where it becomes subject to firewalling.

I’m sure there are multiple ways out but as I wrote: since I can’t get a grip on how your networks are like, I don’t know which way out would be appropriate.

anav · December 19, 2022, 12:04pm

https://forum.mikrotik.com/viewtopic.php?p=908118