I’m starting my first setup for a SOHO environment. I intend to use a hEX as router / firewall and a CRS125-24G-1S-RM for distribution to the client devices. I want to use VLANs to separate classes of clients, e.g. business workstations, private PCs of the kids, common services, etc. The router shall enforce access policies. However, it might not be the best idea to route the NFS / Samba traffic from the CRS to the hEX and back, so any more optimal approach is appreciated.
I roughly followed https://administrator.de/tutorial/mikrotik-vlan-konfiguration-ab-routeros-version-6-41-367186.html to set up the hEX and https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching to set up the CRS. However, I configured the hEX to NAT on the WAN port and of course I used my own VLAN IDs. Attaching my client to ether4 I receive DHCP and can access the internet, hopefully via “clients-trusted-vlan”. The next step was to set up a trunk connection between the hEX and the CRS. To me it looks sufficiently similar to the tutorials, but if I try to ping the hEX from the CRS I get “host unreachable”.
I have no idea how to further troubleshoot the matter. What am I missing?
Update: Using the setup for the hEX, I made ether2 another tagged port and connected it to a Linux server, where I let the kernel sort out the VLAN. It works perfectly, so I assume that the setup of the hEX is fine. I also found this https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Example_1_.28Trunk_and_Access_ports.29 tutorial, but still I cannot ping between the two switches.
This is the relevant part of the hEX configuration:
/interface bridge
add name=vlan-bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=Trunk-eth5
set [ find default-name=ether1 ] name=WAN-eth1
/interface vlan
add interface=vlan-bridge name=admin-vlan vlan-id=110
add interface=vlan-bridge name=clients-trusted-vlan vlan-id=131
add interface=vlan-bridge name=services-vlan vlan-id=115
add interface=vlan-bridge name=vlan1 vlan-id=1
/interface bridge port
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=131
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=110
add bridge=vlan-bridge interface=Trunk-eth5
/interface bridge vlan
add bridge=vlan-bridge tagged=vlan-bridge vlan-ids=1
add bridge=vlan-bridge tagged=vlan-bridge,Trunk-eth5 untagged=ether4 vlan-ids=131
add bridge=vlan-bridge tagged=vlan-bridge,Trunk-eth5 vlan-ids=110
add bridge=vlan-bridge tagged=vlan-bridge,Trunk-eth5 vlan-ids=115
/ip address
add address=172.18.1.1/24 interface=admin-vlan network=172.18.1.0
add address=172.18.32.1/24 interface=clients-trusted-vlan network=172.18.32.0
add address=172.18.16.1/24 interface=services-vlan network=172.18.16.0
And this is the configuration excerpt from the CRS:
/interface bridge add name=vlan-bridge vlan-filtering=yes
/interface vlan
add interface=vlan-bridge name=admin-vlan vlan-id=110
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether9
/interface bridge port
add bridge=vlan-bridge interface=ether1
add bridge=vlan-bridge interface=ether10
add bridge=vlan-bridge interface=ether9
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=110
add tagged-ports=ether1 vlan-id=115
add tagged-ports=ether1 vlan-id=131
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=131 ports=ether9
/interface ethernet switch vlan
add ports=ether1,ether9 vlan-id=131
add ports=ether1,switch1-cpu vlan-id=110
/ip address
add address=172.18.1.2/24 interface=admin-vlan network=172.18.1.0
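One way to sanity-check a CRS1xx switch-chip export for the management-VLAN path, as an added example that is neither the poster's code nor anything from MikroTik. It parses the CRS lines pasted above and encodes three documented requirements: the CPU port must be a member of the VLAN and listed in egress-vlan-tag so the bridge's VLAN interface sees the tag, a bridge with vlan-filtering=yes must carry the VLAN in its own VLAN table with the bridge tagged, and a port that tags a VLAN on egress must be a member of that VLAN (otherwise drop-if-invalid discards it on ingress).

```python
from collections import defaultdict

# Lines taken from the CRS excerpt in the post above (switch-chip VLAN config).
CRS_EXPORT = """
/interface bridge add name=vlan-bridge vlan-filtering=yes
/interface vlan
add interface=vlan-bridge name=admin-vlan vlan-id=110
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=110
add tagged-ports=ether1 vlan-id=115
/interface ethernet switch vlan
add ports=ether1,switch1-cpu vlan-id=110
"""

def parse(export):
    """Map each RouterOS menu path to its list of add/set rows ({key: value})."""
    rows, menu = defaultdict(list), None
    for line in export.strip().splitlines():
        words = line.split()
        if words[0].startswith("/"):  # menu path, possibly with a command on the same line
            verb = next((i for i, w in enumerate(words) if w in ("add", "set")), len(words))
            menu, words = " ".join(words[:verb]), words[verb:]
        if words and words[0] in ("add", "set"):
            rows[menu].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return rows

def ports(row, key):
    return set(row.get(key, "").split(",")) - {""}

def check_cpu_vlans(cfg):
    """Findings for every VLAN the switch CPU (and the bridge on top of it) must talk on."""
    findings = []
    bridge_vf = {r["name"] for r in cfg["/interface bridge"] if r.get("vlan-filtering") == "yes"}
    bridge_vlans = {(r["bridge"], v) for r in cfg["/interface bridge vlan"] for v in ports(r, "vlan-ids")}
    member = {r["vlan-id"]: ports(r, "ports") for r in cfg["/interface ethernet switch vlan"]}
    tagged = {r["vlan-id"]: ports(r, "tagged-ports") for r in cfg["/interface ethernet switch egress-vlan-tag"]}
    for r in cfg["/interface vlan"]:
        vid, br = r["vlan-id"], r["interface"]
        if "switch1-cpu" not in member.get(vid, set()):
            findings.append(f"vlan {vid}: switch1-cpu is not a member in /interface ethernet switch vlan")
        if "switch1-cpu" not in tagged.get(vid, set()):
            findings.append(f"vlan {vid}: frames reach the CPU untagged (switch1-cpu missing from egress-vlan-tag)")
        if br in bridge_vf and (br, vid) not in bridge_vlans:
            findings.append(f"vlan {vid}: {br} has vlan-filtering=yes but no /interface bridge vlan entry tagging {br}")
    # a port that tags a VLAN on egress must also be a member of it in the switch vlan table
    for vid, tp in tagged.items():
        for p in tp - member.get(vid, set()):
            findings.append(f"vlan {vid}: {p} tags it on egress but is not a member in /interface ethernet switch vlan")
    return findings

if __name__ == "__main__":
    for f in check_cpu_vlans(parse(CRS_EXPORT)):
        print("CHECK:", f)
```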