Hi i’m new to Mikrotik and RouterOS, but i’m trying to setup my RB951G-2HnD the way it’s explained in the picture. To somehow I don’t know how to setup de vlan’s the way it should be done.

Here are the instructions that I should follow to get it working, but unfortunately I can not get it working.

You use a router with vlan support. That connects to your fiber optic connection and Experiabox. The router sends VLANs 7 through to the Experiabox and start an Internet session on VLAN 6.

I would like to see incoming vlan 7 (VOIP) is connected to port 5 and incoming vlan 4 (IPTV) and 6 (Internet) connected to port 2 t / m 4.

Can anyone help me with this?

I'm going to try this configuration.

/interface ethernet

Poort 1 (ether1) = FIBER

set 1 arp=proxy-arp auto-negotiation=yes
disabled=no full-duplex=yes l2mtu=1598
mtu=1500 name=ether1-gateway speed=1Gbps

Poort 2 (ether2) = LAN

set 2 arp=enabled auto-negotiation=yes
disabled=no full-duplex=yes l2mtu=1598
mtu=1500 name=ether2 speed=1Gbps

VLAN 6 = internet, deze koppelen we aan de fysieke interface ether1

Maak VLAN 4 en 7 aan en koppel deze (ook) aan poort 1

/interface vlan
add arp=enabled disabled=no interface=ether1-gateway l2mtu=1594 mtu=1500
name=vlan1.6 use-service-tag=no vlan-id=6

add interface=ether1-gateway l2mtu=1594 name=vlan1.4 vlan-id=4
add interface=ether1-gateway l2mtu=1594 name=vlan1.7 vlan-id=7

Maak een VLAN 7 aan op poort 5 om verkeer tagged naar de experiabox te sturen

add interface=ether5 l2mtu=1594 name=vlan5.7 vlan-id=7

\

PPPoE profiel, heel standaard.

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=
default use-encryption=default use-mpls=default use-vj-compression=
default

PPPOE CLIENT, deze koppelen we aan de VLAN6 interface die eerder gemaakt is.

(vul eigen MAC in ipv xx-xx...) Let op: hier worden streepjes gebruikt ipv dubbele punten

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2
dial-on-demand=no disabled=no interface=vlan1.6 max-mru=1480 max-mtu=1480
mrru=disabled name=pppoe password=kpn profile=default service-name=""
use-peer-dns=no user=XX-XX-XX...@direct-adsl

PPPOE CLIENT extra configuratie voor RouterOS 6

betreft de keep-alive-timeout.

De timeout komt hiermee op 20 seconden, de spatie en het cijfer 0 is om de interface aan te duiden.

/interface pppoe-client
set keepalive-timeout=20 0

BGP, alleen maar even om zeker te zijn dat hij disabled is

/routing bgp instance
set default disabled=yes

Bridges, ofwel verzameling switchpoorten die bij elkaar horen. Let op: poort 1 zit niet in de LAN bridgepoort!

/interface bridge
add name=bridge-local
add name=bridge-iptv
add name=bridge-tel

/interface bridge port
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none
interface=ether2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none
interface=ether3 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none
interface=ether4 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none
interface=wlan1 path-cost=10 point-to-point=auto priority=0x80

add bridge=bridge-iptv interface=vlan1.4
add bridge=bridge-iptv interface=ether2
add bridge=bridge-iptv interface=ether3
add bridge=bridge-iptv interface=ether4

add bridge=bridge-tel interface=vlan1.7
add bridge=bridge-tel interface=vlan5.7

/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=
no

/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=disabled
set 1 vlan-header=leave-as-is vlan-mode=disabled
set 2 vlan-header=leave-as-is vlan-mode=disabled
set 3 vlan-header=leave-as-is vlan-mode=disabled
set 4 vlan-header=leave-as-is vlan-mode=disabled
set 5 vlan-header=leave-as-is vlan-mode=disabled

Lokaal IP adres van de router. Pas dit aan naar het IP adres in de reeks die je gebruikt (of laat het zo)

/ip address
add address=192.168.5.250/24 disabled=no interface=ether2 network=192.168.5.0

De DNS van Google, lekker betrouwbaar.

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=2048KiB
max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4

De 3 standaard rules voor de firewall. Dit zijn geen veilige rules, alles staat open!

/ip firewall filter
add action=accept chain=input disabled=no in-interface=pppoe protocol=icmp
add action=accept chain=input connection-state=related disabled=no
add action=accept chain=input connection-state=established disabled=no

De NAT regel om vanaf LAN het internet te kunnen gebruiken, vervang evt het src adres door je eigen LAN IP reeks.

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe
src-address=192.168.0.0/16 to-addresses=0.0.0.0

Geen rotzooi naar KPN sturen, dus we disablen discovery op de poorten naar KPN

Vanaf versie 6 van RouterOS moet je hieronder 'disabled=yes' vervangen door 'discover=no' en andersom.

/ip neighbor discovery
set sfp1-gateway disabled=yes
set ether1-gateway disabled=yes
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set wlan1 disabled=no
set bridge-local disabled=no
set pppoe disabled=yes
set pptp-in1 disabled=yes
set vlan1.6 disabled=yes

Hou de PPPoE verbinding aktief door elke 20 seconden een ping te sturen

Vervang bij voorkeur het IP adres door iets anders.

Vanaf RouterOS 6 is dit niet meer nodig wanneer je gebruik maakt van de

keep-alive-timeout in de PPPoE client instellingen! (zie boven)

/tool netwatch
add host=193.0.14.129 interval=20s

Algemene andere dingetjes

/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
/ip upnp interfaces
add disabled=no interface=bridge-local type=internal
add disabled=no interface=pppoe type=external
/lcd
set backlight-timeout=10m enabled=yes
/system clock
set time-zone-name=Europe/Amsterdam

You need to add a virtual vlan interface on any of the ports that need to use that vlan. I believe you can add a vlan to a bridge or a bridge to a vlan.

Think of the vlan as an interface. If you need vlan 4 on ether1 then create an ether1-vlan4 interface. If you need ports 2 & 3 to both have vlan7 then either create two vlan 7 interfaces and bridge the vlan interfaces or bridge ether 2&3 and create a vlan on the bridge.

Thank you. I have some help with the router config prepared as set out in the attachement.

Could this work?
router-config.txt (6.47 KB)

If you follow the steps on the tutorial belonging to the picture, you’re pretty close to the solution.
Only difference you should keep in mind is the lack of 10 ether ports.

It should look something like this.
Assume ether1 is your ISP connected port

One remark I have on your desired config is that the ether ports can not be both for IPTV and normal internet.
You have to choose there.
I suggest you do IPVT on ether4 and use ether2 and ether3 for normal internet.
/interface bridge
add name=voip
add name=local
add name=iptv

/interface vlan
add name=vlan4-ether1 interface=ether1 vlan-id=4
add name=vlan6-ether1 interface=ether1 vlan-id=6
add name=vlan7-ether1 interface=ether1 vlan-id=7

add name=vlan7-ether5 interface=ether5 vlan-id=7

/interface bridge port
add bridge=voip interface=vlan7-ether1
add bridge=voip interface=vlan7-ether5

add bridge=iptv interface=vlan4-ether1
add bridge=iptv interface=ether2
add bridge=iptv interface=ether3

add bridge=local interface=vlan6-ether1
add bridge=local interface=ether4If desired also connect the wlan interface to the network bridge for wifi internet.

The difference to the pictures is that VLAN 4 and 6 should be connected to port 2 to 4.
Is this even possible?

Yes it is possible.

Create Ether2-VLAN4 and Ether3-VLAN4. Then create a VLAN4-Bridge interface that has Ether2-VLAN4 and Ether3-VLAN4 as port members.
Then do the same for VLAN 6.

/interface vlan add name=ether2-vlan4 interface=ether2 vlan-id=4
/interface vlan add name=ether3-vlan4 interface=ether3 vlan-id=4
/interface bridge add name=VLAN4-Bridge
/interface bridge port add bridge=VLAN4-Bridge interface=ether2-VLAN4
/interface bridge port add bridge=VLAN4-Bridge interface=ether3-VLAN4

/interface vlan add name=ether2-vlan6 interface=ether2 vlan-id=6
/interface vlan add name=ether3-vlan6 interface=ether3 vlan-id=6
/interface bridge add name=VLAN6-Bridge
/interface bridge port add bridge=VLAN6-Bridge interface=ether2-VLAN6
/interface bridge port add bridge=VLAN6-Bridge interface=ether3-VLAN6

But the traffic is tagged than, isn’t it??

VLAN 4 and 6 should be untagged…
As far as I know…

I am not sure what you mean by VLAN 4 & 6 being untagged. The only untagged VLAN is VLAN1 which is the same as not having a VLAN.

If you mean ports 2 & 3 should accept untagged traffic and should be able to communicate with devices on the same subnet that are on a VLAN then that is done through routing.

If I read the graphic correct, the interface belonging to vlan 4 is supposed to accept untagged traffic and to tag input traffic to vlan 4. As far as I know if vlan 4 is assigned that interface, the input traffic should be tagged and output traffic is tagged with the vlan is. This is not as desired. I stay with my conclusion that a ether interface can not serve untagged traffic for 2 different vlans. So WijnantsRMJ must choose what vlan should be available on what ether interface.

I think we have some confusion about how RouterOS handles VLANS piratically speaking.

The router will only tag the traffic on egress when the traffic exits through a VLAN interface. The interface does not tag traffic on ingress, rather traffic enters the physical or virtual interface based upon the VLAN tag that is part of the packet header. If the packet already has a VLAN tag then it will enter the VLAN interface otherwise it will enter the physical interface.

Traffic that entered the router tagged with two different VLANS can exit on a single interface regardless if the egress traffic is tagged, re-tagged or untagged. Any physical interface can accept traffic on multiple virtual VLAN interfaces. The router could even split untagged traffic sourcing from an untagged interface into two different vlan tagged egress interfaces by simply matching the traffic and adding a routing mark that could cause the packet to exit on a tagged interface.

I suspect that VLAN tagging is not even needed for this configuration although I am making assumptions of what is going on. I have a few questions that should help me understand what your trying to do.

What is purpose of the VLAN’s?
Is the traffic coming from NTU VLAN already tagged traffic?
Is the ATA (IP to telphone adapter) configured for use on VLAN7?
Is the IPTV configured for use on VLAN4?
Is the router performing NAT for the LAN traffic, IPTV traffic & TEL traffic?

What is purpose of the VLAN’s?

The provider delivers Internet, IPTV and VOIP on VLAN’s to me. To use them, you have to take them apart. The router of the provider does this standard. However, it is not possible to set DHCP or DNS itself.

Is the traffic coming from NTU VLAN already tagged traffic?

The traffic coming from NTU VLAN’s is already tagged traffice.

Is the ATA (IP to telphone adapter) configured for use on VLAN7?

Yes, this is the default router from the provider and does this by default.

Is the IPTV configured for use on VLAN4?

Yes, I think it is. In my current setup I have a dump switch behind the provider router and on the switch there are IPTV decoders (only wired) and desktop, laptop, tablet and smartphone devices (wired and wireless).

Is the router performing NAT for the LAN traffic, IPTV traffic & TEL traffic?

The router should perform NAT for LAN traffic, IPTV traffic & TEL traffic. The provider router is also doing that now.

The provider router will still be used to provide VOIP services, because the provider doesn’t say what the setup is. If it’s simpler to get the Mikrotik behind the provider router and to be able to configure DHCP and DNS, this also would be fine.

So then I would have to get VLAN4 and VLAN6 from the provider router on a different subnet which it’s own DHCP and DNS setup.

If the provider is giving you a router then can you put your IPTV & VoIP in front of your MikroTik and only use the MT for your LAN? If that works then you won’t need VLANS unless the data is on a VLAN in which case you only need it on the WAN interface.

If you cannot then add the IPTV VLAN & VoIP VLAN to your provider interface. Then add the VOIP VLAN to an interface for the VoIP phone and add the IPTV VLAN to the TV interface and create a TV & VoIP VLAN where you can add each vlan interface to the bridge. This will allow the VLAN info to pass straight through the router as unchanged.

But I want the VLAN’s of Internet (6) and IPTV (4) connected to the same dumb switch, because the PC’s en IPTV devices are all connected to it. I think the IPTV devices are vlan awhere, but I know de PC devices are not.

Or should I use flexports http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Rule_Table, to filter the traffic to the IPTV devices (which are of Motorola) by mac protocol.

If you want to access VLAN tagged traffic on an interface then create a VLAN sub-interface on that interface with the appropriate VLAN ID.

If you want to have a given physical port untagged access that VLAN traffic then bridge the corresponding physical port to the relevant VLAN interface - this makes the physical port an “access port” in CiscoSpeak.

Again…

I’ve got a RB951G-2HnD and want to be able to use Internet (incoming on VLAN 6) en IPTV (incoming on VLAN 4) on a mixed internal environment (see attachment). The VOIP (incoming on VLAN 7) is bridged to VOIP modem.

The RB951G-2HnD is in default configuration from Mikrotik. I’m running RouterOS version 6.1 on it. To be able to use Internet, it should be setup to start over a PPPoE connection on VLAN 6 and it should keep open the line else the line will drop and not accessible for 10 minutes.

Thanks again for all your help. I’m really new to RouterOS and can use all the help to setup it up right.

As far as my knowledge goes (and the explanation given by joshaven) your desired setup is only possible if your IPTV devices are VLAN aware and are confgurable to transmit data tagged with VLAN ID 4 (and obviously accept incoming traffic which is tagged with this VLAN ID).
If both the IPTV and internet devices can not cope with VLAN tagged traffic, you can’t achieve your goal with the dumb switches you have now. You have to implement VLAN aware switches in both your living room and first floor and let them separate the tagged traffic which is coming from the routerboard.

This conversation is overly complicated for the need here…

Lets assume that the ISP is giving you three DHCP assigned IP addresses on the three VLANS that they are communicating on.

Rename your external interface to WAN ( or translate the rest of my instructions accordingly ).

Create three virtual VLAN interfaces on the WAN interface: WAN-VLAN4, WAN-VLAN6, WAN-VLAN7
Setup a DHCP Client on each of the Virtual WAN interfaces. Check that each are assigned addresses appropriately. If they do not receive assignment (which I would supposed they wouldn’t) then you need to contact your ISP to find out why the interfaces are not receiving an IP on the VLAN Interfaces. The reason I would suppose they would not is that you said the ISP is installing a router which I would suspect is handing untagged traffic to your LAN. However, given that you are specifically inquiring about using VLAN’s in your home I’ll continue assuming that you have three WAN interfaces that are receiving tagged traffic.

Now create three src-nat rule for anything exiting WAN-VLAN4, WAN-VLAN6, or WAN-VLAN7 with an action of masquerade.

Now create a bridge called LAN and two virtual VLAN interfaces on that bridge. LAN-VLAN4 LAN-VLAN7. Setup a private subnet on the three LAN interfaces, namely the untagged, VLAN4 & VLAN7. I would recommend:
LAN gets 10.1.0.1/24
LAN-VLAN4 gets 10.4.0.1/24
LAN-VLAN7 gets 10.7.0.1/24
The addressing is irrelevant except that the subnets need to be unique from any other subnet on your router or in your route table.

Now setup a DHCP server on each of your three LAN interfaces: LAN, LAN-VLAN4, LAN-VLAN7.

The above configuration is for three external interfaces (all being tagged traffic) and three internal interfaces: untagged, VLAN4 & VLAN7. This configuration is not bridging any of the VLANS but is routing and NATing them. Each of the LAN subnets will be available on any of the internal ports. If the device (VoIP or IPTV) is configured to tag traffic then it will “automatically” be on that VLAN and communicate across any “dumb switches” on the VLAN to the virtual interface on the router.

By the way, I run an ISP (and we do use VLANS in our distribution network). Although the network topology your describing is possible, I am almost positive that your receiving information that is only applicable outside of your home network. The networking nightmare that your dealing with is not only unnecessary but would require a network engineer for every home installation of internet. If the ISP is actually requiring VLAN use in the home then they really need to rethink their policy or the support cost will sink the company. The complications of in-home VLANs will not make your VoIP or IPTV service any better. VLANS are a good way to partition hundreds or thousands of devices from one another but make no since when you have 10 or fewer devices that are all passing through dumb switches anyway.

Maybe I explained it wrong…

I got fiber in to my home. The ISP is bundling the Internet, VOIP en IPTV signal into one signal. On the ISP router of the provider the signals get untangled (vlan id 4,6 en 7). The ISP router delivers VOIP directly to the phone. The ISP router also delivers Internet and IPTV access all of the router ethernet ports (1,2,3 and 4) and it delivers WiFi. To access Internet the ISP router normally sets up a PPPOE connection on VLAN6 (WAN side).

Now I wanted to place the Mikrotik router in between the ISP router and the NTU (ISP), just to able to run my own DHCP, DNS and servers. Those services aren’t changeable on the ISP router. I still need the ISP router for VOIP handeling, because there is no documentation on whats needed to make it work public available.

I don’t think I need VLAN’s on my home network, but I only know that on the ISP side VLAN6=Internet, VLAN4=IPTV, VLAN7=VOIP and that need a PPPOE connection on VLAN6 (WAN side) to able to access the Internet, and that it should always be on.

Hope this explains it better?