Vlan tagging in Point to Point with SXT Lite 5

Hi,

I have created point to point link between two sxt lite 5 with one device as bridge and other is station bridge. At one end I have dhcp server running in vlan 300 and at other end Users are connected. I want these users to get IP from dhcp server which is in vlan 300.

How can I configure these devices such that I can tag users traffic with vlan 300 and vlan 1 would be management vlan.

Thanks,

You need to add a VLAN interface to the bridge in the router. If you want to bridge VLAN 300 all the way across then you’ll have to have a VLAN 300 interface on each physical interface that the traffic will be crossing… in that case you will want a “VLANBridge” which has members like: “E1-V300” & “W1-V300”. However I think the simplest answer is as follows:

For instance… on the DHCP side of the link:
Create a bridge if you don’t already have one… “bridge1” (will be the name unless you rename it)
Create a VLAN interface (which I would name: “E1-V300”) with ether1 as the interface and 300 as the VLAN id.
Add E1-V300 to the bridge “bridge1”
Also make sure the wireless interface is a member of that bridge. You may or may not want ether1 to be a member of that bridge depending upon your network goals.
You will want to setup WDS (probably in dynamic mode) and set the WDS bridge to “bridge1” or whatever name you choose.
You will want to have the remote side set up with a bridge for WLAN1 & Ether1 as well as WDS set up for that bridge.

The effect of this will be bridging VLAN 300 to the untagged network and then crossing the bridge to your remote side. It is a valid configuration to transport both untagged and VLAN300 to the remote side and bridge the VLAN traffic with the untagged at that end if that meets your network goals better.

Basically what you need is to bridge untagged traffic to the VLAN traffic at some point in the network if you want untagged devices to see the DHCP server on that VLAN.

Feel free to ask more questions if something about this message doesn’t make sense. VLANs on the MikroTik are very simple but it’s a bit confusing until you get a good idea of how the MikroTik handles them. Good luck.

Thanks for the reply. What I have done so far before writing this Post is as below:

sxt lite 5-A
set on bridge mode
created bridge1 and added ether1 and wlan ports

sxt lite5-B
same as above

Later created vlan 300 in both sxt and tried to add them to bridge1 in both sxt, but it’s not accepting. At one point it accepted. Don’t know how.

my setup/requirement is as below:

DHCP server-----manageable switch----(fiber)----sxt lite5-A(bridge)---------sxt lite5-B(station bridge)------user

DHCP server connected to manageable switch on vlan 300
Fiber is connected to manageable switch on trunk (to carry untagged and vlan 300 traffic). Fiber is required as the link is at remote site.
Fiber is terminated to ether1 of sxt lite5-A
Point to Point between two sxt lite 5-B
Users are connected on sxt lite 5-B on ether1. (Users should be on vlan 300 and management of sxt should be on vlan 1)

Adding a single VLAN interface on each would not do what you’re wanting. If you wanted to fully bridge VLAN 300 across you would need to add a VLAN 300 to both ethernet interfaces and to both wireless interfaces and add all four VLAN interfaces to a bridge.

I suspect that you just want to receive VLAN300 traffic on the ether1 interface of Site1 and bridge that to the untagged wireless interface and leave the traffic untagged from there on. I would guess that the final destination is not VLAN aware.

Here is what I understand that you built:

DHCP on V300 >>>> Site2 % NO VLAN BRIDGE % VLAN 300
Untagged LAN >>>> Site2 >>>>>untagged bridge>>>>> Site2 >>>>>>>>> Client

The VLAN 300 network doesn’t exist on the wireless side of the router however there is a VLAN 300 on the far side of the link but there is no LAYER 2 connection back to the DHCP server.

Is the end client a VLAN aware client that is looking for DHCP on VLAN 300?

End client is not vlan aware client but I want to put him in vlan 300 so that he can receive dhcp from dhcp server which is on vlan 300.
I want client’s data to be tagged with vlan 300 once it enters in sxt lite5 and the tagging should be preserved till dhcp server.

As suggested by you, I will try adding vlan 300 to both ether1 and wlan and in bridge as well. Will update.

Will any traffic go over the SXT connections that is on any other VLAN?

Hi

Only vlan 300 (users) and vlan 1 (management of sxt)

OK… I think I have a solution.

The Untagged Network
The SXT at site B should have the management IP on the “bridge1” interface which should have WLAN1 as the only port member. WDS should be using bridge1 as the default bridge. This means that there is no access from SiteB to the management network except by using a router at Site A to change networks from both a layer 2 and layer 3 perspective.

The SXT at site A should have the management IP on “bridge1” as well. WDS should also have bridge1 as the default bridge. Ether1 & WLAN1 should be the port members of bridge1. This will allow both SXTs to communicate with each other on untagged interfaces, which means they are on the same layer 2 and layer 3 networks. VLAN 300 traffic will only be able to communicate with the untagged interfaces via a router at Site A that is not one of the SXTs.

The VLAN300 Network
The SXT at Site B will need a ‘V300’ bridge which will have Ether1 & W1V300 as port members. This means that all traffic entering the Ethernet interface will exit the SXT on the wireless interface tagged as VLAN 300.

The SXT at Site A will need a ‘V300’ bridge which will have E1V300 & W1V300 as port members. This means traffic arriving at either the wireless interface or the Ethernet interface on VLAN 300 will leave on the other interface and retain the VLAN tag.

The VLAN bridges at both sides could have an IP address in the subnet that is used on VLAN 300; this may be helpful for testing if something is odd.

Recapping:
Bridge “bridge1” members: Site A: (Ether1 & WLAN1) Site B: (WLAN1)
Bridge “V300” members: Site A: (E1V300 & W1V300) Site B: (Ether1 & W1V300)
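The recap above, written out as the RouterOS commands it implies. This is an added example, not a configuration posted in the thread; it assumes RouterOS v6 with classic bridges, the wireless modes the original poster described (bridge at Site A, station-bridge at Site B, so no WDS is configured), the hypothetical SSID `ptp-link`, and constructed management addresses 192.0.2.11 and 192.0.2.12 on bridge1 (wireless security profile omitted).

```routeros
# ---- Site A: SXT in mode=bridge, ether1 faces the trunk from the switch ----
/interface wireless set wlan1 mode=bridge ssid=ptp-link
# bridge1 carries untagged (management) frames, V300 carries tagged user frames
/interface bridge add name=bridge1 comment="untagged / management"
/interface bridge add name=V300 comment="VLAN 300 users"
# VLAN 300 sub-interfaces on both physical ports keep the tag end to end
/interface vlan add name=E1V300 interface=ether1 vlan-id=300
/interface vlan add name=W1V300 interface=wlan1 vlan-id=300
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1
/interface bridge port add bridge=V300 interface=E1V300
/interface bridge port add bridge=V300 interface=W1V300
# constructed management address, reachable untagged from Site A's switch
/ip address add address=192.0.2.11/24 interface=bridge1

# ---- Site B: SXT in mode=station-bridge, ether1 faces the users ----
/interface wireless set wlan1 mode=station-bridge ssid=ptp-link
/interface bridge add name=bridge1 comment="management only, wlan1 is the sole member"
/interface bridge add name=V300 comment="tags user traffic from ether1 as VLAN 300"
/interface vlan add name=W1V300 interface=wlan1 vlan-id=300
/interface bridge port add bridge=bridge1 interface=wlan1
# untagged user frames enter ether1 and leave wlan1 tagged 300 via W1V300
/interface bridge port add bridge=V300 interface=ether1
/interface bridge port add bridge=V300 interface=W1V300
/ip address add address=192.0.2.12/24 interface=bridge1
```

Because ether1 at Site B is only a member of V300, a user on that port never reaches the untagged management bridge; management of the Site B radio is only possible across the link from the Site A side.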

Thanks for the response. Will give it a try. It’s complicated as compared to other products.

This scenario can be easily achieved in other products like Ubiquiti’s NanoBridge, AirGrid etc. We just have to create a point to point link and tag the traffic with the desired VLAN.

Will update on this.

The complication is not due to the network design that I am proposing given my understanding of your need, not the product. The complication is that you cannot both keep tagged traffic together with untagged and keep them separate at the same time. If you need both layer 2 networks on the same back-haul and you need to add a tag at some point and remove tags at another then I think you are forced to have the config I am proposing regardless of the hardware & software used.

If you can tell me how you would do it with another product then I can tell you how that would be configured on a MikroTik. By the way, I would do this exactly the same way if I was using a Ubiquiti back-haul. The answer I gave did use a little MikroTik specific terminology but it is really just design theory explained rather than a configuration explanation.

It is however likely that I do not understand your use case fully and am making this more complicated than necessary. I cannot think of another way to tag traffic from Site B and un-tag traffic when returning while having management to both sites on an untagged network.

By the way, the only place I use a config like this is with a Ubiquiti Rocket AP and Ubiquiti NanoStation stations. I use VLANs to separate VoIP traffic from management traffic. I have the Rocket AP set up with a VLAN10 bridge and an untagged bridge just like I suggested for your Site A. The NanoStation has VLAN 10 on the wireless interface for management only, just like I suggested for your Site B. I have a further consideration in that I have a PPPoE interface on the customer router and the VoIP traffic is in front of the customer router on an ATA in bridge mode (untagged). The NanoStation receives an IP via DHCP on VLAN10 and the VoIP ATA receives an IP via DHCP on the untagged network. The customer’s internet connection receives an IP address via the PPPoE interface (also on the untagged network). All three networks are separate on layer 2 as well as layer 3. This is the closest situation I have to what I understand is your need.

Basically I want the user’s traffic to be tagged with VLAN 300 once it enters the SXT and it should be untagged in the Cisco switch where the DHCP server is connected on VLAN 300. Also I should be able to manage the SXT from a central location. In Ubiquiti it is just one click.

Will test this scenario as suggested by you today.

Thanks

What is the one click in Ubiquiti?

In the Ubiquiti ones you can specify the “Management VLAN: Enable” then in the “VLAN ID:” box enter a number.

For Mikrotik you have lots of options, which require a bit more understanding of what’s happening behind the scenes with VLAN’ing and the other networking components/services.

I usually disable all the IP Services I don’t need and keep only api-ssl and winbox. I create a management bridge and block all IP access (in the firewall) from outside of my management networks. Then I disable the Winbox MAC server and IP Neighbours on all interfaces other than that bridge. I then add a VLAN interface to an existing interface (my VLAN trunk) and add its port to the bridge. If I need an untagged access port to the VLAN, I add it to the bridge as well.

To setup the Ubiquiti management interface on a VLAN it is many fewer clicks in simple mode, but there is a good chance the end result is not really what you want from a security perspective. You usually need to go into Advanced and change the bridges around as it just creates the management VLAN and changes the interface it listens on and assumes the rest. If you leave it bridged to the wrong interfaces (it will depend on your configuration) you may be leaving yourself more vulnerable than you expect. Once again, it depends on your configuration.
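The management-plane hardening described in the post above (keep only api-ssl and winbox, firewall the management bridge, restrict the MAC server and neighbour discovery to it), as an added RouterOS example that is not from the thread. It assumes RouterOS 6.41 or later (interface lists), a management bridge named `bridge1`, and the constructed management network 192.0.2.0/24.

```routeros
# Keep only the two services actually used for administration
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set ssh disabled=yes
set api disabled=yes
# winbox and api-ssl stay up, but only answer to the management network
set winbox disabled=no address=192.0.2.0/24
set api-ssl disabled=no address=192.0.2.0/24

# Interface list naming the management bridge (assumed to exist as bridge1)
/interface list add name=mgmt comment="interfaces allowed to manage this device"
/interface list member add list=mgmt interface=bridge1

# Constructed management network; anything else is dropped on the input chain
/ip firewall address-list add list=mgmt-nets address=192.0.2.0/24
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to sessions the router opened"
add chain=input in-interface-list=mgmt src-address-list=mgmt-nets action=accept \
    comment="management only from the management bridge and network"
add chain=input action=drop comment="everything else to the router itself"

# MAC-Winbox / MAC-Telnet and neighbour discovery only on the management bridge,
# so user-facing ports do not reveal or expose the radio at layer 2
/tool mac-server set allowed-interface-list=mgmt
/tool mac-server mac-winbox set allowed-interface-list=mgmt
/ip neighbor discovery-settings set discover-interface-list=mgmt
```

Apply this from Winbox Safe Mode, so that a mistyped accept rule rolls back instead of locking you out of a radio that is only reachable across the wireless link.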

VLAN management is also very easily accomplished on the MikroTik but the need is much more complicated than VLAN management as I understand the problem. The remote Site B needs to add VLAN 300 to all ingress layer 2 traffic on the ethernet interface yet have the management of the MikroTik be untagged and accessible. Furthermore Site A needs to leave VLAN 300 traffic tagged but support untagged for management of the SXTs.

The poster of the problem says that this network config is easy to accomplish on UBNT so I am suspecting that I am misunderstanding the situation. I am waiting on an answer on how this would be easily accomplished on the UBNT platform so that I can translate the solution for his SXT’s. The easy solution will show me how I am over complicating the issue in my misunderstanding.

Yeah I read it entirely differently.

I read it as

Switch (VLANs 1 & 300) → Radio A (VLANs 1 & 300, management on 1) → Radio B (VLANs 1 & 300, management on 1, 300 bridged to ethernet to make it untagged)

It’s quicker to do with airMax stuff, yes, but I do it on both regularly and the Mikrotik version affords more flexibility and isn’t that tricky. We need the config essentially. I think what is happening is the vlan and bridges are not being connected to the correct interfaces. On Radio B I believe there should be both VLAN entries: 1 & 300 both set on the wlan interface then a bridge with VLAN 300 and the ethernet interface. On Radio A you would want the wlan and ether bridged, and I would probably set the vlans on the ether interface.

Ravin, export the config from both radios and post it here. If you’re having troubles, post where you get stuck.

Hello,
I spent hours and hours trying this same configuration and hardware (I have an untagged connection and simply want to add a tagged VLAN for VoIP).

When I test with two bridges with two tagged VLANs in the SXTs, everything works fine, both the connection with the SXT and the connection to the customer.

The problem is when one of these VLANs is tagged and the other untagged. I have connectivity issues with the SXT. The problem is that my entire network is untagged and I simply need to add a tagged VoIP VLAN, but I cannot.
Is there a difference to note between these two cases (2 tagged / 1 tagged + 1 untagged)? Or am I just doing something wrong and not seeing it?

Thank you very much

OK… now I am having 2 SXT Lite 5 working as a backup bridge between two switches with a lot of VLANs in the network.

Can I just have a simple way to transmit data from all VLANs in the network with that bridge?

The bridge is a backup, just like a simple CAT5 cable between two switches… so I think the setup should be simple…

I went through this entire thread and it has now confused me more…

Waiting for a kind help…

-sid