I have been using Mikrotik RB750GR2 for a couple of months as my main router and till now I have been able to configure everything I really needed.
Now I am extending my home lab and would like to activate several VLANs which are more or less intended for VMware lab.
Network topology is very basic. There is Mikrotik hEX RB750Gr2 as main router and Managed TP-Link switch SG108E (see attached topology).
What is confusing to me, is that there are several ways to configure VLANs on Mikrotik. Some people are using bridge and some not, but nevertheless nothing is really working for me.
What is the goal:
To configure only Mikrotik port 4 to be able to trunk VLAN 100,200,50,88 to TP-Link switch Port1. Then I would again trunk 4 ports from Switch to 2 ESXi hosts where multiple VMs are deployed.
In my case I really don't have any idea whether to configure Mikrotik without VLAN bridging:
Interface list: Add VLAN, choose ID and assign to Port4
Address list: Add addresses and assign them to previously created VLANs
…Or with bridging and vlan filtering?
Create new bridge interface
Add port 4 to the bridge
Create VLAN table (tagging only Port4, Untagging 0)
Activate VLAN filtering
Let me also mention that I already have one active bridge, if that is playing any part?
Topology:
SG108E:
Thank you in advance for any help or tip!
I’m interested in this answer because I have the same issue as you. Also, just in case you know, I have the same topology as you with the exception that I want port #4 (in the router) to be a separate VLAN for my VOIP. My issue is that I have tried many settings, but I can’t get port 4 to issue an IP corresponding to my VOIP IP pool. It just issues a bridge native IP, and if I turn on VLAN filtering, I don’t get any IP at all. In my setup all ports are a member of 1 bridge. I’m using ROS 7.1.1
If you need to use only one port on RB, and you’re sure that you won’t need more in future (e.g. you won’t need to extend same VLANs to another switch in second RB’s port), then just remove that port from any existing bridge, add four VLAN interfaces to it, and that’s it (aside from IP settings and such).
Regarding the SG108E setup…
The only ports with native vlan1 set as pvid should be the trunk ports.
The other ports (access port) will have the pVID of the vlan in use (tagged when traffic coming from dumb device onto switch and stripped when traffic heading back to dumb device).
Management port for 2-4 STEWPID ubiquiti APs that expect the management vlan OKAY (damn hybrid ports to come in untagged). However, the production vlan 2000 should be removed from ports 2-4!! The ubiquitis should only need 100 untagged and 88 tagged (same here, the untagging of pvid 100 removes vlan1 here).
If they were normal APs, both 88 and 100 would go to them as a trunk port.
I would rather keep everything in one bridge for simplicity, I don’t know what exactly I’m missing. The PVID is already changed. VLAN is configured in the interface menu, not at the bridge lvl.
Your Bridge definition is non-standard. REMOVE PVID14 for now. It's not the place to use vlanID normally.
You don't identify the bridge as the management vlan either, it's a bridge!!!
You have 6 vlans and 7 Pools, don't tell me you are using the bridge to also do dhcp etc. ???
If so, keep it simple and consistent take that subnet and make it a vlan aka where is your management vlan ???
In other words simply add VLAN14 LIKE ALL THE OTHERS!!!
Thanks, the 7th pool was from the default configuration and was on the bridge as a dhcp. I will remove the VLAN from the bridge, and also add the management VLAN to interfaces.
I will read the suggested article and make the changes afterwards. I would like to have access to the management VLAN in ports 2 & 3 only, just in case the access point goes down, then I can still access the management vlan physically at the router location (basement). Port 4 is only for the VOIP. The rest of the vlans will be pushed to switch through the SFP and then to their respective SSIDs.
V/r
a. Yes, it's a good idea, if you have a free port, to simply put it as an access port on the management vlan, so that you can plug your PC into the port and be on the management vlan.
b. You don't need two ports to do this, but a Better Idea for the second port, if you have another not used, is to make an emergency access port out of it, but one that is OFF the bridge.
In other words, if something goes screwy and you're configuring the bridge that may make all the associated bridge ports not accessible, simply plug your pc into an off bridge port and you regain access to the router for config. https://forum.mikrotik.com/viewtopic.php?t=181718
I think I already tried that, but let me check it again. Just tell me, do I need to link IP address (IP address list) to Ethernet4 port or VLAN interfaces?
Additional question related to SG108E…
I understand how tagging/untagging works, but I am still unsure what to do with VLAN1 on that switch. Since the eth1 on SG108E is “uplink”, should VLAN1 be tagged instead of default value - untagged?
You’re adding VLAN interfaces to get new separate networks, with separate interfaces. So you work with them, same way as if they were physical ethernets. Example:
As for switch, I don’t know this one exactly, but it should be possible to configure VLANs any way you want, if you don’t want VLAN 1 on some ports, simply remove it from there.
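The single-port approach described in the replies above (take the port out of the bridge, add the four VLAN interfaces, put the IP addresses on the VLAN interfaces), written out as RouterOS commands. This is an added example, not part of the original posts; the port name ether4, the vlanNN interface names and the 10.10.x.1/24 addresses are assumptions chosen for illustration.

```routeros
# Added example. ether4, the vlanNN names and the 10.10.x.1/24 addresses
# are assumptions; the VLAN IDs 50, 88, 100 and 200 are the ones from the thread.

# 1. Take ether4 out of any existing bridge so it is a standalone routed port.
#    Does nothing if ether4 is not a bridge port.
/interface bridge port remove [find interface=ether4]

# 2. One VLAN interface per VLAN ID, all stacked on ether4.
#    Traffic for these IDs leaves ether4 tagged, which makes it the trunk
#    towards the switch. Untagged traffic still belongs to ether4 itself.
/interface vlan
add name=vlan50 vlan-id=50 interface=ether4
add name=vlan88 vlan-id=88 interface=ether4
add name=vlan100 vlan-id=100 interface=ether4
add name=vlan200 vlan-id=200 interface=ether4

# 3. Addresses go on the VLAN interfaces, not on ether4: each VLAN interface
#    is treated like a separate physical ethernet with its own subnet.
/ip address
add address=10.10.50.1/24 interface=vlan50
add address=10.10.88.1/24 interface=vlan88
add address=10.10.100.1/24 interface=vlan100
add address=10.10.200.1/24 interface=vlan200

# 4. Verify what was created.
/interface vlan print
/ip address print where interface~"^vlan"
```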
Switch.
PVID table - all trunk ports retain default setting of 1, all access or hybrid ports should have a pvid port of the particular vlan being used on that port (namely tagging traffic coming from the dumb device connected to the port and stripping the vlanID when return traffic leaves the port heading back to the dumb device).
Trunk ports: all vlans going through a trunk port should be TAGGED for that port.
Access port: Vlan traffic going through an access port should be UNTAGGED for that port.
A port member - vlan1 is a port member for all trunk ports, and NOT a member for access ports.
As far as tagging, my recollection is for tplink switches vlan1 is never tagged and never untagged. It's just a member or it's not, and the default pvid of a port is 1 unless it's an access port.
I will try to see if I can find other information
Vlan 1 on tplink switch is default untagged for all ports.
In theory I would have to change it to tagged, or just put everything blank.
Every non trunk port can have only one untagged vlan (access port), so I can assume this default value has to be changed for vlan1 - from untagged to nothing or tagged.
Additionally, vlan1 on port 1 cannot be untagged as there is no way to pass through all vlans.
If we check my 1st post with topology, switch configuration should be:
Why are you using publicly routable IP address ranges for your private LANs? At the very least, that would make it difficult or impossible to reach an internet destination within the address ranges you are using. You normally would be using one of the private IP address ranges. For small networks, that is most commonly 192.168.x.y… There are others.
Hi, I managed to solve the vlan issue. Now I finally am able to get all necessary vlans from tplink switch.
It is enough to just create VLANs under Interface menu, and add IP addresses to those VLANs. I found out that I had a problem with vlan1 (U/T).
However, I would just like to ask how can I “connect” some vlans together. For instance. I would like to access some IPs on 192.168.88.0/24 network from 192.168.100.0/24?
I corrected Firewall rules, but apparently something is missing, as I am not getting responses from those devices. What am I missing?