VLAN using RB750

samih · August 28, 2012, 6:51am

hello i am using RB750. here is the scenario:
i want to use 3 ports : ether1, ether2 and ether3
ether1 is on vlan 1, ether2 is on vlan 2. and i want vlan 1 and vlan 2 to be separated from each other but i also want vlan 1 and vlan 2 to communicate with ether3

please help.

djdrastic · August 28, 2012, 7:18am

Samih you’re almost always better off putting a smart/intelligent switch in front of the mikrotik and doing vlans on there and trunking down those vlans as tagged down to the mikrotik.Use firewall/routing rules to stop networks from talking to each other.

samih · August 29, 2012, 5:48am

thank you man for you reply.
but i dont have enough budget to add a smart switch.
i know that it can be done with rb750.
any help please.

burkni · August 29, 2012, 3:38pm

Do you want vlan1 and vlan2 to be tagged on ether3? That’s I think the only way it’s actually seperated. You can easily set up your ports so vlan1 is untagged on ether1, vlan2 is untagged on ether2 and vlan1 and vlan2 are both tagged on ether 3. Can’t find it now but I did it on RB750G and I found some info on how to, I shall dig into it again. It is fairly simple when you start looking. If you’re using WinBox you set the port mode in Switch/Port. There you’d set all ports you’re using in this scenario to secure. Can’t find in WinBox where to change the tagging but in terminal it’s like this: You can do the secure part in the same thing.

/interface ethernet switch port
set 0 vlan-header=always-strip vlan-mode=secure
set 1 vlan-header=always-strip vlan-mode=secure
set 2 vlan-header=add-if-missing vlan-mode=secure

You might have to make some rules too, not sure what I did, would have to look it up.

sirEgghead · August 29, 2012, 8:00pm

/ip firewall filter add disabled=no in-interface=ether1 out-interface=ether2 action=drop
/ip firewall filter add disabled=no in-interface=ether2 out-interface=ether1 action=drop

That will work if you want the 2 to not talk to each other. Or:

/ip firewall address-list add list="LAN1" address=192.168.1.0/24
/ip firewall address-list add list="LAN2" address=192.168.2.0/24

/ip firewall filter add disabled=no src-address-list="LAN1" dst-address-list="LAN2" action=drop
/ip firewall filter add disabled=no src-address-list="LAN2" dst-address-list="LAN1" action=drop

Hope that info is useful.

Thomas

samih · August 30, 2012, 6:45am

thanks burkni for your reply. i searched a lot and i found something of what you had said. anyway i will make the setup like this.
the next step is to make ether1 communicate with ether3 and ether2 communicate with ether3.
can you offer some help pleasee.
thanks

by the way i want the packets going out of ether3 to be tagged with the vlan id of ether1 or ether2.

burkni · August 30, 2012, 8:20am

One question, are you just forwarding the traffic on these vlans through the interfaces or do you need to route from ether1/ether2 to ether3? If I understand you right you’re just forwarding the traffic?
If that is the case then this scenario should work for you:

/interface ethernet switch port
set 0 vlan-header=always-strip vlan-mode=secure
set 1 vlan-header=always-strip vlan-mode=secure
set 2 vlan-header=add-if-missing vlan-mode=secure

/interface ethernet switch rule
add new-dst-ports=ether1 ports=ether3 switch=switch1 vlan-header=present vlan-id=1
add new-dst-ports=ether2 ports=ether3 switch=switch1 vlan-header=present vlan-id=2
add new-dst-ports=ether3 new-vlan-id=1 ports=ether1 switch=switch1 vlan-header=not-present
add new-dst-ports=ether3 new-vlan-id=2 ports=ether2 switch=switch1 vlan-header=not-present

This is not enough, we have to pass the traffic through and tag the packets:

/interface ethernet switch vlan
add ports=ether3 switch=switch1 vlan-id=1
add ports=ether3 switch=switch1 vlan-id=2
add ports=ether1,ether2 switch=switch1 vlan-id=0

This last line seems to be needed for things to work. This kind of “bridges” the vlans between these interfaces, it does no routing. The vlans are, or should be, completely seperated this way.

samih · August 30, 2012, 8:26am

ok what you understood is the right thing. i want to forward packets from ether1/ether2 to ether3 with with vlan-id tags so i can separate then at ether3.

i did what you wrote but when i insert

/interface ethernet switch rule> add new-dst-ports=ether2 ports=e
ther3 switch=switch1 vlan-header=present vlan-id=1

i got a msg : failure: not supported for this switch
do you know the reason ?? is it related to the license level or what???

burkni · August 30, 2012, 9:05am

This worked on my RB750G, maybe RB750 is different, I wouldn’t think so though. The names I use, ether1 and so on, are the names on the interfaces, it might be different in your case. Check the names or change them to match this. That’s my best bet. You might be able to update the firmware/OS?
Hope this helps. I find it strange if there’s such a big difference between RB750 and RB750G. My router has Level 4 and is up-gradable to v6.x if that helps you troubleshoot this.

samih · August 30, 2012, 9:29am

i checked everything, the naming and others. all of them are the same.

anyway thanks a lot dear.

regards

burkni · August 30, 2012, 10:17am

OK. According to this, rules are not supported on RB750 but it is on RB750G:
http://wiki.mikrotik.com/wiki/Switch_Chip_Features

This one had similar problem:
http://forum.mikrotik.com/t/switch/33206/1

Get RB750G.

hq83 · October 29, 2012, 3:06pm

I need something like this but not exactly the same.
Unable to figure out from the example above. anyone can help?

ether1 - WAN port for ISP vlan10, vlan20, vlan30, vlan40 being tagged by ISP.
ether3 - I wan to forward vlan20, vlan30, vlan40 to this port which will be connected to another router. VoIP and IPTV is being connected to that router.
vlan10 is being use for internet for the other ports.

burkni · November 26, 2012, 10:14am

@hq83 - Which router do you have? Just wondering if your router supports the rules.

hq83 · November 27, 2012, 3:20am

Hi,
I am using rb1100ah