VLAN via switch chip: cannot ping router interface

Good idea Andrew, I’ve had no luck getting everything to work. It’s not a very complicated setup. I’ll try to explain very clearly, do ask if I’m not doing so :slight_smile:

I’ve got following devices:

  1. A correctly configured Cisco VLAN switch with a VLAN 10 (192.168.0.x) and a VLAN 20.
    VLAN 20 is special because devices in that VLAN will not receive an internal IP, they will and must receive an IP directly from the cable modem. The ISP decides the IP based on the MAC-address of the device.
    note: Normally, the ISP places a switch connected to their cable modem. They then connect their devices to the switch to assure they get an external IP. I’ll use VLAN 20 to serve the same purpose.
  2. A Motorola cable modem
  3. A simple plain Netgear 5 port gigabit switch
  4. Mikrotik Routerboard 450G Ros v4.17

Cisco switch (port 1)-/-/-/-/-/-/- (ether5) Mikrotik (ether 1) --------- Cable modem
|(ether2)
Netgear switch

Extra useful information:
1) -/-/-/ is a trunk line. So the trunk is between port 1 on the Cisco and ether5 on the Mikrotik.
2) The Netgear switch is connected to ether2 on the Mikrotik. Ether2 is in VLAN 10.
3) The cable modem is connected to ether1 on the Mikrotik. It hands out DHCP to the Mikrotik's ether1 port.
What is working right now?:

  1. Everything attached to the Netgear (VLAN 10) can ping everything on the Cisco which is also in VLAN 10. VLAN 10 is thus working
  2. VLAN 20 is working also. I’ve added rules to the rule table to accomplish this. There is one device in VLAN 20 ATM, and that device has got internet access via a public IP. VLAN 20 is thus also working.

So what is not working then?:

  • VLAN 10 devices cannot reach the router's internal IP. This internal IP (192.168.0.251) is assigned to the trunk port (=ether5).
    So VLAN 10 does not have internet access. So no VLAN 10 device on the Cisco switch can ping the router and no VLAN 10 device attached to the Netgear switch attached to ether2 can reach the router.

So that is about the only thing that doesn’t work ATM. Here is my config:


/ip address> print

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.0.251/24   192.168.0.0     192.168.0.255   ether5
 1   192.168.1.254/24   192.168.1.0     192.168.1.255   ether2

/ip dhcp-client> print

Flags: X - disabled, I - invalid
 #   INTERFACE                         USE ADD STATUS        ADDRESS
 0   ether1                            yes yes searching...

note: cable modem is not connected, retrieving an IP from the cable modem is no problem at all:).

/interface ethernet switch vlan> print

Flags: X - disabled, I - invalid
 #   SWITCH                            VLAN-ID        PORTS
 0   switch1                              0            ether2
 1   switch1                             20           ether5
                                                     ether1
 2   switch1                             10           ether5

/interface ethernet switch port> print

Flags: I - invalid
 #   NAME                    SWITCH                        VLAN-MODE     VLAN-HEADER
 0   ether1                  switch1                        fallback     always-strip
 1   ether2                  switch1                        secure      always-strip
 2   ether3                  switch1                        secure      always-strip
 3   ether4                  switch1                        secure      always-strip
 4   ether5                  switch1                        secure      add-if-missing

Not too sure of the above. Ether1 might be set wrongly but the way it is now, is the way that can cause the least trouble:).

/interface ethernet switch rule> print

Flags: X - disabled, I - invalid
 0   switch=switch1 ports=ether5 vlan-header=present vlan-id=20 copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=ether1

 1   switch=switch1 ports=ether1
     dst-mac-address=00:03:xx:xx:xx:xx/00:03:xx:xx:xx:xx
     vlan-header=not-present copy-to-cpu=no redirect-to-cpu=no mirror=no
     new-dst-ports=ether5 new-vlan-id=20

 2   switch=switch1 ports=ether2 vlan-header=not-present copy-to-cpu=yes
     redirect-to-cpu=no mirror=no new-dst-ports=ether5 new-vlan-id=10

 3   switch=switch1 ports=ether5 vlan-header=present vlan-id=10 copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=ether2

Rules 0 and 1 make sure the device in VLAN 20 gets a public IP. Those rules seem to work nicely.
Rules 2 and 3 are a failed attempt to get the devices on my Netgear switch (VLAN10) to reach the router (whose internal IP is on ether5).

That’s it:).

Thanks for helping me out!

Cheers,
Jeroen

A very concise description that makes perfect sense.

I think that what you’re missing is putting the cpu port in vlan 0 with ether2:

/interface ethernet switch vlan add disabled=no ports=cpu,ether2 switch=switch1 vlan-id=0

Once this is done then you don’t need a rule to copy ether2’s packets to the cpu.

I still need to play with this a lot more. Mikrotik switching is like no other switch that I’ve come across :slight_smile:

Regards

Andrew

haha so true, being concise is my expertise :smiley:

What you said did work though! I must admit I don’t yet understand why this works. Does the CPU-port only accept untagged packets?

However, to keep it clean I put my IP (192.168.0.251/24) on the trunk port (ether 5). So that’s the only IP configured on the router now.
I then put the ether 5 together with the CPU port in VLAN 0 (ether 2 was already in VLAN 0) and devices attached to ether 5 can now ping the router.

Anyway to my horror, I still think I need a rule :frowning:. Devices attached to ether 2 can’t ping the IP assigned to ether 5.
I could assign a 2nd IP to ether 2 and that’ll probably work but somehow that feels not right to do.

This switch is really hard to understand:)

Is ether5 the switch master port? I think only the master port bridges across to the cpu.

Andrew

Hi Andrew,
I’ve got some good news to report.

The devices***** in VLAN 10 attached to the Cisco switch can now reach the router (and also have internet).
What I did was as simple as everything but just a lucky shot to be honest:

1) I created a VLAN 10 (with corresponding VLAN ID 10) on the ether5 interface (via “/interface vlan”). Of course I then enabled it (something I tend to forget)
2) I then assigned the 192.168.0.something IP address to the VLAN 10 interface.
***** I connected a laptop, which can send tagged frames, to ether5 and did not actually use a device in VLAN 10 on the Cisco
I couldn’t really put the ether 5 port in VLAN 0 in the menu “/interface ethernet switch vlan”.
Because that would imply that ether 5 would allow receiving untagged frames. Also note following:
In my previous post I said:

I then put the ether 5 together with the CPU port in VLAN 0 (ether 2 was already in VLAN 0) and devices attached to ether 5 can now ping the router.

This is only true if the sending device sends untagged frames to ether 5 (which was allowed because we put ether 5 in VLAN 0 in the VLAN table). Ether 5 would also accept tagged frames (for VLAN 10 and 20) but you will not be able to ping the router then.
Moreover, putting the CPU port in VLAN 0 back when ether 2 had an IP(at the “/interface ethernet switch vlan” menu) wasn’t required. It worked just as well without. Most likely because VLAN ID 0 = untagged, so there is no need to create a VLAN interface on the ethernet port to which an IP address was assigned.


I’m now pondering over how I can get ether2 (=untagged member of VLAN 10/access port) to reach the IP on ether 5 (VLAN 10 interface).
I have tried some obvious things but it’s after 1 am so I’ve called it a day:)


ps: I’ve got no master port configured ATM in the above story.

Update:

So in the previous post I did:

/interface vlan> print

Flags: X - disabled, R - running, S - slave
 #    NAME                  MTU   ARP        VLAN-ID INTERFACE
 0 R  VLAN10                1500  enabled    10      ether5

/ip address print

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.0.250/24   192.168.0.0     192.168.0.255   VLAN10

Above was sufficient to have hosts on the Cisco switch reach the router and the internet.
The problem for ether2 still remained. At this point ether2 is unable to reach members in VLAN10, let alone reach the router.

I’ve managed to create rules to allow communication between ether5 and ether2, thus giving ether2 access to VLAN10.

/interface ethernet switch rule> print

 2   switch=switch1 ports=ether5 vlan-header=present vlan-id=10 copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=ether2,cpu

 3   switch=switch1 ports=ether2 vlan-header=not-present copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=ether5 new-vlan-id=10

CPU must be specified as a “new-dst-ports” in rule 2. Otherwise ether5 would forward all frames to ether2. If it does so no hosts on the Cisco would be able to reach the ether5 IP and router/internet access would again be broken.

So, at this point (if this config isn’t doing anything it shouldn’t) only ether2 is deprived of internet access because it cannot reach the router.
I’m looking to resolve this now but so far no luck:)

edit: Again I’ve tried several hours to get this working, but the only way I can get ether 2 to reach the IP on VLAN10 (created on ether5) is to bridge ether2 with VLAN10. Which of course is utterly useless as it totally negates wire speed throughput.

Heck, it seems I can’t reach the CPU port via layer 2 at all. :frowning:
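To make the behaviour of rules 2 and 3 in the update above easier to reason about, here is a small, simplified model of the switch-chip rule table (an added example, not code from the thread or from MikroTik). It assumes rules are matched top-down with first match winning, that new-dst-ports replaces the normal destination set, that copy-to-cpu adds the cpu port, and that new-vlan-id rewrites the tag; the VLAN-table default forwarding is left out so only the effect of the rules is visible.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    in_port: str
    vlan_id: Optional[int]  # None = untagged (vlan-header=not-present)


@dataclass(frozen=True)
class Rule:
    ports: Set[str]
    vlan_header: str  # "present", "not-present" or "any"
    vlan_id: Optional[int] = None
    new_dst_ports: Set[str] = frozenset()
    new_vlan_id: Optional[int] = None
    copy_to_cpu: bool = False


def matches(rule: Rule, frame: Frame) -> bool:
    """Does this rule's ingress port / tag / VLAN-ID match the frame?"""
    if frame.in_port not in rule.ports:
        return False
    tagged = frame.vlan_id is not None
    if rule.vlan_header == "present" and not tagged:
        return False
    if rule.vlan_header == "not-present" and tagged:
        return False
    return rule.vlan_id is None or frame.vlan_id == rule.vlan_id


def forward(rules, frame: Frame) -> Tuple[Set[str], Optional[int]]:
    """(egress ports, outgoing VLAN id) under the first matching rule;
    (empty set, unchanged tag) when no rule matches (model assumption)."""
    for rule in rules:
        if matches(rule, frame):
            out = set(rule.new_dst_ports)
            if rule.copy_to_cpu:
                out.add("cpu")
            vid = rule.new_vlan_id if rule.new_vlan_id is not None else frame.vlan_id
            return out, vid
    return set(), frame.vlan_id


# Rules 2 and 3 exactly as printed in the update above.
UPDATE_RULES = [
    Rule(ports={"ether5"}, vlan_header="present", vlan_id=10, new_dst_ports={"ether2", "cpu"}),
    Rule(ports={"ether2"}, vlan_header="not-present", new_dst_ports={"ether5"}, new_vlan_id=10),
]

# Rule 2 without cpu in new-dst-ports: the variant the post says breaks router access.
RULE2_WITHOUT_CPU = Rule(ports={"ether5"}, vlan_header="present", vlan_id=10, new_dst_ports={"ether2"})


def reaches_cpu(rules, frame: Frame) -> bool:
    return "cpu" in forward(rules, frame)[0]
```

Under this model a VLAN 10 frame arriving tagged on ether5 reaches both ether2 and the cpu, while an untagged frame from ether2 is tagged 10 and sent out ether5 only, which is consistent with ether2 still being unable to reach the router's VLAN10 address.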

====>Discussion going on here

I’m “closing” this topic down because it is getting way too complicated to follow. I’ve made some more advances and pinpointed where things go wrong. I do feel I’m very close to a solution but I have not been able to crack the (hopefully) final piece of the puzzle.

I will be starting a new topic with the closest I have to a solution. I’ll post the link to this topic here for those who might stumble upon this topic and wonder whatever happened to it.