I really like the MT products and OS but one thing that frustrates me is the sometimes vague explanations of how to use certain features like VLANs.
I have been trying to create a network as follows:
ROUTER A:
ether1 = VLAN trunk with several VLANS
ether 2, 3 & 4 = various access ports from VLANs
ROUTER B:
same as above. The two routers are connected by the VLAN trunks.
This config seems to work with one exception:
RouterA:
/interface bridge
add l2mtu=1594 name=bridge_1
add l2mtu=1594 name=bridge_2
/interface vlan
add interface=ether1-master-All_VLANS l2mtu=1594 name=vlan2 vlan-id=2
add interface=ether1-master-All_VLANS l2mtu=1594 name=vlan5 vlan-id=5
/ip dhcp-server
add address-pool=pool1 interface=bridge_1 name=dhcp_1
/interface bridge port
add bridge=bridge_1 interface=ether2
add bridge=bridge_2 interface=ether3
add bridge=bridge_1 interface=vlan2
add bridge=bridge_2 interface=vlan5
/ip address
add address=10.0.8.1/24 interface=bridge_1
RouterB:
/interface bridge
add l2mtu=1596 name=bridge_1
add l2mtu=1596 name=bridge_2
add l2mtu=1600 name=bridge_AllVLANS
/interface vlan
add interface=bridge_AllVLANS l2mtu=1596 name=vlan2 vlan-id=2
add interface=bridge_AllVLANS l2mtu=1596 name=vlan5 vlan-id=5
/ip dhcp-server
add address-pool=pool1 interface=bridge_2 name=dhcp_2
/interface bridge port
add bridge=bridge_AllVLANS interface=ether1
add bridge=bridge_1 interface=ether2
add bridge=bridge_2 interface=ether3
add bridge=bridge_1 interface=vlan2
add bridge=bridge_2 interface=vlan5
/ip address
add address=10.0.7.1/24 interface=bridge_2
Here are my 3 questions:
Notice in RouterB I had to attach the VLANS to a bridge instead of ether1 like in RouterA.
Why is this so? It seems to me it should have worked and the few example configurations I have seen show the VLANs under the physical interface on both ends.
I also noticed different l2mtu numbers between the 2 routers, this was defaulted by MK. Why is that?
The configuration almost works. The problem is that I can ping both of the specified IP addresses from either access port. This defeats the purpose of the VLANs. I don’t want one network to access the other. I checked the Routes table and it seems the router automagically puts in routes for the networks to the bridges. How do I isolate the VLANS?
Something looks odd on Router B. You have the VLANs assigned to a bridge and that bridge has no ports assigned…
As regards routing VLANs - yes, since the system is a router it will add routes for all connected interfaces including virtual VLAN interfaces. If you do not want certain traffic to be forwarded you can add filters to the forward chain to get the desired operation.
Ooops! Cut & paste error. I have edited the post to show the Vlan trunk interface for RouterB.
Thanks for the quick reply. The VLAN examples I saw never mentioned having to add filters to the firewall to negate the auto-routes that the router adds. It seems I can't delete the routes. What is the best way to handle this? (Examples are highly appreciated)
You are correct that you should be able to add the VLANs to the Ether 1 interface directly - if it is not already marked as a port on a bridge. If you have problems placing the VLAN interfaces directly on the Ether 1 port after ensuring that the port is not involved in a bridge then it would be useful to know the ROS and hardware version.
As regards blocking the VLAN routing, try adding a filter to the forward chain in IP Firewall with no selection criteria (i.e. no in/out interfaces or IPs specified) and action=drop. At that point no routed traffic will be forwarded between interfaces. Then adjust as necessary. If you want a primarily router function use drop rules with certain selection criteria. If you want a primarily firewall function use a drop all rule (no selection criteria) then add specific rules with selection criteria and action=accept above the “drop all” rule.
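The "drop all, then accept above it" layout described in that reply, written out as a RouterOS command sequence. This is an added example, not from the poster or from MikroTik's documentation; the server address 10.0.7.10 and port 443 are assumed values chosen to illustrate a specific permit between the 10.0.8.0/24 and 10.0.7.0/24 networks from the configs above.

```routeros
/ip firewall filter
# Rules are evaluated top to bottom, and "add" appends to the end of the chain,
# so the accept rules are entered first and the catch-all drop last.

# Let replies to already-permitted connections flow back.
add chain=forward connection-state=established,related action=accept \
    comment="allow return traffic"

# One specific permit: hosts on bridge_1 (10.0.8.0/24) may reach a single
# server on the other VLAN over HTTPS only (assumed address and port).
add chain=forward src-address=10.0.8.0/24 dst-address=10.0.7.10 \
    protocol=tcp dst-port=443 action=accept \
    comment="bridge_1 -> server on 10.0.7.10:443"

# Catch-all: everything else the router would forward between its connected
# networks (including the auto-added VLAN routes) is dropped.
add chain=forward action=drop comment="drop all other forwarded traffic"

# Check the order and watch the packet counters while testing from an access port.
print stats
```

Applied on both routers the same way; the counters on the drop rule are a quick confirmation that cross-VLAN pings are now being blocked rather than routed.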
I admit that I clipped out certain relevant parts of my config as it does more than I show. I will try to experiment with just the minimum config. If I am still unable to get the functionality when adding the VLANs to the physical port on both sides, I will post with version numbers and hardware. For now RouterA is a RB2011UAS running 5.23 and RouterB is a RB751U-2HnD running 5.24.
Thanks for the filter tip. I will give it a try.
Where would I use the switch chip? I am not picturing what you are suggesting. Please elaborate for me. Later Edit.
I just looked up more info on the switch chip. I noticed that there are some VLAN properties associated with it. Is this what you are talking about?
instead of bridges, using the switch chip and VLAN tags for the access ports?
I didn’t think of that, nor have I seen any examples of others doing that.
How would I go about configuring that?
Thanks
Unfortunately some of the features required to make effective use of the switch chip VLAN functions are only implemented in the 8316 chip support. See: