VLANs

Hi all, I would like to ask you for help with my MikroTik RB951G-2HnD. I need to create 3 VLANs (with separate IP ranges).
I tried to do this (google, youtube manuals, …), but it isn’t working (IP is not attached to PC).
I need to set VLANs like this:

vlan10-admin (id=10) = 10.0.0.0/24
vlan20-trusted (id=20) = 10.0.1.0/24
vlan30-public (id=30) = 10.0.2.0/24

ether1 - WAN
ether2 - all VLANs (will be separated by other connected MikroTik device - AP)
ether3 - vlan10-admin
ether4 - vlan10-admin
ether5 - vlan20-trusted
wifi - vlan20-trusted
wifi2 - vlan30-public

I think I have got DHCP and IP Pools set OK (see attachment).
I think that BRIDGEs setting is what I have wrong.

Thank you very much.
DHCP.PNG

The red color says “no”.

Other than that, x.x.x.0/24 is a network address, choose something other than .0 and .255.

Then it doesn’t sound like you want DHCP relay. It looks like it may be the result of going next-next-finish style through DHCP Setup, ignoring errors.

The simplest solution should be to delete all current DHCP related stuff, fix addresses and then try DHCP Setup again.

Also remember that when using bridges, DHCP server must be on main bridge interface, not on slave one.

Agree with Sob’s suggestions in above post.

In that case it would be useful to share your bridge config to ensure L2 is in order before worrying about the layers above. A /interface bridge and /interface vlan export would be a nice start.

Basically two routes to achieve what you want:

  • all in software: create logical VLAN interfaces under each physical interface, then bridge corresponding VLAN interfaces together. Addresses, DHCP, hotspots etc go on the bridges.
  • at least part in hardware: use the switch chip’s VLAN features and the wireless interface’s VLAN attributes, a single bridge to join ethernet and wifi and add logical VLAN interfaces under that bridge. Addresses, DHCP, hotspots etc go on logical VLAN interfaces.

Former may be most transparent for a novice to configure. It’s probably also the route you’ve been trying to take, however ended up selecting the wrong interfaces in the final step.

Latter may have some performance advantages if you’re expecting significant amounts of ethernet traffic that needs to be switched. Personally I also think it’s the most elegant. It is however a little bit more opaque to the novice eye.

First create three vlans

/interface vlan add vlan-id=10 interface=ether2 name=vlan10-admin
/interface vlan add vlan-id=20 interface=ether2 name=vlan20-trusted
/interface vlan add vlan-id=30 interface=ether2 name=vlan30-public

then create bridge for vlans

/interface bridge  add name=bridge-10
/interface bridge  add name=bridge-20
/interface bridge  add name=bridge-30

now add vlans and interfaces to bridges

/in bridge port add bridge=bridge-10 interface=vlan10-admin
/in bridge port add bridge=bridge-10 interface=ether3
/in bridge port add bridge=bridge-10 interface=ether4



/in bridge port add bridge=bridge-20 interface=vlan20-trusted
/in bridge port add bridge=bridge-20 interface=ether5
/in bridge port add bridge=bridge-20 interface=wlan1



/in bridge port add bridge=bridge-30 interface=vlan30-public
/in bridge port add bridge=bridge-30 interface=wlan2

now assign ip address

/ip address add address=10.0.0.1/24 interface=bridge-10
/ip address add address=10.0.1.1/24 interface=bridge-20
/ip address add address=10.0.2.1/24 interface=bridge-30

now add ip pool

/ip pool add name=10 ranges=10.0.0.2-10.0.0.254
/ip pool add name=20 ranges=10.0.1.2-10.0.1.254
/ip pool add name=30 ranges=10.0.2.2-10.0.2.254

last dhcp server

/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1
/ip dhcp-server network add address=10.0.1.0/24 gateway=10.0.1.1
/ip dhcp-server network add address=10.0.2.0/24 gateway=10.0.2.1
/ip dhcp-server add name=10 interface=bridge-10 address-pool=10 disabled=no
/ip dhcp-server add name=20 interface=bridge-20 address-pool=20 disabled=no
/ip dhcp-server add name=30 interface=bridge-30 address-pool=30 disabled=no

hope this helps. :smiley:
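
A consistency check for a per-VLAN bridge configuration like the one in the post above, added here as an example and not part of the thread. It assumes one-line `add` commands with full menu paths and a `vlan<id>-<label>` naming convention; `SAMPLE`, `parse` and `lint` are hypothetical names, and the check for a DHCP server bound to a bridge port follows the advice given earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample, not from the thread: deliberate VLAN id, pool and DHCP binding mistakes.
SAMPLE = """\
/interface vlan add vlan-id=10 interface=ether2 name=vlan10-admin
/interface vlan add vlan-id=20 interface=ether2 name=vlan20-trusted
/interface vlan add vlan-id=20 interface=ether2 name=vlan30-public
/interface bridge port add bridge=bridge-10 interface=vlan10-admin
/interface bridge port add bridge=bridge-20 interface=vlan20-trusted
/interface bridge port add bridge=bridge-30 interface=vlan30-public
/ip pool add name=10 ranges=10.0.0.2-10.0.0.254
/ip pool add name=20 ranges=10.0.1.2-10.0.1.254
/ip pool add name=10 ranges=10.0.2.2-10.0.2.254
/ip dhcp-server add name=10 interface=vlan10-admin address-pool=10
/ip dhcp-server add name=20 interface=bridge-20 address-pool=20
/ip dhcp-server add name=30 interface=bridge-30 address-pool=30
"""

def parse(text):
    """Group one-line 'add' commands by menu path: {path: [params, ...]}."""
    menus = {}
    for line in text.splitlines():
        path, sep, args = line.strip().partition(" add ")
        if sep and path.startswith("/"):
            params = dict(a.split("=", 1) for a in args.split() if "=" in a)
            menus.setdefault(path, []).append(params)
    return menus

def lint(text):
    """Return a list of cross-reference problems found in the config text."""
    m = parse(text)
    vlans = m.get("/interface vlan", [])
    pools = Counter(p["name"] for p in m.get("/ip pool", []))
    ports = {p["interface"]: p["bridge"] for p in m.get("/interface bridge port", [])}
    issues = []
    for v in vlans:  # assumed naming convention: vlan<id>-<label>
        hint = re.match(r"vlan(\d+)", v["name"])
        if hint and hint.group(1) != v["vlan-id"]:
            issues.append(f"{v['name']}: name says {hint.group(1)}, vlan-id={v['vlan-id']}")
    dup = Counter((v["interface"], v["vlan-id"]) for v in vlans)
    issues += [f"vlan-id {vid} defined {n} times on {parent}" for (parent, vid), n in dup.items() if n > 1]
    issues += [f"pool {name} defined {n} times" for name, n in pools.items() if n > 1]
    for d in m.get("/ip dhcp-server", []):
        if d["address-pool"] not in pools:
            issues.append(f"dhcp-server {d['name']}: pool {d['address-pool']} is not defined")
        if d["interface"] in ports:  # server must sit on the bridge, not a port
            issues.append(f"dhcp-server {d['name']}: {d['interface']} is a port of {ports[d['interface']]}")
    return issues
```

Calling `lint(SAMPLE)` reports five problems; a configuration whose VLAN ids, pool names and DHCP bindings are consistent returns an empty list.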

Hi, thank you all for help. I was able to set it up (problem was in SWITCH, I did not set ports and VLANs - now I have it and it’s working).
But now I have a new big issue. I have got a trunk port on MT router, there I have got connected another MT router, and I am not able to set it right.

MT Router #1
ether2 - VLAN10, VLAN20, VLAN30

Connected to ether1 MT Router #2.

How to set router #2 this way

ether1 - input for VLAN10, VLAN20, VLAN30
ether2 - VLAN10 (IPs from DHCP on router #1)
ether3 - VLAN20 (IPs from DHCP on router #1)
ether4 - VLAN20 (IPs from DHCP on router #1)

Thank you.

Hello everyone,
I am having the same issue as micheal. I tried all I could and all my configuration was right; I even updated my router, maybe that's the problem. Still my PC is unable to receive an IP address from my router RB2011UIAS DHCP after configuring VLAN. When I connect my PC to ether 9, I receive no; even with a static IP I can't reach the gateway. Please help.

interface vlan> print
Flags: X - disabled, R - running, S - slave

NAME MTU ARP VLAN-ID INTERFACE

0 vlan10-admin 1500 enabled 10 ether3
1 vlan20-trusted 1500 enabled 20 ether3
2 vlan30-public 1500 enabled 30 ether3

/interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge-10" mtu=auto actual-mtu=1500 l2mtu=1594 arp=enabled
arp-timeout=auto mac-address=E4:8D:8C:21:CB:84 protocol-mode=rstp
priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s transmit-hold-count=6
ageing-time=5m

1 R name="bridge-20" mtu=auto actual-mtu=1500 l2mtu=1594 arp=enabled
arp-timeout=auto mac-address=E4:8D:8C:21:CB:84 protocol-mode=rstp
priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s transmit-hold-count=6
ageing-time=5m

2 R name="bridge-30" mtu=auto actual-mtu=1500 l2mtu=1594 arp=enabled
arp-timeout=auto mac-address=E4:8D:8C:21:CB:84 protocol-mode=rstp
priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s transmit-hold-count=6
ageing-time=5m

/interface bridge port> print
5 I vlan10-admin bridge-10 0x80 10 none
6 I vlan20-trusted bridge-20 0x80 10 none
7 I vlan30-public bridge-30 0x80 10 none
8 ether9 bridge-10 0x80 10 none
9 I ether10 bridge-20 0x80 10 none

/ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

4 10.0.0.1/24 10.0.0.0 bridge-10
5 10.0.1.1/24 10.0.1.0 bridge-20
6 10.0.2.1/24 10.0.2.0 bridge-30

/ip dhcp-server> print
Flags: X - disabled, I - invalid

NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP

0 dhcp1 bridge1 dhcp_pool1 2d
1 10 bridge-10 10 10m
2 20 bridge-20 20 10m
3 30 bridge-30 30 10m

/ip dhcp-server network> print

ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN

0 10.0.0.0/24 10.0.0.1
1 10.0.1.0/24 10.0.1.1
2 10.0.2.0/24 10.0.2.1

/ip pool> print

NAME RANGES

10 10.0.0.2-10.0.0.254
3 20 10.0.1.2-10.0.1.254
4 30 10.0.2.2-10.0.2.254

Most straightforward would be a pure L2 approach and just configure the switch chip on the second router (provided that there is no additional filtering that you want to do):

/interface ethernet switch port
set ether1 vlan-mode=secure
set ether2 default-vlan-id=10 vlan-mode=secure
set ether3 default-vlan-id=20 vlan-mode=secure
...

/interface ethernet switch vlan
add switch=switch1 vlan-id=10 ports=ether1,ether2
add switch=switch1 vlan-id=20 ports=ether1,ether3
...

Other solutions include DHCP relay and what not, but that’s probably not what you’re looking for.


Your export is not the easiest to read:
-I’d certainly prefer using export instead of print
-using code tags helps

That said I can’t see anything obviously wrong from what you’ve posted. But perhaps I’m missing something. Can you provide:
-/interface export
-/ip address export
-/ip pool export
-/ip dhcp export

Also, are you filtering (e.g. /ip firewall filter)?

Hi, thank you very much. I solved it, using switch chip. The solution with bridging does not work (for me), but SWITCH CHIP is working just fine. Thank you very much.

I was able to learn IP address on ether9 and ether10 through DHCP.
The issue now is, how do I configure inter-VLAN for PC on ether9 to ping PC on ether10 … this is my export config, assuming ether 8 is to be used as trunk port

/ip address
add address=192.168.0.254/24 interface=bridge1 network=192.168.0.0
add address=192.168.2.2/24 interface=ether1 network=192.168.2.0
add address=192.168.1.2/24 interface=ether2 network=192.168.1.0
add address=192.168.10.1/24 interface=bridge2-vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=bridge3-vlan20 network=192.168.20.0

interface vlan export 
/interface vlan
add interface=ether9 name="ETHER9=VLAN10" vlan-id=10
add interface=ether10 name="ETHER20=VLAN20" vlan-id=20
add interface=ether8 name=TRUNK vlan-id=30

> interface bridge export
/interface bridge
add name=bridge2-vlan10
add name=bridge3-vlan20
/interface bridge port
add bridge=bridge2-vlan10 interface="ETHER9=VLAN10"
add bridge=bridge3-vlan20 interface="ETHER20=VLAN20"

/ip dhcp-server
add address-pool=dhcp_pool5 disabled=no interface=bridge2-vlan10 name=dhcp2
add address-pool=dhcp_pool6 disabled=no interface=bridge3-vlan20 name=dhcp3

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1

/ip pool
add name=dhcp_pool5 ranges=192.168.10.2-192.168.1
add name=dhcp_pool6 ranges=192.168.20.2-192.168.2

/interface ethernet switch port
set 9 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
set 10 default-vlan-id=20 vlan-header=add-if-missing vlan-mode=secure

including this

[code]
/interface ethernet switch vlan
add ports=ether8,ether9 switch=switch2 vlan-id=10
add ports=ether8,ether10 switch=switch2 vlan-id=20
[/code]

Don’t know whether you’ve cracked this yet, but provided that you have not set any firewall rules or bridge filters that would block traffic, the default behaviour of the router is that it will route, hence no additional settings are needed to do inter-VLAN routing.

That said, your setup looks funky to me. It’s a bit of software-based VLAN, a bit of switch-chip-based VLAN (which will not communicate with the rest of RouterOS as you haven’t included the CPU as a port). Also, your trunk port looks awkward (VLAN 10 and 20 in switch chip, VLAN 30 in software). The sheer existence of this port also suggests that there is another router at play here, but perhaps you’re confusing the concept of trunk with that of ‘modem uplink’, in which case you should terminate all VLANs on the Mikrotik and just route. I suggest you read up a little bit more on network theory and consult the Mikrotik manual.