WAN-port in bridge vs routed

RouterOS is quite complex, so I need some clear looks on the matter :)

Right now I have: Cable_modem → switch port (vlan20) → RB5009_ether1 (WAN)
I need some ports at L2 with the cable modem and that is very simple: just configure another switch port as ‘access vlan20’. Ergo, another untagged switch port in VLAN20. This traffic will never flow across the router.

Now I’d like to change this to Cable_modem → RB5009_ether1 (WAN) AND RB5009_ether5 (LAN) → switch port (VLAN20)

Normally, I would just:

  • create VLAN20 interface on ether_5 (LAN)
  • add ether1(WAN) to a bridge, let’s call it WAN-BRIDGE
  • Bridge VLAN20 with the WAN-BRIDGE

However, with all the options like fast track, L2 HW-acceleration, L3 HW-acceleration and what not, I’m not sure this is the right way to do it.
I believe it is also possible to make one bridge with both LAN and WAN interfaces added to it and [insert magic here]. Can someone point me to an example of this please?

The way is to have a single bridge with all ports as members. Then you “partition” your bridge into two logical halves by enabling vlan-filtering and setting different PVIDs on the ports of the different partitions.

E.g.:

# Create bridge
/interface/bridge
add name=bridge
# Add all ports to same bridge
/interface/bridge/port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8

# "partition" bridge into two halves: WAN with VID=100 and LAN with VID=200
# all ports are on "cable side" still untagged/native/whatever
/interface/bridge/port
# first WAN "partition"
set [ find interface=ether1 ] pvid=100
set [ find interface=ether8 ] pvid=100
# then LAN "partition"
set [ find interface=ether2 ] pvid=200
set [ find interface=ether3 ] pvid=200
set [ find interface=ether4 ] pvid=200
set [ find interface=ether5 ] pvid=200
set [ find interface=ether6 ] pvid=200
set [ find interface=ether7 ] pvid=200
#
# Set up interfaces through which CPU will be able to "talk" to networks
/interface/vlan
add name=LAN interface=bridge vlan-id=200
add name=WAN interface=bridge vlan-id=100
# The next part is crucial ... without it, CPU won't be able to "talk to bridge partitions"
/interface/bridge/vlan
add bridge=bridge tagged=bridge vlan-ids=100
add bridge=bridge tagged=bridge vlan-ids=200
#
# Add LAN IP setup to interface=LAN ... also add LAN interface to LAN interface list ... and add WAN interface to WAN interface list, default firewall config relies on this done properly
#
# At the end, enable VLAN filtering to make "bridge partitioning" active
/interface/bridge
set [ find name=bridge ] vlan-filtering=yes

Thank you. Appreciate the thorough response. I’m not completely there with understanding yet. I’ll have to add a DHCP-client to “WAN” interface and a DHCP-server to “LAN” interface as those are the L3 points (nothing special there). However, you talk about interface lists. Can’t you refer to the interface names themselves in firewall rules instead of indirectly via a list? I understand if you have more than one interface in a specific VLAN, lists are a convenience.

ps: I’ve removed the entire default FW-config (and broke IPsec in the process as it doesn’t agree with fast track).

/interface/vlan
add name=LAN interface=bridge vlan-id=200
add name=WAN interface=bridge vlan-id=100

Whatever works for you. I’m a bit of a fan of the default firewall filter rules (and I’m pretty convinced that they make a better firewall than many of the implementations by “advanced” MT admins on professional-line devices, which don’t have a default config). And the default firewall setup relies heavily on the use of a couple of interface lists. Just one example of why it’s a good thing: if you change (or even add) a WAN interface and you use interface lists, you simply add/change the interface list membership (and you’re done). If you use interfaces in firewall rules, then you have to change (or even add) a number of rules.

Interface lists are vital if you use the default firewall and nat rules, as they make use of them.

/ip firewall filter
# input chain: traffic addressed to the router itself
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface-list=!LAN
# forward chain: traffic passing through the router; note the in-interface-list matchers
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

It is not advised to modify these defaults if you don’t really know (yet) where your towel is.

There is the risk of being locked out of the device, and BTW the usual advice, particularly when fiddling with VLANs or complex bridge settings, is to have a port taken out of everything (and marked as LAN in the interface list) to access/manage the router in case of issues, see:
http://forum.mikrotik.com/t/rb5009-in-the-hands-of-a-newbie-gateway-problem/180795/1
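Two of the points above fail silently: the bridge VLAN entry with tagged=bridge that lets the CPU reach each partition, and the interface-list membership the default firewall rules match on. The following checker is an added example (not from the thread, not MikroTik's code) that parses a RouterOS-style export and flags those two omissions plus vlan-filtering left off; the SAMPLE export is constructed here with two defects planted.

```python
import re
from collections import defaultdict
# Constructed sample (not the thread's export) with two planted defects: no bridge VLAN entry for VID 200, WAN vlan interface in no list.
SAMPLE = """
/interface/bridge
add name=bridge vlan-filtering=yes
/interface/vlan
add name=LAN interface=bridge vlan-id=200
add name=WAN interface=bridge vlan-id=100
/interface/bridge/vlan
add bridge=bridge tagged=bridge vlan-ids=100
/interface/list/member
add interface=LAN list=LAN
/ip/firewall/filter
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=forward connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
"""
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value tokens, quoted values allowed

def parse(text):
    """Group the add/set lines of a RouterOS export under their /path section."""
    cfg, section = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith(("add ", "set ")):  # 'set [ find name=x ] ...' yields name=x too
            cfg[section].append({k: v.strip('"') for k, v in KV.findall(line)})
    return cfg

def audit(text):
    """Return messages for the three pitfalls discussed in the thread (empty list = clean)."""
    cfg, findings = parse(text), []
    bridges = {}  # merge 'add name=x ...' with later 'set [ find name=x ] ...' lines
    for b in cfg["/interface/bridge"]:
        bridges.setdefault(b["name"], {}).update(b)
    for name, b in bridges.items():
        if b.get("vlan-filtering") != "yes":
            findings.append(f"{name}: vlan-filtering is off, PVID partitioning is inactive")
    # VIDs on which the bridge itself (the CPU side) is a tagged member
    cpu_vids = {vid for v in cfg["/interface/bridge/vlan"] for vid in v["vlan-ids"].split(",")
                if v["bridge"] in v.get("tagged", "").split(",")}
    for vi in cfg["/interface/vlan"]:
        if vi["interface"] in bridges and vi["vlan-id"] not in cpu_vids:
            findings.append(f"{vi['name']}: VID {vi['vlan-id']} has no bridge VLAN entry with tagged={vi['interface']}, the CPU cannot reach this partition")
    members = defaultdict(set)  # list name -> interfaces; the defconf rules match on lists
    for m in cfg["/interface/list/member"]:
        members[m["list"]].add(m["interface"])
    used = {r[k].lstrip("!") for r in cfg["/ip/firewall/filter"] + cfg["/ip/firewall/nat"]
            for k in ("in-interface-list", "out-interface-list") if k in r}
    for lst in sorted(l for l in used if not members[l]):
        findings.append(f"firewall references interface list {lst}, which has no members")
    return findings
```

Run `audit()` over the output of `/export` before you type `vlan-filtering=yes` on a remote box; an empty list means the CPU keeps a path into every partition and the default rules have lists to match on.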

What is not clear to me is the fixation with vlan20.
Is this a vlan where the ISP provides internet traffic tagged with vlan20,
OR
is this just the vlan you set up on the switch to move ISP traffic from the modem to the router?

Regardless, it’s not the switch that decides anything; the entire DHCP setup and vlan setup is done at the ROUTER, and
a trunk port goes to the switch to
a. receive ISP traffic from the modem (you used vlan20)
b. receive the management vlan from the router (all smart devices should get their IP from the management vlan)
c. receive any other data vlans the 5009 creates for dispersal on the rest of the switch’s ports.

Now with the switch behind the router, nothing much has changed, except that vlan20 carrying the ISP traffic to the router is no longer required as there is a direct connection.
The management vlan and data vlans are still required on a trunk port to the switch.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thanks for the pointers guys. I’ve got it working now in the most optimal configuration.

Anav, it is option number 3, just an arbitrary VLAN. There are now 2 switches in between router and modem. On the first switch, where the modem is connected, there are also some wired clients. So when I max out my internet (1Gbps download) from a host (or hosts) on upstream SW2, and hosts on SW1 simultaneously communicate with hosts on upstream SW2 (which can’t be internet traffic in that case), they can in fact exceed the 1G trunk’s bandwidth between SW1 and SW2. I left it out of my info as logically it wouldn’t make a difference to the issue at hand.

So yeah, OCD I guess :)