gerakon
Member Candidate
Topic Author

First attempt at making VLANs work in Router OS

Wed Oct 21, 2015 4:55 am

I've mostly followed the instructions here
http://wiki.mikrotik.com/wiki/Manual:CRS_examples

When I plug into ether24, I expect to get an IP from dhcp_poolUntrusted but I don't get an address. I've gotta be missing something easy.

Also, there seems to be quite a bit of documentation for the CRS series VLANs, but can all of the VLAN commands be used on other devices like the RB2011? I plan on setting up a VLAN trunk between the CRS and the RB2011 when I get this first part figured out.
Thanks,
Gerakon
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] 
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] master-port=ether2
set [ find default-name=ether8 ] master-port=ether2
set [ find default-name=ether9 ] master-port=ether2
set [ find default-name=ether10 ] master-port=ether2
set [ find default-name=ether11 ] master-port=ether2
set [ find default-name=ether12 ] master-port=ether2
set [ find default-name=ether13 ] master-port=ether2
set [ find default-name=ether14 ] master-port=ether2
set [ find default-name=ether15 ] master-port=ether2
set [ find default-name=ether16 ] master-port=ether2
set [ find default-name=ether17 ] master-port=ether2
set [ find default-name=ether18 ] master-port=ether2
set [ find default-name=ether19 ] master-port=ether2
set [ find default-name=ether20 ] master-port=ether2
set [ find default-name=ether21 ] master-port=ether2
set [ find default-name=ether22 ] master-port=ether2
set [ find default-name=ether23 ] master-port=ether2
set [ find default-name=ether24 ] comment=Untrusted master-port=ether2

/interface vlan
add interface=ether2 l2mtu=1584 name=vlan30 vlan-id=30
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether24

/ip pool
add name=dhcp_poolUntrusted ranges=172.16.12.100-172.16.12.200
add name=dhcp_poolTrusted ranges=172.16.10.100-172.16.10.150

/ip dhcp-server
add address-pool=dhcp_poolUntrusted disabled=no interface=vlan30 lease-time=8m name=dhcpUntrusted
add address-pool=dhcp_poolTrusted disabled=no interface=ether2 lease-time=12h name=dhcpTrusted

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=30 ports=ether24 sa-learning=yes

/interface ethernet switch vlan
add ports=ether24 vlan-id=30

/ip address
add address=172.16.10.1/24 interface=ether2 network=172.16.10.0
add address=172.16.12.1/24 interface=vlan30 network=172.16.12.0

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1

add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.12.0/24 dns-server=172.16.12.1 gateway=172.16.12.1
 
gerakon
Member Candidate
Topic Author

Re: First attempt at making VLANs work in Router OS

Wed Oct 21, 2015 5:01 am

Should also mention it is a CRS125-1S-RM running 6.32.2
 
skuykend
Member Candidate

Re: First attempt at making VLANs work in Router OS

Wed Oct 21, 2015 7:22 am

Think you just need to tag vlan 30 back to the cpu.
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=30
The RB2011 uses different switch programming (more simplistic) but supports VLANs just fine.
 
skuykend
Member Candidate

Re: First attempt at making VLANs work in Router OS

Wed Oct 21, 2015 7:27 am

Oh, and should add the cpu so it can talk to vlan30 as well:

May need to put in entries for vlan-id 0 as well for the untagged if you decide to secure the other ports as well.
/interface ethernet switch vlan
add ports=ether24,switch1-cpu vlan-id=30
 
gerakon
Member Candidate
Topic Author

Re: First attempt at making VLANs work in Router OS

Wed Oct 21, 2015 3:53 pm

I added both of those lines and still not getting an IP....

I also tried
/interface ethernet switch unicast-fdb flush
from the wiki.

This Untrusted network I just want to get access to the internet and not talk to anything else on my trusted networks. I'm just playing with port 24 to learn VLANs, then I'll switch the rest to VLANs as well.

Thanks for the help.
 
gerakon
Member Candidate
Topic Author

Re: First attempt at making VLANs work in Router OS

Mon Oct 26, 2015 1:10 am

Can anyone see what I'm doing wrong?
 
becs
MikroTik Support

Re: First attempt at making VLANs work in Router OS

Mon Oct 26, 2015 10:58 am

I agree. Both commands suggested by skuykend should make it work.
Maybe just recheck the "/ip dhcp-server network" section, because I found it missing in your posted configuration.
 
gerakon
Member Candidate
Topic Author

Re: First attempt at making VLANs work in Router OS

Mon Oct 26, 2015 6:56 pm

Sorry I missed posting that. Here it is. I will reboot over lunch and see if that does anything.

I have also tried 2 different client devices, and neither one showed an IP in Leases on the router or on the Windows device.

Otherwise backup the config and reset? I can probably do that tonight.

/ip dhcp-server network
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.12.0/24 dns-server=172.16.12.1 gateway=172.16.12.1
 
troffasky
Member

Re: First attempt at making VLANs work in Router OS

Mon Oct 26, 2015 10:54 pm

You might get a bit further if you make your VLAN testing a bit more VLAN-focused, as there are non-VLAN reasons why a DHCP server might not work. For example, if you do a packet capture on a troublesome port, are you seeing packets being VLAN tagged when they shouldn't be or vice versa?
 
gerakon
Member Candidate
Topic Author

Re: First attempt at making VLANs work in Router OS

Tue Oct 27, 2015 2:59 am

I tried attaching a capture file, but no matter the extension it says invalid extension on the forum when I try to attach it to the post. Even happens with no extension.

The packet capture on port 24 from a second USB NIC on my computer shows broadcasts from devices on the untagged VLAN, which seems wrong to me.

Packet captures done on the Mikrotik from both port 24 and vlan30 are completely empty.
/tool sniffer
set file-limit=10000KiB file-name=cap.cap filter-interface=ether24 memory-limit=10000KiB
/tool sniffer
set file-limit=10000KiB file-name=cap.cap filter-interface=vlan30 memory-limit=10000KiB

During each packet capture I unplugged and plugged in ether24 to force a DHCP request.
 
gerakon
Member Candidate
Topic Author

Re: First attempt at making VLANs work in Router OS

Tue Oct 27, 2015 3:14 am

Sorry, it looks like when I pasted the lines from skuykend it didn't add switch1-cpu to VLAN30. I will test further, but I'm short on time at the moment. Just didn't want anyone to spend more time on this. I am interested in why I was seeing broadcasts from the untagged network....
 
skuykend
Member Candidate

Re: First attempt at making VLANs work in Router OS

Tue Oct 27, 2015 7:09 am

You should probably upgrade to 6.32.3.
There was a bug where the switch settings that drop invalid vlans wouldn't be retained after a reboot. That could have caused your leakage, so recheck if those settings are now blank.
 
gerakon
Member Candidate
Topic Author

Re: First attempt at making VLANs work in Router OS

Tue Oct 27, 2015 3:18 pm

I get DHCP and internet now works from VLAN30/ether24. Thank you everyone.

Upgraded to 6.32.3. The drop invalid vlans rule was missing so I put it back. I also put in a firewall rule to drop anything from vlan30 to anything other than wan. When I plug into ether24 and run wireshark I'm still seeing ARPs from the 172.16.10.0 network. I'm assuming that I shouldn't see anything from that network? Here's an updated export.
# oct/27/2015 08:08:05 by RouterOS 6.32.3

/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ]
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether2
set [ find default-name=ether8 ] master-port=ether2
set [ find default-name=ether9 ] master-port=ether2
set [ find default-name=ether10 ] master-port=ether2
set [ find default-name=ether11 ] master-port=ether2
set [ find default-name=ether12 ] master-port=ether2
set [ find default-name=ether13 ] master-port=ether2
set [ find default-name=ether14 ] master-port=ether2
set [ find default-name=ether15 ] master-port=ether2
set [ find default-name=ether16 ] master-port=ether2
set [ find default-name=ether17 ] master-port=ether2
set [ find default-name=ether18 ] master-port=ether2
set [ find default-name=ether19 ] master-port=ether2
set [ find default-name=ether20 ] master-port=ether2
set [ find default-name=ether21 ] master-port=ether2
set [ find default-name=ether22 ] master-port=ether2
set [ find default-name=ether23 ] master-port=ether2
set [ find default-name=ether24 ] comment=Untrusted master-port=ether2

/interface vlan
add interface=ether2 l2mtu=1584 name=vlan30 vlan-id=30

/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether24

/ip pool
add name=dhcp_poolUntrusted ranges=172.16.12.100-172.16.12.200
add name=dhcp_poolTrusted ranges=172.16.10.100-172.16.10.150
/ip dhcp-server
add address-pool=dhcp_poolUntrusted disabled=no interface=vlan30 lease-time=8m name=dhcpUntrusted
add address-pool=dhcp_poolTrusted disabled=no interface=ether2 lease-time=12h name=dhcpTrusted
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=30
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=30 ports=ether24 sa-learning=yes
/interface ethernet switch vlan
add ports=ether24,switch1-cpu vlan-id=30
/ip address
add address=172.16.10.1/24 interface=ether2 network=172.16.10.0
add address=172.16.12.1/24 interface=vlan30 network=172.16.12.0

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server network
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.12.0/24 dns-server=172.16.12.1 gateway=172.16.12.1

/ip firewall filter
add chain=forward comment="Allow Established Connections Forward" connection-state=established
add chain=input protocol=ipsec-esp src-address-list="VPN Addresses"
add chain=input port=1701,500,4500 protocol=udp src-address-list="VPN Addresses"
add chain=input comment="Allow Established Connections Input" connection-state=established
add action=drop chain=forward dst-address=0.0.0.0/0 log=yes log-prefix=ServerTryingToGetOut src-address=172.16.10.20
add chain=input comment="Allow ICMP" protocol=icmp src-address-list=management-servers
add chain=input comment="Allow Related Connections Input" connection-state=related
add chain=forward comment="Allow Related Connections Forward" connection-state=related
add chain=input comment="Allow Management to connect via 21,22,23,80,443,8291" dst-port=21,22,23,80,443,8291 protocol=tcp src-address-list=management-servers
add action=drop chain=input comment="default configuration" in-interface=ether1
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" dst-port=20561 protocol=udp
add action=drop chain=input comment="block mikrotik discovery" dst-port=5678 protocol=udp
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=input dst-port=21,22,23,80,443,8291 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=forward in-interface=vlan30 log=yes log-prefix="Untrusted attempt - " out-interface=!ether1

/tool sniffer
set file-limit=10000KiB file-name=cap.cap filter-interface=ether23 memory-limit=10000KiB
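As an added example that is not part of this thread, here is a small Python check that reads a RouterOS export and reports the things the replies pointed at: switch1-cpu missing from the switch VLAN table, no egress-vlan-tag entry for the CPU, no /ip dhcp-server network for the VLAN subnet, and the drop-if-invalid setting that skuykend said could vanish after a reboot on 6.32.2. The export parser, the function names and the sample export are my own construction and not MikroTik's tooling.

```python
import ipaddress
import re
# Constructed sample in the shape of the export in this thread: switch1-cpu is
# missing from the switch VLAN table and there is no dhcp-server network for vlan30.
SAMPLE_EXPORT = """
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether24
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=30
/interface ethernet switch vlan
add ports=ether24 vlan-id=30
/ip address
add address=172.16.12.1/24 interface=vlan30 network=172.16.12.0
/ip dhcp-server network
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
"""

def parse_export(text):
    # Group each menu's add/set lines into dicts of key=value pairs (quoted values kept whole)
    menus, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif current is not None and line.split(" ", 1)[0] in ("add", "set"):
            current.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return menus

def has_port(entries, key, port, vid):
    return any(e.get("vlan-id") == vid and port in e.get(key, "").split(",") for e in entries)

def audit_vlan(export_text, vid, vlan_iface, access_ports):
    """Return the misconfigurations that kept DHCP on this VLAN from working."""
    m, findings = parse_export(export_text), []
    # 1. the CPU port must be a VLAN member, otherwise the router never sees the frames
    if not has_port(m.get("/interface ethernet switch vlan", []), "ports", "switch1-cpu", vid):
        findings.append(f"vlan {vid}: switch1-cpu missing from switch vlan table")
    # 2. frames towards the CPU must keep their tag so /interface vlan can pick them up
    if not has_port(m.get("/interface ethernet switch egress-vlan-tag", []), "tagged-ports", "switch1-cpu", vid):
        findings.append(f"vlan {vid}: no egress-vlan-tag entry for switch1-cpu")
    # 3. the DHCP server needs a /ip dhcp-server network entry matching the VLAN subnet
    nets = {e.get("address") for e in m.get("/ip dhcp-server network", [])}
    for a in m.get("/ip address", []):
        if a.get("interface") == vlan_iface:
            net = str(ipaddress.ip_interface(a["address"]).network)
            if net not in nets:
                findings.append(f"{vlan_iface}: no dhcp-server network for {net}")
    # 4. the drop-invalid setting went missing after a reboot on 6.32.2; confirm it is still present
    sw = m.get("/interface ethernet switch") or [{}]
    dropped = sw[0].get("drop-if-invalid-or-src-port-not-member-of-vlan-on-ports", "").split(",")
    findings += [f"{p}: not covered by drop-if-invalid-or-src-port-not-member-of-vlan" for p in access_ports if p not in dropped]
    return findings
```

Run it over `/export` output with the VLAN id, the /interface vlan name and the access ports you expect to be isolated; an empty list means all four conditions hold.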
 
troffasky
Member

Re: First attempt at making VLANs work in Router OS

Tue Oct 27, 2015 7:20 pm

I'm no expert on this but why would the master port for 24 be a port that is in a different VLAN if you only want one VLAN on that port?
 
gerakon
Member Candidate
Topic Author

Re: First attempt at making VLANs work in Router OS

Tue Oct 27, 2015 7:36 pm

It does seem a little counterintuitive, but I think that if you are ever going to trunk all of your VLANs to another device they all need to have the same master port so that the switch chip is handling things instead of the CPU. I plan to trunk all of the VLANs to something like the RB850x2 and have that handle routing between VLANs and the internet when I get a little better with VLANs on Mikrotik.

That is what was suggested in the manual.
http://wiki.mikrotik.com/wiki/Manual:CR ... Based_VLAN

Edit: Feel free to correct me on any of that if I'm wrong, because I very well might be.
