CRS328-24P-4S+ VLAN Setup Problem

stonie2oo4 · Sun May 06, 2018 10:17 pm

Hello,

I have some Problems to setup my VLAN config. I hope someone can help me al little.
I have a new CRS328-24P-4S+ with RouterOS 6.42.1.

In my current Test Setup ether1 goes to the Router and ether24 to a PC.
VLAN10 should be for management the switch. This point works in my current setup.
And VLAN20 should be for PCs. This point doesnt work. I got no connection. And I cant figure out why.
I used parts from this manual:
https://wiki.mikrotik.com/wiki/Manual:CRS_Router

Here is my current setup:

/interface bridge
add name=bridge vlan-filtering=no

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether24 pvid=20

/interface vlan
add interface=bridge name=MGMT vlan-id=10
/ip address
add address=192.168.99.2/24 interface=MGMT
/ip route
add gateway=192.168.99.1

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=10

/interface bridge vlan
add bridge=bridge tagged=ether1 untagged="ether24" vlan-ids=20

/interface bridge
set bridge vlan-filtering=yes

CZFan · Mon May 07, 2018 12:33 am

Add bridge as tagged for VLAN's 20

stonie2oo4 · Mon May 07, 2018 5:03 pm

Sorry, I dont understand.
Is there a need to have more than one bridge?
And all ports are on this one bridge?

My question is, because when I add a second bridge, i cant add ether1 on this bridge as tagged vlan20 because ether1 is already in the first bridge.

I want to have ether1 as uplink to router and there should be VLAN10, VLAN20, VLAN30 as tagged port.
And ether24 as VLAN20 untagged for a PC.

CZFan · Mon May 07, 2018 7:41 pm

No, what I meant was add bridge as tagged under bridge vlan, but ignore this as I see you will not be using the CRS as a router and as far as I know this is only required when the CRS is being used as both switch and router.

Did you enable vlan filtering, if not, think you need to enable it, but before you do that, make sure you have a backup of the config on your pc as you will lose connectivity to the CRS if vlan not setup properly

stonie2oo4 · Tue May 08, 2018 12:15 am

Yes I enabled VLAN filtering after setup.
After that I can connect to the Switch via VLAN10 (ether1).

But the PC on ether24 who should be on VLAN20 gets no connection.

CZFan · Tue May 08, 2018 1:20 am

I am still learning VLAN's on Mikrotik but would assume you do have access, but layer 2 only. I would think that you will need to add VLAN's 20 to interface vlan and assign it to the bridge

stonie2oo4 · Tue May 08, 2018 3:36 pm

I have tested to add VLAN20 in interface and assign it to the bridge.
But it doesnt work too.
I dont get it what I do wrong.

I have also an older CRS226-24G-2S+ with the old Switch-VLAN config.
I also needed some time to set it up, but in all was it mutch easier.

I dont understand why this setup based on the wiki doesnt work.

CZFan · Tue May 08, 2018 7:11 pm

I think it will be best if we can see full config, post results of export hide-sensitive

stonie2oo4 · Tue May 08, 2018 7:41 pm

# may/08/2018 18:35:53 by RouterOS 6.42.1
# software id = Z205-XFJA
#
# model = CRS328-24P-4S+
# serial number = 8223082D26D9
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=MGMT vlan-id=10
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24 pvid=20
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether24 vlan-ids=20
/ip address
add address=10.10.10.2/24 interface=MGMT network=10.10.10.0
/ip cloud
set update-time=no
/ip dns
set servers=10.10.10.1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=10.10.10.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes primary-ntp=10.10.10.1
/system routerboard settings
set boot-os=router-os silent-boot=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

CZFan · Tue May 08, 2018 9:49 pm

I think there is a need for information on your end goal.

The ay I see your current config, packets coming in on port 24 will be tagged and go out tagged to the router on trunk port ether1.

To access the switch from access port, I think you have to set the the bridge pvid to the same as access port pvid, i.e. 20. This will provide layer 2 access to the switch from that port, if you need layer 3 access here, you also need to assign an IP Address to the bridge.

stonie2oo4 · Wed May 09, 2018 12:10 am

I want on ether1 the trunk port to router. Ether1 should be tagged VLAN10 and VLAN20. I want access to switch for management over VLAN10 (ether1). This already works.

Ether24 should be access port VLAN20 and only untagged. But when I put in a PC on ether24, I get no connection.

CZFan · Wed May 09, 2018 1:41 am

Explain "... I get no connection " no connection to what, router or switch? No layer 2 connection or no layer 3 connection, again, to what?

stonie2oo4 · Wed May 09, 2018 10:19 am

Sorry my english is not the best.
I got no connection to both.
In the router I have a dhcp Server for VLAN20, but i get no address when i connect a PC to port24.
Also when I set the IP on the PC manually, I cant ping switch or router. I think I should not be able to ping switch from VLAN20? Because the switch address is only in VLAN10.

DHCP Server works fine, because with my current zyxel switch it works too.
But I want replace my zyxel with the mikrotik.

VLAN10 = Management
VLAN20 = PCs (Internet)

Layer2 or Layer3 I dont no. How can I test it?

CZFan · Wed May 09, 2018 2:21 pm

No problem, not so much a language problem, but limited info problem.

Based on what you described and the document you referenced, I can't see why it is not working, unfortunately I do not have a CRS3xx to play with, so reached my limit here, maybe sindy / sob will chip in if I missed anything.

Just as a test, can you change the following line:

add bridge=bridge1 tagged=ether1 untagged=ether24 vlan-ids=20 to add bridge=bridge1 tagged=bridge1,ether1 untagged=ether24 vlan-ids=20

stonie2oo4 · Wed May 09, 2018 3:59 pm

I already tested it, without improvement.
For my understanding is only needed for my management VLAN10 for access to the switch, when device is used as switch, as in my case.
Only when used as router must bridge also tagged on trunk port.

CZFan · Wed May 09, 2018 5:13 pm

I already tested it, without improvement.
For my understanding is only needed for my management VLAN10 for access to the switch, when device is used as switch, as in my case.
Only when used as router must bridge also tagged on trunk port.

I am in agreement with you 100% (As far as my knowledge goes), just thought worth a test, maybe log a call at support@mikrotik.com, send a full config file and supout file and explain problem.

Will be interesting what they will reply with, so if you do not mind, please update once you have a solution

CZFan · Thu May 10, 2018 12:41 am

On 2nd thought, if your router is a Mikrotik router, post the configuration here so we can double check that

RoadkillX · Thu May 10, 2018 1:49 am

Try this:

- Create bridge1 add ether1 and ether24.
- add vlan 10 tagged ether1
- add vlan 20 tagged ether1 untagged 24
- add interface vlan10 vlan-id 10 interface ether1 (set ip address)
- enable bridge vlan filtering

/interface bridge
add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether24

/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether24 vlan-ids=20

/interface vlan
add interface=ether1 name=VLAN_MGMT vlan-id=10

/ip address
add address=192.168.99.2/24 interface=VLAN_MGMT network=192.168.99.0

i'm asuming your router already accepts incoming tagged frames for vlan10 and 20 and you have dhcp configured on the router. i have this working on a CRS112 but on the switch chip not bridged, i believe when bridges are used the cpu is used.

stonie2oo4 · Sat May 12, 2018 11:47 am

@CZFan
I have sent an email to mikrotik support, maybe they can help me.

I dont want to post my full export, because there are to mutch private stuff

.
Maybe I can post some parts from the export?
Which parts are necessary?

I must remind you that my current setup works till 1-2years without problem, therefore I think the problem is not the router setup.
Thats my current setup:

And that should be my new setup:

I want to have all products from mikrotik. I think its easier for me for management, if it works....

@RoadkillX
I have tested your proposal, but unfortunately it doesnt work too.
Its the same problem. VLAN10 Management works, I have access to the switch, but VLAN20 PC get no Lease from DHCP server.

RoadkillX · Sat May 12, 2018 1:13 pm

Can you check that the switch connected to port24 is not tagging vlan20 across the port since the crs328 expects untagged traffic incoming on ether24. Or on the CRS328 switch ether24 in the vlan bridge from untagged to tagged for vlan20 and see if it works. i really can't see any other problems.

*Have you configured a mgmt vlan interface on the CRS226? Can you reach that ip from the ccr or crs328? you shouldn't be able to since the crs328 is not tagging vlan10 across ether24, try the above.

stonie2oo4 · Sat Jun 02, 2018 8:19 pm

Ok, now it works like in the first post described.
I make a big mistake. I had for testing purpose between the router and the crs328 another switch and I forgot to tag VLAN20 on that switch.
Sorry and thanks for all your help.

emunt6 · Thu Jul 19, 2018 12:45 am

Hi!
According to your setup:
----------------------------------------------------------------
VLAN10: management the switch
VLAN20: should be for PCs

eth1: router (trunk: tagged vlan10 and tagged vlan20)
eth2- eth24: PC (vlan-20: untagged)
----------------------------------------------------------------

Each vlan represent a brXX interface,
Each trunk port need to add vlan interfaces: ethX.XX
One logical trunk interface needed, add every trunk interface here: br0
Add each trunk interface's vlan interface to the brXX to have access: br10,br20

# reset switch config
$> /system reset skip-backup=yes no-defaults=yes

# br0 will be the trunk bridge
$> /interface bridge add comment=TRUNK name=br0 protocol-mode=none vlan-filtering=yes

# br10 will be the vlan10 bridge
$> /interface bridge add comment=VLAN10 name=br10 pvid=10 vlan-filtering=yes

# br20 will be the vlan20 bridge
$> /interface bridge add comment=VLAN20 name=br20 pvid=20 vlan-filtering=yes

# add vlan interface for eth1:  vlan10 tagged + vlan20 tagged: eth1.10, eth1.20
$> /interface vlan add interface=eth1 name=eth1-vlan10 vlanid=10
$> /interface vlan add interface=eth1 name=eth1-vlan20 vlanid=20

# assign eth1 to br0
$> /interface bridge port add bridge=br0 frames-type=admit-only-vlan-tagged interface=eth1

# assign eth1.10 to br10: VLAN10 managment
$> /interface bridge port add bridge=br10 frames-type=admit-only-untagged-and-priority-tagged interface=eth1-vlan10

# assign eth1.20 and (eth2 to eth24) to br20: VLAN20 PCs:
$> /interface bridge port add bridge=br20 frames-type=admit-only-untagged-and-priority-tagged interface=eth1-vlan20
$> /interface bridge port add bridge=br20 frames-type=admit-only-untagged-and-priority-tagged interface=eth2
...
$> /interface bridge port add bridge=br20 frames-type=admit-only-untagged-and-priority-tagged interface=eth24

# add management ip-address - as you want: VLAN10
$> /ip address add address=192.168.10.10/24 interface=br10 network=192.168.10.0

Thats all.

CRS328-24P-4S+ VLAN Setup Problem

CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Re: CRS328-24P-4S+ VLAN Setup Problem

Who is online