VLANS between Mikrotik Devices

Posted: Tue Jul 17, 2018 4:31 pm
by usdmatt
I'm currently trying and failing to get a simple vlan working between a few Mikrotik devices (Unfortunately I seem to have ended up with a mix of devices which doesn't help). The more I look into it, the more different configuration guides I come across, and the whole lot is just making less and less sense. I'm not even sure if I should be using bridge or switch settings or both anymore.

Currently everything is running on the default untagged VLAN and I need to keep basic connectivity working.

CRS125=[ether1] <----> [ether2]=CSS326=[ether1] <---> [ether2]=RB2011

I'd be happy at this point to just have a vlan10 interface on the CRS125 and RB2011 and get ping working between them.

The CSS is configured with both ports set to VLAN "enabled", default 1, and an ID 10 entry in the vlan table with both ports ticked. I *think* that should be enough to allow those two ports to pass vlan 10 traffic.

What's the minimal config to have a vlan10 interface on a CRS125 & RB2011 to allow them to talk to each other? Can I just use bridge VLAN config or do I need to mess with switch settings? The CRS125 seems to have a bunch more switch VLAN options, including a load of dynamic vlan4095 config - does that need to be modified?

Re: VLANS between Mikrotik Devices

Posted: Wed Jul 18, 2018 2:55 am
by diddie17
I guess in terms of how you configure it, it probably depends on what your other requirements are, including routing requirements between the VLANs.

I have a CRS125 as my core switch, and multiple hAP ACs (mostly Lite with one standard) and one SwOS switch, all running with 3 VLANs across them. With the CRS and the hAP APs I use the switch chip configuration as you get wire speed switching that way. If you do it with VLAN filtering on the bridge then you need to use the CPU and will lose significant performance.

I don't have an RB2011. It uses Atheros8327 (ether1-ether5+sfp1); Atheros8227 (ether6-ether10) which on paper looks similar to the Atheros 8227 that the hAP AC Lites have. Having said that, so does the QCA8337 that the hAP AP has and I've just been through a battle getting that working as the config is totally different.

Is this a production or a home config? If it's home then you could dedicate ports at the links to experiment and move the cables around. If it's production then it's a bit harder.

What version of RouterOS are you running as the configs will vary depending on whether before or after v6.41?

I could post some examples from my home configs, but I'm not sure they are production quality and I'm hesitant to do that without understanding more about the target environment, your goals and the consequences if it doesn't work.

Just as a last note. In terms of the dynamic VLAN 4095, that threw me for a while too, until I noticed on my CRS that the only ports that belonged to it were ports that I didn't have a cable plugged into. My config has VLAN config for every port though, so yours might vary. What I can tell you for sure is that I haven't had to touch the dynamic VLANs.

Re: VLANS between Mikrotik Devices

Posted: Wed Jul 18, 2018 11:23 am
by usdmatt
Thanks for the reply.

I assume if the RB2011 has access to both VLANs then routing will *just work*; not that I actually need it in this instance. All I really need at the moment is a couple of workstations on a separate LAN, with their own gateway address on the RB2011 (which I'll then NAT to a different public IP).

It's in production although it's just our own LAN so it's not the end of the world if it goes down although I'd like to avoid it...

Would be useful to see your VLAN config using the switch chip on the CRS125. Performance isn't a massive concern but if I'm looking into how to get VLANs working on these devices, I may as well learn the best performance option. On the CRS125 all I really need to do is get some ports on VLAN 10, then tag this traffic out ether1. Only minor complication is that ether1 needs to also continue to handle the default VLAN traffic, although I suspect having ether1 fully tagged with 1 or 10 would probably still work. As you mention, it seems only down ports are in the 4095 VLAN.

Everything is running a recent OS. I was quite happy to see the master/slave stuff go, even if I got quite good at it.

Re: VLANS between Mikrotik Devices

Posted: Wed Jul 18, 2018 12:02 pm
by pe1chl
There is no real difference between the master/slave stuff; when you set up a bridge and put a couple of ports in it with hw accel on, that behaves mostly like a master with some slave ports.
When you add a VLAN subinterface to the bridge, the tagged VLAN will appear on all the member ports of the bridge.

Things start to become different when you want to use the new bridge functions to have tagged and untagged member ports of specific VLANs inside your bridge.
However, for a config like you are drawing that is not really necessary, you can take ether2 on the RB2011 out of the bridge and configure it as a standalone port,
with VLAN subinterfaces for the tagged VLANS, just like it always was.

Re: VLANS between Mikrotik Devices

Posted: Wed Jul 18, 2018 12:58 pm
by usdmatt
At the moment I'm just concentrating on the CRS125 as this is becoming far more of a major undertaking than I expected. I know it's my own lack of routeros understanding, but adding a few access ports and trunks seems far more awkward than anything else I've ever used.

I have a device plugged into port 24 of the smart switch set to vlan10, and port 2 (uplink to CRS) is a member of this vlan - I have a single entry in the vlan table for vlan10 with ports 2 & 24 ticked.

On the CRS everything is currently bridged, with a vlan10 sub-interface on the bridge.
Switch VLAN Table: ether1 is a member of vlan10
Switch Eg. Tag: vlan10 tagged on ether1

This is pretty much what the Trunk/Hybrid wiki pages describe.

The test device has IP 192.168.10.12/24, and the CRS is 192.168.10.11/24.

With the above config I don't see ping requests coming in from the test device at all... unless I enable vlan filtering on the bridge, which doesn't seem to be mentioned in the wiki examples. Regardless, whether I have bridge vlan filtering on or off, no traffic seems to hit the vlan10 sub interface, and I get no ping replies. Is something else required to get the vlan switch ports talking to a local vlan interface or are my settings just completely wrong?

Re: VLANS between Mikrotik Devices

Posted: Wed Jul 18, 2018 2:35 pm
by pe1chl
You assign IP address/subnet to the VLAN interfaces.
Unless you have firewall rules, this automatically means they are routed.

Re: VLANS between Mikrotik Devices

Posted: Wed Jul 18, 2018 3:53 pm
by diddie17
It sounds like you are almost there, but I would avoid the VLAN filtering on the bridge in combination with the switch chip. I think it's one or the other, but someone might come along and correct me any minute :-)

As a starting point I would try to stick to connecting on the CRS first without using the switch. Once you have proven the CRS is doing VLANs correctly then it is easier to move onto the switch; otherwise you have both the CRS and switch as variables in terms of the way they are handling VLANs. Can you dedicate an access port on the CRS for test device connectivity?

A good way to check the status of VLAN communications is to use the Mikrotik Torch function on the bridge or the VLAN sub interface. On the bridge you would want to open Torch, stop the capture as changes to the filter only happen when you stop and restart the capture, click on the vlan checkbox and restart. You will now see all traffic running through the bridge, with the VLAN id shown. When using Torch on the VLAN sub interface, the VLAN field always seems to be blank, but given you are only looking at the sub interface for the VLAN, any traffic going through it is clearly on that VLAN.

The below is a subset of my CRS config, but I think from what you described it is the same as what you are doing. This config is working for me in a home environment, but I am not a networking or Mikrotik expert and can make no claims to this being best practice. I'm also very happy to have my mistakes pointed out by others, as I'm sure there are some in there :-)

Also worth noting, and you will see from the gateway, the fact that VLANs 200 & 300 have no assigned IP addresses and the fact that ports 1, 21 and 23 go to a separate router, that I do no routing on the CRS itself. This is likely to mean that your config is different, although the VLAN config should be similar.

This is edited slightly to remove complexity around my config that you probably don't have and cut down significantly to remove CAPsMAN etc. config, so it is possible that there may be some small mistakes in there, but it will give you the main idea of the approach I have taken.
# jul/17/2018 02:45:04 by RouterOS 6.42.6
# software id = V17F-QGMR
#
# model = CRS125-24G-1S

/interface bridge
add name=bridge1 protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] comment="vlan 100 - Router"
set [ find default-name=ether17 ] comment="Trunk for Testing"
set [ find default-name=ether18 ] comment="Trunk 1"
set [ find default-name=ether19 ] comment="Trunk 2"
set [ find default-name=ether20 ] comment="Trunk 3"
set [ find default-name=ether21 ] comment="vlan 200 - Router"
set [ find default-name=ether22 ] comment="vlan 200 - Access Port"
set [ find default-name=ether23 ] comment="vlan 300 - Router"
set [ find default-name=ether24 ] comment="vlan 300 - Access Port"

/interface vlan
add comment="Internal Zone" interface=bridge1 name=vlan100 vlan-id=100
add comment="Second Zone" interface=bridge1 name=vlan200 vlan-id=200
add comment="Guest Zone" interface=bridge1 name=vlan300 vlan-id=300

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp1


/interface ethernet switch egress-vlan-tag
add tagged-ports=ether17,ether18,ether19,ether20,switch1-cpu vlan-id=100
add tagged-ports=ether17,ether18,ether19,ether20,switch1-cpu vlan-id=200
add tagged-ports=ether17,ether18,ether19,ether20,switch1-cpu vlan-id=300

/interface ethernet switch ingress-vlan-translation
add new-customer-vid=100 ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7\
    ,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16"
add new-customer-vid=200 ports=ether21,ether22
add new-customer-vid=300 ports=ether23,ether24

/interface ethernet switch vlan
add ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9\
    ,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,\
    ether18,ether19,ether20,switch1-cpu" vlan-id=100
add ports=ether17,ether18,ether19,ether20,ether21,ether22 vlan-id=200
add ports=ether17,ether18,ether19,ether20,ether23,ether24 vlan-id=300

/ip address
add address=192.168.250.20/24 interface=vlan100 network=192.168.250.0

/ip route
add distance=1 gateway=192.168.250.1

Re: VLANS between Mikrotik Devices

Posted: Wed Jul 18, 2018 4:15 pm
by usdmatt
I think I might actually have it working!!

In the end it seemed to come down to needing the cpu interface adding to the relevant vlans on both ends. I guess routeros won't handle packets destined for addresses assigned to itself over a vlan unless the cpu interface is a member of that vlan. If you're not trying to access the VLAN directly from the router/switch, including the cpu interface probably isn't necessary.

Don't know if anyone can spot any obvious issues with this config -

CRS -

Switch VLAN: vlan10 containing ether1-uplink & switch1-cpu
Switch Eg. Tag: vlan10, tag on ether1 & switch1-cpu (<-- this seems to be important, guess packets need to be tagged going up to the cpu)
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-uplink,switch1-cpu vlan-id=10
/interface ethernet switch vlan
add ports=ether1-uplink,switch1-cpu vlan-id=10

RB2011 -

Switch VLAN: vlan10 containing ether2-uplink & switch1-cpu
/interface ethernet switch vlan
add independent-learning=no ports=ether2-lan-uplink,switch1-cpu switch=switch1 \
    vlan-id=10

When using Torch on the VLAN sub interface, the VLAN field always seems to be blank

I'd expect that as it's basically an access port. Traffic coming into the interface will be stripped and presented untagged. Egress traffic from the vlan interface will get tagged.
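The thing usdmatt found the hard way (switch1-cpu has to be in the switch VLAN table and in the egress-vlan-tag entry for any VLAN that has an /interface vlan on the bridge) is easy to check mechanically. The script below is an added example, not code from this thread or from MikroTik: it parses a RouterOS export into sections of key=value entries (joining the backslash line continuations that exports use) and reports every /interface vlan whose vlan-id the switch chip would not deliver tagged to the CPU. The CPU port name switch1-cpu is taken from the configs above; the sample export is constructed and modelled on the CRS config in the thread, with vlan20 left in the 'before' state.

```python
"""Lint a RouterOS export for the CRS switch-chip pitfall discussed in this thread:
a VLAN that RouterOS itself must talk on needs switch1-cpu in both the switch VLAN
table and the egress-vlan-tag entry, or the CPU never sees tagged frames for it."""
import re

# Constructed sample: vlan10 is wired like usdmatt's working config,
# vlan20 has the CPU port in the VLAN table but not in the egress tag entry.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 protocol-mode=none
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-uplink,switch1-cpu vlan-id=10
add tagged-ports=ether1-uplink vlan-id=20
/interface ethernet switch vlan
add ports="ether1-uplink,ether2,\\
    switch1-cpu" vlan-id=10
add ports=ether1-uplink,ether3,switch1-cpu vlan-id=20
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for add/set lines of an export."""
    joined = re.sub(r"\\\n\s*", "", text)   # RouterOS wraps long values with a trailing backslash
    cfg, section = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):             # section header such as /interface ethernet switch vlan
            section = line
            cfg.setdefault(section, [])
        elif section and line.split()[0] in ("add", "set"):
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)
            cfg[section].append({k: v.strip('"') for k, v in pairs})
    return cfg

def port_set(entry, key):
    return {p.strip() for p in entry.get(key, "").split(",") if p.strip()}

def check_cpu_membership(cfg, cpu="switch1-cpu"):
    """List VLAN interfaces whose VLAN the switch chip will not deliver tagged to the CPU."""
    table = {e["vlan-id"]: e for e in cfg.get("/interface ethernet switch vlan", [])}
    egress = {e["vlan-id"]: e for e in cfg.get("/interface ethernet switch egress-vlan-tag", [])}
    findings = []
    for v in cfg.get("/interface vlan", []):
        vid = v["vlan-id"]
        if vid not in table:
            findings.append(f"{v['name']}: no switch VLAN table entry for vlan-id {vid}")
        elif cpu not in port_set(table[vid], "ports"):
            findings.append(f"{v['name']}: {cpu} missing from switch VLAN table for vlan-id {vid}")
        if cpu not in port_set(egress.get(vid, {}), "tagged-ports"):
            findings.append(f"{v['name']}: {cpu} not tagged in egress-vlan-tag for vlan-id {vid}")
    return findings

if __name__ == "__main__":
    for finding in check_cpu_membership(parse_export(SAMPLE_EXPORT)):
        print("WARN", finding)
```

Run it against `/export` output from a real CRS to see which bridge VLANs the router will silently be unable to reach; the same check does not apply to a VLAN that is only switched through, which is exactly the case usdmatt notes where the CPU port is not needed.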