florid
newbie
Topic Author
Posts: 28
Joined: Wed Dec 20, 2017 6:27 am

VLAN segregation and bridge setting

Tue Jul 24, 2018 8:28 am

I am using a hEX PoE router for my home.
The SFP interface connects to the WAN.
eth1-2 are the local LAN network.
eth3-4 connect to IP cams using PoE.
eth5 is a trunk interface that connects to a Cisco AP. I created a VLAN interface (vlan80) under eth5. The Cisco AP has two VLANs: one is the default VLAN, the other is vlan80.

I created a bridge (bridgeLAN) for eth1-2 and eth5, and another bridge (bridgeIoT) for eth3-4 and vlan80.
The SFP WAN port is not in any bridge.
bridgeLAN and bridgeIoT use different IP scopes and address pools.
Right now everything works fine. Only the ports under bridgeLAN show hardware offloading.
bridgeLAN cannot talk to bridgeIoT, which is what I want. If I need to allow hosts in bridgeIoT to talk to bridgeLAN, I need to create firewall rules. So the traffic between the two bridges is L3 routing using the CPU, right?

After reading the wiki a couple of times, I still do not really understand the 'new' bridge and VLAN concept. My questions are:
  • If I want to enable hardware offloading for all LAN ports (eth1-5), am I only allowed to create one bridge?
  • If I bridge eth1-5 and create VLAN interfaces under that bridge, how can I isolate the traffic between the local LAN and the local IoT network?
  • The WAN port does not need to join any bridge, right?
Many thanks.
 
CZFan
Forum Guru
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN segregation and bridge setting  [SOLVED]

Tue Jul 24, 2018 12:06 pm

If I want to enable hardware offloading for all LAN ports (eth1-5), am I only allowed to create one bridge?
Correct.

If I bridge eth1-5 and create VLAN interfaces under that bridge, how can I isolate the traffic between the local LAN and the local IoT network?
Create 2 VLANs on the bridge, one for LAN and another for IoT, then create FW rules to prevent routing between them.

The WAN port does not need to join any bridge, right?
Correct.
MTCNA, MTCTCE, MTCRE & MTCINE
 
florid
newbie
Topic Author
Posts: 28
Joined: Wed Dec 20, 2017 6:27 am

Re: VLAN segregation and bridge setting

Tue Jul 24, 2018 2:40 pm

Thanks, @CZFan.
I followed the wiki and came up with the configuration below. I haven't tested it in production yet. Would you please take a look? I appreciate your time.
I want to achieve this: the eth5-ap trunk port leads to the Cisco AP, which has vlan10 (native) and vlan80; eth1 and eth2 are in vlan10, eth3 and eth4 in vlan80.
I am also trying to work out which port I should be connected to so that I do not lock myself out during the configuration change.

/interface bridge
# one bridge for all LAN ports; VLAN filtering stays off until the port and VLAN tables are in place
add name=bridge1 vlan-filtering=no

/interface bridge port
# eth5-ap: trunk to the Cisco AP
add bridge=bridge1 interface=eth5-ap
# access ports: pvid assigns untagged ingress frames to the port's VLAN
add bridge=bridge1 interface=eth1-Pi pvid=10
add bridge=bridge1 interface=eth2-nas pvid=10
add bridge=bridge1 interface=eth3-cam1 pvid=80
add bridge=bridge1 interface=eth4-cam2 pvid=80

/interface bridge vlan
# VLAN membership table: tagged on the trunk, untagged on the access ports
add bridge=bridge1 tagged=eth5-ap untagged=eth1-Pi,eth2-nas vlan-ids=10
add bridge=bridge1 tagged=eth5-ap untagged=eth3-cam1,eth4-cam2 vlan-ids=80

/interface vlan
# L3 interfaces for the router CPU, created on the bridge itself
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan80 vlan-id=80

/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.80.1/24 interface=vlan80 network=192.168.80.0

# enable filtering last, after everything above is in place
/interface bridge set bridge1 vlan-filtering=yes
 
CZFan
Forum Guru
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN segregation and bridge setting

Tue Jul 24, 2018 7:19 pm

Looks fine to me. Remember that if you have DHCP etc. on the device, you will also have to add the bridge as tagged.
MTCNA, MTCTCE, MTCRE & MTCINE
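To make CZFan's two points concrete (one VLAN-filtered bridge with firewall rules between the VLANs, and the bridge itself listed as a tagged member so DHCP and the other CPU-side services see the VLANs), here is an added, complete single-bridge configuration. It is example code written for this page, not florid's draft and not MikroTik documentation. It assumes the interface names from the thread (eth1-Pi, eth2-nas, eth3-cam1, eth4-cam2, eth5-ap), that the WAN port is named sfp1, that the NAS has the static address 192.168.10.20, that the Cisco AP carries VLAN 10 untagged (native) and VLAN 80 tagged, that the old bridgeLAN/bridgeIoT and the vlan80-on-eth5 interface have already been removed, and that the router's own DNS resolver and WAN NAT are configured separately. It is meant to be pasted in one go into a terminal session opened in Safe Mode, so the vlan-filtering flip is the last command and a lost session rolls everything back. eth1-Pi and eth2-nas end up as untagged VLAN 10 ports, so a PC with a static address in 192.168.10.0/24 on one of them reaches 192.168.10.1 as soon as filtering is on.

```routeros
# Added example, not florid's draft or MikroTik's own documentation.
# Assumed: interface names from the thread, WAN port sfp1, NAS at 192.168.10.20,
# AP with VLAN 10 native and VLAN 80 tagged, old bridges already removed.
# Paste everything in one terminal session started with Safe Mode (Ctrl-X).

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# trunk to the AP: untagged ingress becomes VLAN 10 (native), VLAN 80 arrives tagged
add bridge=bridge1 interface=eth5-ap pvid=10 ingress-filtering=yes \
    frame-types=admit-all
# access ports accept untagged frames only, so a host cannot tag its way into another VLAN
add bridge=bridge1 interface=eth1-Pi pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=eth2-nas pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=eth3-cam1 pvid=80 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=eth4-cam2 pvid=80 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# bridge1 itself is a tagged member of both VLANs: that is what delivers the frames
# to the CPU, so vlan10/vlan80, the DHCP servers and the firewall actually see them
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=eth1-Pi,eth2-nas,eth5-ap
add bridge=bridge1 vlan-ids=80 tagged=bridge1,eth5-ap untagged=eth3-cam1,eth4-cam2

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan80 vlan-id=80

/interface list
add name=LAN
add name=IOT
add name=WAN
/interface list member
add list=LAN interface=vlan10
add list=IOT interface=vlan80
add list=WAN interface=sfp1

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.80.1/24 interface=vlan80

# DHCP is bound to the VLAN interfaces, never to bridge1 itself
/ip pool
add name=pool-lan ranges=192.168.10.100-192.168.10.199
add name=pool-iot ranges=192.168.80.100-192.168.80.199
/ip dhcp-server
add name=dhcp-lan interface=vlan10 address-pool=pool-lan disabled=no
add name=dhcp-iot interface=vlan80 address-pool=pool-iot disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.80.0/24 gateway=192.168.80.1 dns-server=192.168.80.1

/ip firewall address-list
add list=nas address=192.168.10.20 comment="NAS (assumed static address)"

/ip firewall filter
# router itself: the untrusted camera VLAN may only use DHCP and DNS on the router
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=IOT protocol=udp dst-port=67,53
add chain=input action=accept in-interface-list=IOT protocol=tcp dst-port=53
add chain=input action=drop in-interface-list=IOT
add chain=input action=drop in-interface-list=WAN
# between VLANs: LAN may open connections to IoT, IoT may only reach the NAS
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=IOT out-interface-list=LAN \
    dst-address-list=nas
add chain=forward action=drop in-interface-list=IOT out-interface-list=LAN
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat

# last step: switch filtering on (inside Safe Mode, so a lost session reverts it)
/interface bridge set bridge1 vlan-filtering=yes
```

The interface lists keep the firewall readable and survive renaming a VLAN; the forward rules are ordered so that the one IoT-to-NAS exception sits before the IoT-to-LAN drop, and replies flow back only through the established,related rule. The cameras' recording stream still crosses from vlan80 to vlan10 through the CPU, which is what florid's original two-bridge setup does as well.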
 
mkx
Forum Guru
Posts: 2930
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN segregation and bridge setting

Tue Jul 24, 2018 8:25 pm

Looks fine to me. Remember that if you have DHCP etc. on the device, you will also have to add the bridge as tagged.
Wouldn't it be better to bind such services (e.g. the DHCP server) to particular VLAN interfaces?
BR,
Metod
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: VLAN segregation and bridge setting

Tue Jul 24, 2018 8:44 pm

Kind of related to this. In my case, both of my routers are used EXCLUSIVELY for routing. Each physical port is either a trunk carrying multiple VLANs to a smart switch, or a specific LAN going to a switch. The same LAN never appears on more than one physical port.
Is there any reason in this case to use a bridge? I have never created one. Using an RB750r2 and an RB750Gr3.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
mkx
Forum Guru
Posts: 2930
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN segregation and bridge setting

Tue Jul 24, 2018 9:07 pm

@k6ccc ... I wouldn't create a bridge in the case you described.

In one of my installations I have just the opposite: even the physical interface carrying the WAN is part of the bridge. The reason is that the ISP provides IPTV via a VLAN and I am just carrying that VLAN through to that particular LAN. The WAN gets its own VLAN and is terminated in the router itself.

So yes, one has to consider the needs and preferably implement the least complicated solution.
BR,
Metod
 
k6ccc
Member
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: VLAN segregation and bridge setting

Tue Jul 24, 2018 10:49 pm

Thanks mkx. That was what I thought...
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
mkx
Forum Guru
Posts: 2930
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN segregation and bridge setting

Tue Jul 24, 2018 11:26 pm

I might add ... I see a bridge as a sort of switch. That view somehow helps me decide which interfaces belong to it and which don't.

If one needs to switch (forward unfiltered and unchanged) traffic between interfaces (physical, VLAN or any other), then it makes sense to create a bridge (or two). If traffic needs to be routed/filtered, then using a bridge would be counter-productive, as one would have to prevent the bridge from forwarding packets "behind the router's back". Sure, there are ways of doing it, but why bother?

When considering the dilemma of creating a single bridge or several, it should be noted that currently only one bridge can have HW offload active. Using a second (third, ...) bridge comes with a performance penalty, and because of that it is better to separate traffic by using VLANs. That might be a bit messy if one isn't used to VLANs. Plus the current implementation of VLAN-related bridge settings in ROS is IMHO slightly confusing. Using several bridges would be a more straightforward way of solving certain tasks and will become feasible when the performance limitation is removed.
BR,
Metod
 
xvo
Member
Posts: 416
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: VLAN segregation and bridge setting

Wed Jul 25, 2018 1:38 am

(florid's opening post quoted in full)
The hEX PoE doesn't support HW offloading on a bridge with VLAN filtering enabled.
So it may sound strange, but in your situation it can be better to leave things as they are: bridgeLAN will have HW offloading and bridgeIoT will have VLAN filtering.
The other possibility is to build the configuration not on the /bridge menu but on the /switch menu: the QCA8337 switch chip itself is VLAN capable.
 
CZFan
Forum Guru
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN segregation and bridge setting

Wed Jul 25, 2018 1:48 am

Looks fine to me. Remember that if you have DHCP etc. on the device, you will also have to add the bridge as tagged.
Wouldn't it be better to bind such services (e.g. the DHCP server) to particular VLAN interfaces?

Yes, you must bind DHCP etc. services to the relevant VLAN, but you must also provide access to the CPU for these services, which you do by adding the bridge as tagged, else the services won't work.
MTCNA, MTCTCE, MTCRE & MTCINE
 
florid
newbie
Topic Author
Posts: 28
Joined: Wed Dec 20, 2017 6:27 am

Re: VLAN segregation and bridge setting

Wed Jul 25, 2018 2:37 am

Thanks, CZFan and xvo.
The reason I am looking for HW offloading is that my two IP cams have constant traffic (15 Mbps) from vlan80 to the NAS (the NAS only has one NIC and does not support a trunk interface) in vlan10. The cams are physically installed outside my house, so I want to put them in a separate 'untrusted' VLAN.
The hEX PoE CPU is usually around 5%-8% in the current setup.

I want to see whether enabling HW offloading on all ports will reduce CPU usage a little bit.

I know creating different bridges is quite straightforward for logical network segregation. The bridge VLAN concept is a bit confusing. If the hEX PoE does not support HW offloading when bridge VLAN filtering is enabled, then I will just follow xvo's suggestion and leave the current setup.

Thank you all for your suggestions and comments. :)
 
mkx
Forum Guru
Posts: 2930
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN segregation and bridge setting

Wed Jul 25, 2018 11:32 am

Looks fine to me. Remember that if you have DHCP etc. on the device, you will also have to add the bridge as tagged.
Wouldn't it be better to bind such services (e.g. the DHCP server) to particular VLAN interfaces?
Yes, you must bind DHCP etc. services to the relevant VLAN, but you must also provide access to the CPU for these services, which you do by adding the bridge as tagged, else the services won't work.
I'm confused again. In my installation, where I use a few VLANs, my bridge doesn't know anything about VLANs. Indeed, I configure most things in the /interface ethernet switch section, including VLANs, so my bridge is actually a dummy switch. I just create VLAN interfaces for any VLAN I need to have L3 access to from the router CPU (and I make sure switch-cpu is also a member of the given VLAN).

As @florid has already created the vlan10 and vlan80 interfaces (and set IP addresses on them), I guess he could also bind the DHCP server(s) to those same interface(s) and it should work?
BR,
Metod
 
CZFan
Forum Guru
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN segregation and bridge setting

Wed Jul 25, 2018 8:27 pm

Looks fine to me. Remember that if you have DHCP etc. on the device, you will also have to add the bridge as tagged.
Wouldn't it be better to bind such services (e.g. the DHCP server) to particular VLAN interfaces?
Yes, you must bind DHCP etc. services to the relevant VLAN, but you must also provide access to the CPU for these services, which you do by adding the bridge as tagged, else the services won't work.
I'm confused again. In my installation, where I use a few VLANs, my bridge doesn't know anything about VLANs. Indeed, I configure most things in the /interface ethernet switch section, including VLANs, so my bridge is actually a dummy switch. I just create VLAN interfaces for any VLAN I need to have L3 access to from the router CPU (and I make sure switch-cpu is also a member of the given VLAN).

As @florid has already created the vlan10 and vlan80 interfaces (and set IP addresses on them), I guess he could also bind the DHCP server(s) to those same interface(s) and it should work?

If you remove switch-cpu (in the switch VLAN config) or the bridge (in the bridge VLAN config) from your VLAN config, DHCP etc. services will stop working on the VLANs if the DHCP service/server is running on this device.
MTCNA, MTCTCE, MTCRE & MTCINE
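The switch-chip variant that xvo suggested and mkx described (the bridge stays a dumb switch, the VLAN table lives under /interface ethernet switch, and switch1-cpu is a member of every VLAN that needs an L3 interface, which is the point CZFan makes about the CPU port) as an added example written for this page, not configuration posted in the thread or taken from MikroTik's documentation. It assumes a hEX PoE (RB960PGS) whose QCA8337 appears as switch1 with CPU port switch1-cpu, the interface names from the thread, and an AP that tags both VLAN 10 and VLAN 80 on eth5-ap: the switch chip's vlan-header setting applies per port, so a port that must emit VLAN 10 untagged and VLAN 80 tagged at the same time is not expressed cleanly here, and the native-VLAN design from florid's draft is replaced by an all-tagged trunk. The vlan-mode=secure setting on switch1-cpu comes last, after the CPU port is already in both VLANs, and the block is meant to be applied in Safe Mode.

```routeros
# Added example of the /interface ethernet switch approach; not from the thread
# or from MikroTik docs. Assumed: hEX PoE (RB960PGS) with switch1/switch1-cpu,
# interface names from the thread, AP trunk with BOTH VLANs tagged on eth5-ap.
# Apply in Safe Mode (Ctrl-X); the CPU port goes to secure mode last.

/interface bridge
# plain bridge, vlan-filtering left off: the switch chip does the VLAN work
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=eth1-Pi
add bridge=bridge1 interface=eth2-nas
add bridge=bridge1 interface=eth3-cam1
add bridge=bridge1 interface=eth4-cam2
add bridge=bridge1 interface=eth5-ap

/interface ethernet switch vlan
# membership table first; switch1-cpu sits in every VLAN that gets an L3 interface,
# otherwise DHCP/DNS on the router never see that VLAN's frames
add switch=switch1 vlan-id=10 ports=eth1-Pi,eth2-nas,eth5-ap,switch1-cpu
add switch=switch1 vlan-id=80 ports=eth3-cam1,eth4-cam2,eth5-ap,switch1-cpu

/interface ethernet switch port
# access ports: untagged ingress is assigned default-vlan-id, tags are stripped on egress;
# secure mode drops frames whose VLAN the port is not a member of
set eth1-Pi vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set eth2-nas vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set eth3-cam1 vlan-mode=secure vlan-header=always-strip default-vlan-id=80
set eth4-cam2 vlan-mode=secure vlan-header=always-strip default-vlan-id=80
# trunk to the AP: every frame leaves tagged (VLAN 10 and 80 both tagged)
set eth5-ap vlan-mode=secure vlan-header=add-if-missing
# CPU port last: frames reach the CPU tagged, so the vlan interfaces on bridge1 pick them up
set switch1-cpu vlan-mode=secure vlan-header=add-if-missing

/interface vlan
# L3 side is unchanged: VLAN interfaces on the bridge, DHCP/firewall bound to them
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan80 vlan-id=80
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.80.1/24 interface=vlan80
```

Forwarding between eth1-Pi, eth2-nas and eth5-ap inside VLAN 10 (and between the camera ports and eth5-ap inside VLAN 80) is then done by the switch chip; only traffic that crosses VLANs, and the DHCP/DNS/firewall work, goes through the CPU, which is the split florid is after. The DHCP servers and firewall rules are written against vlan10 and vlan80 exactly as in a bridge-VLAN setup and are omitted here.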
 
nichky
Long time Member
Posts: 526
Joined: Tue Jun 23, 2015 2:35 pm

Re: VLAN segregation and bridge setting

Thu Jul 26, 2018 1:50 am

florid, on which MikroTik do you have this configuration?
Nikola Suminoski
MikroTik Consultant
MTCRE l MTCWE

!) Safe Mode is your friend;
 
florid
newbie
Topic Author
Posts: 28
Joined: Wed Dec 20, 2017 6:27 am

Re: VLAN segregation and bridge setting

Thu Jul 26, 2018 2:11 am

florid, on which MikroTik do you have this configuration?
I am using a hEX PoE (RB960PGS). The configuration was not exported from the device; I drafted it according to the wiki page. I planned to have the experts check the configuration before implementing the change on my router. Right now it is not necessary, as I will just keep the existing setup.
