TheFox21
just joined
Topic Author
Posts: 12
Joined: Sat Mar 30, 2019 11:37 pm
Location: Vienna, Austria

Multiple VLANs with one Router as Default Gateway in each VLAN

Wed Apr 17, 2019 8:22 pm

Hi,

I have a basic understanding of how VLANs work, but I have some problems setting up my hEX correctly. I'm running a MikroTik hEX (MT7621) with RouterOS 6.44.2.

How can I put the hEX as a default gateway into multiple VLANs?

For example, I have two VLANs: VLAN 10 and VLAN 11. VLAN 10 uses 192.168.10.0/24. VLAN 11 uses 192.168.11.0/24. Now I want the hEX to be 192.168.10.1 as gateway in VLAN 10, and 192.168.11.1 as gateway in VLAN 11. I'm using ether1 as internet gateway over WAN. ether2 and ether3 should forward both VLANs 10 and 11. Switches are connected to ether2 and ether3, and they are working correctly.

I tried to put ether2 and ether3 into a bridge named "bridge1", enabled VLAN filtering (as described in the Wiki tutorial), assigned the bridge VLAN ports, and the VLANs worked perfectly for the two switches which are connected to ether2 and ether3. The hEX forwarded all normal frames and VLAN frames as expected. Now I also wanted to have the hEX itself reachable via VLANs as a default gateway. But since the bridge can only have one PVID, it sends the frames only into either one or the other VLAN. This works to have the hEX in VLAN 10. But then it's not reachable via VLAN 11, or vice versa.

I also tried to add one VLAN interface assigned to ether2 and VLAN 10, added another VLAN interface assigned to ether3 and VLAN 10, and put both VLAN interfaces into a bridge, the same for VLAN 11, but that also did not work.

How can I achieve this?
 
MasterXP
just joined
Posts: 24
Joined: Fri Jun 12, 2009 9:05 am

Re: Multiple VLANs with one Router as Default Gateway in each VLAN

Thu Apr 18, 2019 10:11 am

Hi friend,

The configuration on the MK depends on the config you have in your switch.

If your switch ports are configured as access ports, you don't have to do anything at the MikroTik; just add the IP address and mask on the interfaces (ether2 and ether3).

If your switch ports are configured as trunk, then you just need to add a VLAN interface below ether2 (remember to specify the VLAN ID), then add the IP address on the VLAN sub-interface (not on ether2)... then repeat the steps for ether3.
 
Jotne
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Multiple VLANs with one Router as Default Gateway in each VLAN

Thu Apr 18, 2019 10:19 am

VLAN on MT is somewhat complicated. There are many posts on the forum here with examples.
What you request can be done. Look at this Visio; it's somewhat what you request.
viewtopic.php?t=138232#p681516

VLAN 1 runs untagged in the bridge, and VLAN 20 runs tagged. Both with their own default GW:
10.10.1.1 for VLAN1
10.10.20.1 for VLAN20
 
WeWiNet
Member Candidate
Posts: 157
Joined: Thu Sep 27, 2018 4:11 pm

Re: Multiple VLANs with one Router as Default Gateway in each VLAN

Thu Apr 18, 2019 10:37 am

When you say "hex reachable via VLAN" what do you mean? Which services or functions?
The router itself can be accessed on L3/IP level, and can be reached from whatever subnet as long as you have set up access IP addresses etc. correctly.
Except if you set it up as switch only, but you say it's a gateway, so the above should be true.

Maybe you can provide more information what you want to achieve and what actually fails?
WeWiNet
 
TheFox21
just joined
Topic Author
Posts: 12
Joined: Sat Mar 30, 2019 11:37 pm
Location: Vienna, Austria

Re: Multiple VLANs with one Router as Default Gateway in each VLAN

Thu Apr 18, 2019 7:02 pm

I have got one modem (from my ISP) in bridge mode which is my gateway to the Internet. This is connected to Port 1 on the hEX.

I also have two switches and one MikroTik hEX. Let's call the switches Switch A and Switch B. Switch A is connected to the hEX on Port 2 and Switch B is connected to Port 3. hEX Port 4 and 5 are disabled.

The two switches are configured as port-based VLANs. There are multiple devices connected to both switches. Those devices are separated into VLAN 10 and VLAN 20. Both switches handle both VLANs. It's mixed.

I want to achieve that the hEX forwards all VLAN frames within my local network, which it does already very well by using just Port 2 and Port 3 in a bridge without any VLAN configuration.

Now I want to have the hEX available as a router in both VLANs, so that the devices within the VLANs not only can communicate with each other but also can use the hEX as a default gateway to the Internet.

For this purpose hEX should be 192.168.10.1 in VLAN 10 and 192.168.11.1 in VLAN 11.

Further I want hEX to be my DHCP server in each VLAN. So it must not only forward all VLAN 10 and 11 frames from Port 2 to 3 and from 3 to 2 but it must also have its own IP address in each VLAN reachable.

@WeWiNet
When you say "hex reachable via VLAN" what do you mean? Which services or functions?
I mean for example DHCP or DNS. So that the hEX itself is also part of the VLANs.
whatever subnet as long as you have set up access IP addresses etc. correctly.
This is the problem. I don't know how to set it up correctly. As I said in my first post, I have tried several ways, but nothing seems to work. When I just create a bridge and add Port 2 and Port 3 to this bridge, then turn on the VLAN filtering on this bridge, the bridge can only be available in one of the two VLANs at the same time. This is because I can put only one single VLAN ID into the PVID field. But I want the hEX to be able to communicate with both VLANs.

If I set the PVID on the bridge interface, it can only communicate with this one VLAN. When I set the PVID on the ethernet interface (Port 2, Port 3), they can only communicate with one VLAN. So I need Port 2 and Port 3 not only tagged but also untagged to be able to communicate with both VLANs and also forward frames from Port 2 to Port 3 and from Port 3 to Port 2.
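An added example configuration (not from any poster in this thread) for the setup asked about here: ether2 and ether3 are assumed to be tagged trunks for VLAN 10 and VLAN 11, the bridge itself is made a tagged member of both VLANs so the router's own vlan10/vlan11 interfaces see both, and the firewall only lets each VLAN reach the Internet (remove the last forward rule if VLAN-to-VLAN traffic is wanted). Interface, pool and DHCP names are assumptions.

```routeros
# Added example, not from the thread. Assumes ether2/ether3 are tagged trunks
# for VLAN 10 and 11 and that the bridge itself joins both VLANs tagged.
/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is enabled last"
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
# bridge1 as tagged member is what makes the router reachable in both VLANs
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2,ether3
add bridge=bridge1 vlan-ids=11 tagged=bridge1,ether2,ether3
# L3 interfaces live on the bridge, not on ether2/ether3
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge1
add name=vlan11 vlan-id=11 interface=bridge1
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.11.1/24 interface=vlan11
/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.199
add name=pool11 ranges=192.168.11.100-192.168.11.199
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
add name=dhcp11 interface=vlan11 address-pool=pool11 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.11.0/24 gateway=192.168.11.1 dns-server=192.168.11.1
/ip dns set allow-remote-requests=yes
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
/interface list
add name=LAN
/interface list member
add list=LAN interface=vlan10
add list=LAN interface=vlan11
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop in-interface=ether1 comment="resolver stays LAN-only"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=LAN out-interface=ether1
add chain=forward action=drop comment="no vlan10<->vlan11 and nothing else"
# switch on filtering last, from a session that does not run over bridge1
/interface bridge set bridge1 vlan-filtering=yes
```

Enabling vlan-filtering before bridge1 is a tagged member of a VLAN that carries your management session locks you out, which is why that line comes last.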
 
anav
Forum Guru
Posts: 2964
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple VLANs with one Router as Default Gateway in each VLAN

Thu Apr 18, 2019 7:33 pm

Without a diagram what you are asking seems overly complicated/confusing.
A clearer set of requirements without any discussion of solution would be useful.
I need users from group A to do this
I need users from group B to do this
and any other requirements without discussion of vlans or equipment.
Until the use cases are clear, any design attempt is going to bog down.
As the next poster states, once done, the config should be a snap.
Last edited by anav on Fri Apr 19, 2019 5:15 pm, edited 1 time in total.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Samot
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: Multiple VLANs with one Router as Default Gateway in each VLAN

Fri Apr 19, 2019 2:47 pm

I have got one modem (from my ISP) in bridge mode which is my gateway to the Internet. This is connected to Port 1 on the hEX.

I also have two switches and one MikroTik hEX. Let's call the switches Switch A and Switch B. Switch A is connected to the hEX on Port 2 and Switch B is connected to Port 3. hEX Port 4 and 5 are disabled.

The two switches are configured as port-based VLANs. There are multiple devices connected to both switches. Those devices are separated into VLAN 10 and VLAN 20. Both switches handle both VLANs. It's mixed.

I want to achieve that the hEX forwards all VLAN frames within my local network, which it does already very well by using just Port 2 and Port 3 in a bridge without any VLAN configuration.

Now I want to have the hEX available as a router in both VLANs, so that the devices within the VLANs not only can communicate with each other but also can use the hEX as a default gateway to the Internet.

For this purpose hEX should be 192.168.10.1 in VLAN 10 and 192.168.11.1 in VLAN 11.

Further I want hEX to be my DHCP server in each VLAN. So it must not only forward all VLAN 10 and 11 frames from Port 2 to 3 and from 3 to 2 but it must also have its own IP address in each VLAN reachable.

@WeWiNet
When you say "hex reachable via VLAN" what do you mean? Which services or functions?
I mean for example DHCP or DNS. So that the hEX itself is also part of the VLANs.
whatever subnet as long as you have set up access IP addresses etc. correctly.
This is the problem. I don't know how to set it up correctly. As I said in my first post, I have tried several ways, but nothing seems to work. When I just create a bridge and add Port 2 and Port 3 to this bridge, then turn on the VLAN filtering on this bridge, the bridge can only be available in one of the two VLANs at the same time. This is because I can put only one single VLAN ID into the PVID field. But I want the hEX to be able to communicate with both VLANs.

If I set the PVID on the bridge interface, it can only communicate with this one VLAN. When I set the PVID on the ethernet interface (Port 2, Port 3), they can only communicate with one VLAN. So I need Port 2 and Port 3 not only tagged but also untagged to be able to communicate with both VLANs and also forward frames from Port 2 to Port 3 and from Port 3 to Port 2.


Your statements are incorrect. I have numerous routers in the field (as do others, I'm sure) where there are multiple VLANs being filtered over the bridge. What makes you think this is only filtering a single VLAN at a time? You need to post your configuration with the hide-sensitive option to show your work.

This isn't very complicated and should take about 5 minutes to configure.
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Multiple VLANs with one Router as Default Gateway in each VLAN

Fri Apr 19, 2019 7:50 pm

What you are doing is very similar to what I am doing and it's not at all complicated. I am curious why you want two VLANs if part of your statement is that devices on one VLAN can communicate with devices on the other VLAN. If everything on both VLANs can communicate with each other, why separate them? In my case, for example on my Router #1, I have one internet connection, and seven LANs. Three of those have a dedicated port into the switch, and the other four are on a VLAN trunk port. For the most part, none of the VLANs can communicate with each other. Certain devices have privilege to do so and are specifically allowed to access certain other LANs. However, all but one LAN have access to the internet. All that takes is these firewall rules:
add action=accept chain=forward comment=\
    "Allow outbound traffic from .101 to Cable internet" in-interface=\
    E2-p4_101 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .102 to Cable internet" in-interface=\
    VLAN_102 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .103 to Cable internet" in-interface=\
    E3-p6_103 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .104 to Cable internet" in-interface=\
    VLAN_104 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .105 to Cable internet" in-interface=\
    VLAN_105 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow outbound traffic from .106 to Cable internet" in-interface=\
    VLAN_106 out-interface=E1-p2_Cable_Internet
add action=accept chain=forward comment=\
    "Allow privileged PCs access to .101 LAN" out-interface=E2-p4_101 \
    src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow privileged PCs access to .102 LAN" out-interface=VLAN_102 \
    src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow privileged PCs access to .103 LAN" out-interface=E3-p6_103 \
    src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow privileged PCs access to .104 LAN" out-interface=VLAN_104 \
    src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow privileged PCs access to .105 LAN" out-interface=VLAN_105 \
    src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow privileged PCs access to .106 LAN" out-interface=VLAN_106 \
    src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow privileged PCs access to .151 LAN" out-interface=VLAN_151 \
    src-address-list=Privileged
add action=accept chain=forward comment=\
    "Allow privileged PCs access to .211 LAN" out-interface="E5 to Router 2" \
    src-address-list=Privileged
add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"
and this NAT rule:
add action=masquerade chain=srcnat comment="Masquerade for cable" \
    out-interface=E1-p2_Cable_Internet
And yes, there are lots of ways to accomplish this. I make no promise that the way I did it is best...
