Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Post Reply
 
lilw
newbie
Topic Author
Posts: 38
Joined: Sun Jan 21, 2018 5:31 pm

Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Fri May 24, 2019 4:23 pm

Hi again,

So I’m around here quite sometimes. I still learning and facing a lot of problem with my own decision and tried to solve most of them.

I have a hAP ac. My ISP give me 2 VLANs, VLAN35 for internet with pppoe and VLAN2502 for IPTV. I have 2 TVs.

Here is my config at the moment.
Code: Select all
# may/20/2019 17:55:28 by RouterOS 6.44.3
# software id = 
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=channel11
/interface bridge
add admin-mac=CC:2Dxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether3 ] comment=PC_NAS
set [ find default-name=ether5 ] comment=cAP
/interface vlan
add interface=ether1 name=vlan35 vlan-id=35
/caps-man datapath
add bridge=bridge name=datapath1
/interface pppoe-client
add add-default-route=yes comment=PPPOE disabled=no interface=vlan35 \
    name=pppoe-out user=xxxx
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=cAP_sec
/caps-man configuration
add channel=channel11 datapath=datapath1 mode=ap name=cfg1 security=cAP_sec \
    ssid=lilw3
/caps-man interface
add channel=channel11 configuration=cfg1 datapath=datapath1 disabled=no \
    l2mtu=1600 mac-address=64:D1xxxx master-interface=none name=cAP \
    radio-mac=64:D1xxxx radio-name=64D1xxxxx security=cAP_sec
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=lilw5ghz \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=lilw2ghz \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
    comment=2ghz disabled=no distance=indoors installation=indoor mode=\
    ap-bridge security-profile=lilw2ghz ssid=lilw2 wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX comment=5ghz disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge security-profile=lilw5ghz ssid=lilw \
    wireless-protocol=802.11 wps-mode=disabled
/interface wireless nstreme
set wlan1 comment=2ghz
set wlan2 comment=5ghz
/interface wireless manual-tx-power-table
set wlan1 comment=2ghz
set wlan2 comment=5ghz
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=100.10.10.2-100.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12h name=\
    defconf
/caps-man access-list
add action=accept allow-signal-out-of-range=5s disabled=no interface=cAP \
    signal-range=-75..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=5s disabled=no interface=cAP \
    signal-range=-120..-76 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn \
    master-configuration=cfg1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out list=WAN
/interface wireless access-list
add allow-signal-out-of-range=5s interface=all signal-range=-79..120
add allow-signal-out-of-range=5s authentication=no forwarding=no interface=\
    all signal-range=-120..-80
/ip address
add address=100.10.10.1/24 comment=defconf interface=bridge network=\
    100.10.10.0
add address=192.168.1.3/24 comment="GPON interface" disabled=yes interface=\
    ether1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server network
add address=100.10.10.0/24 comment=defconf dns-server=100.10.10.1 gateway=\
    100.10.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=100.10.10.1 name=router.lan
/ip firewall address-list
add address=xxxxx comment="WAN-IP for HAIRPIN" list=\
    WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=in_
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: HAIRPIN NAT" \
    dst-address=100.10.10.0/24 ipsec-policy=out,none src-address=\
    100.10.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=transmission dst-port=xxxx \
    in-interface-list=WAN log-prefix=tor_ protocol=tcp to-addresses=\
    100.10.10.5 to-ports=xxxx
add action=dst-nat chain=dstnat comment="NAS out" dst-address-list=WAN-IP \
    dst-port=xxxx log-prefix=tor_ protocol=tcp to-addresses=100.10.10.5 \
    to-ports=xxx
add action=dst-nat chain=dstnat comment="NAS root settings" dst-address-list=\
    WAN-IP dst-port=80 log-prefix=tor_ protocol=tcp to-addresses=100.10.10.5 \
    to-ports=xxx
add action=dst-nat chain=dstnat comment="NAS smb" dst-address-list=WAN-IP \
    dst-port=445 log-prefix=tor_ protocol=tcp to-addresses=100.10.10.5 \
    to-ports=445
add action=dst-nat chain=dstnat comment="Transmission out" dst-address-list=\
    WAN-IP dst-port=xxxx log-prefix=tor_ protocol=tcp to-addresses=\
    100.10.10.5 to-ports=xxxx
add action=src-nat chain=srcnat comment="access GPON" dst-address=192.168.1.1 \
    to-addresses=192.168.1.2
/ip ssh
set forwarding-enabled=remote
/ip upnp
set enabled=yes
/ipv6 address
add from-pool=pool6dhcp interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out pool-name=pool6dhcp \
    prefix-hint=::/64 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system scheduler
add interval=5m name=noip_update on-event=noip_changeip policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/18/2019 start-time=07:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether4
Now I want to have IPTV. I created VLan2502 on ether1. I can bridge VLan2502 with ether3 and connect to settop box for IPTV (it works). But since I don’t want to waste 1gbps port of ether3. I upgraded EA3500 to LEDE firmware run as “managed” switch with 5 LAN ports and connect to ether3 of mikrotik.

I’ve been reading a lot of trunk ports and think this maybe what I need. I think that I’ll make ether3 as trunk ports. So I create 2 VLan e3-35 and e3-2502 on ether3. Then I bridge e3-35 to main bridge for internet access. Create bridge VLan2502 with e3-2502 and e1-2502 for IPTV.

On LEDE switch I create VLan35 and tagged CPU0 and the port WAN (now is LAN5 and connect to mikrotik ether3) untagged 3 other LAN1,2,3 and have internet access. Then create VLan2502, tagged WAN and untagged LAN4. Connect my set top box to LAN4 but it’s not working. No traffic go through e3-2502. I assume my config for switch is correct since I can connect to internet with my PC and NAS connect to switch. In this switch, LAN5 act as trunked port.

So my question is can WAN with multiple VLan will work with trunk port for IPTV on mikrotik?

I’m sorry if my explanation is not clear, just tell me which part you want for more detail.
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Fri May 24, 2019 5:53 pm

How about posting config which includes vlan 2502?
Top
 
lilw
newbie
Topic Author
Posts: 38
Joined: Sun Jan 21, 2018 5:31 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Fri May 24, 2019 6:18 pm

Yes, here it is.
Code: Select all
# may/20/2019 17:55:28 by RouterOS 6.44.3
# software id = 
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=channel11
/interface bridge
add admin-mac=CC:2Dxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether3 ] comment=PC_NAS
set [ find default-name=ether5 ] comment=cAP
/interface vlan
add interface=ether1 name=e1-vlan2502 vlan-id=2502
add interface=ether1 name=e1-vlan35 vlan-id=35
add interface=ether3 name=e3-vlan2502 vlan-id=2502
add interface=ether3 name=e3-vlan35 vlan-id=35
/caps-man datapath
add bridge=bridge name=datapath1
/interface pppoe-client
add add-default-route=yes comment=PPPOE disabled=no interface=vlan35 \
    name=pppoe-out user=xxxx
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=cAP_sec
/caps-man configuration
add channel=channel11 datapath=datapath1 mode=ap name=cfg1 security=cAP_sec \
    ssid=lilw3
/caps-man interface
add channel=channel11 configuration=cfg1 datapath=datapath1 disabled=no \
    l2mtu=1600 mac-address=64:D1xxxx master-interface=none name=cAP \
    radio-mac=64:D1xxxx radio-name=64D1xxxxx security=cAP_sec
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=lilw5ghz \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=lilw2ghz \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
    comment=2ghz disabled=no distance=indoors installation=indoor mode=\
    ap-bridge security-profile=lilw2ghz ssid=lilw2 wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX comment=5ghz disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge security-profile=lilw5ghz ssid=lilw \
    wireless-protocol=802.11 wps-mode=disabled
/interface wireless nstreme
set wlan1 comment=2ghz
set wlan2 comment=5ghz
/interface wireless manual-tx-power-table
set wlan1 comment=2ghz
set wlan2 comment=5ghz
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge_vlan2502 interface=e1-vlan2502
add bridge=bridge_vlan2502 interface=e3-vlan2502
add bridge=bridge interface=e3-vlan35
add bridge=bridge_vlan2502 interface=*11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=100.10.10.2-100.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12h name=\
    defconf
/caps-man access-list
add action=accept allow-signal-out-of-range=5s disabled=no interface=cAP \
    signal-range=-75..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=5s disabled=no interface=cAP \
    signal-range=-120..-76 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn \
    master-configuration=cfg1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out list=WAN
/interface wireless access-list
add allow-signal-out-of-range=5s interface=all signal-range=-79..120
add allow-signal-out-of-range=5s authentication=no forwarding=no interface=\
    all signal-range=-120..-80
/ip address
add address=100.10.10.1/24 comment=defconf interface=bridge network=\
    100.10.10.0
add address=192.168.1.3/24 comment="GPON interface" disabled=yes interface=\
    ether1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server network
add address=100.10.10.0/24 comment=defconf dns-server=100.10.10.1 gateway=\
    100.10.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=100.10.10.1 name=router.lan
/ip firewall address-list
add address=xxxxx comment="WAN-IP for HAIRPIN" list=\
    WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=in_
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: HAIRPIN NAT" \
    dst-address=100.10.10.0/24 ipsec-policy=out,none src-address=\
    100.10.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=transmission dst-port=xxxx \
    in-interface-list=WAN log-prefix=tor_ protocol=tcp to-addresses=\
    100.10.10.5 to-ports=xxxx
add action=dst-nat chain=dstnat comment="NAS out" dst-address-list=WAN-IP \
    dst-port=xxxx log-prefix=tor_ protocol=tcp to-addresses=100.10.10.5 \
    to-ports=xxx
add action=dst-nat chain=dstnat comment="NAS root settings" dst-address-list=\
    WAN-IP dst-port=80 log-prefix=tor_ protocol=tcp to-addresses=100.10.10.5 \
    to-ports=xxx
add action=dst-nat chain=dstnat comment="NAS smb" dst-address-list=WAN-IP \
    dst-port=445 log-prefix=tor_ protocol=tcp to-addresses=100.10.10.5 \
    to-ports=445
add action=dst-nat chain=dstnat comment="Transmission out" dst-address-list=\
    WAN-IP dst-port=xxxx log-prefix=tor_ protocol=tcp to-addresses=\
    100.10.10.5 to-ports=xxxx
add action=src-nat chain=srcnat comment="access GPON" dst-address=192.168.1.1 \
    to-addresses=192.168.1.2
/ip ssh
set forwarding-enabled=remote
/ip upnp
set enabled=yes
/ipv6 address
add from-pool=pool6dhcp interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out pool-name=pool6dhcp \
    prefix-hint=::/64 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system scheduler
add interval=5m name=noip_update on-event=noip_changeip policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/18/2019 start-time=07:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether4
I don't know if it possible to forward stream from e1-vlan2502 to e3-vlan2502 or not. But if I bridge ether3 to vlan2502, it's just working
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Fri May 24, 2019 6:34 pm

Just a question: does IPTV set-top box expect its data tagged or untagged (my ISP delivers IPTV multicasts via VLAN and set-top boxes expect them tagged as well).

Other than that ... since all ports except ether1 are bridged, you can not configure vlans on ether3 the way you did. You'll have to play with bridge vlan-filtering to make things work as you wish, there's nice tutorial about it available. It should be fairly easy for you to get things right as you already have PPPoE over VLAN ...
After you get your grip on VLAN configuration according to the linked tutorial, you'll want to covert the setup to fully HW-offloaded setup, hAP ac has CPU which is not the fastest on the block but has a decent switch chip.
Top
 
lilw
newbie
Topic Author
Posts: 38
Joined: Sun Jan 21, 2018 5:31 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Fri May 24, 2019 6:44 pm

As far as I play around with ONU modem, I found that I just need to tag vlan 2502 and mapping LAN ports on the ONU for IPTV to works. So it expects tagged data. I prefer this configuration with ONU, but since last topic about 100Mbps internet. I has ordered a 1Gbps ONU and it only has 1 port. This is why I need to figure this out before the ONU come.

May I ask, will vlan-filtering in bridge consume much CPU? It just a home network so I try to keep my CPU low. Thanks for the tutorial, I inspect it now. Need to learn a lot of this network stuff.
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Fri May 24, 2019 7:48 pm

May I ask, will vlan-filtering in bridge consume much CPU? It just a home network so I try to keep my CPU low. Thanks for the tutorial, I inspect it now. Need to learn a lot of this network stuff.
I don't know how things will work on your hAP ac. When I did tests on my RB951G (has slower CPU) it could do Gbps "switching" between two ports, but CPU load was high (if I remember right it was around 90%). The very same device can do HW-offloaded switching with no notable CPU load. And my use case is similar to yours. I could have copy-pasted my config for you, but then you wouldn't learn how to "catch the fish" :-)
Top
 
lilw
newbie
Topic Author
Posts: 38
Joined: Sun Jan 21, 2018 5:31 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Fri May 24, 2019 7:59 pm

May I ask, will vlan-filtering in bridge consume much CPU? It just a home network so I try to keep my CPU low. Thanks for the tutorial, I inspect it now. Need to learn a lot of this network stuff.
I don't know how things will work on your hAP ac. When I did tests on my RB951G (has slower CPU) it could do Gbps "switching" between two ports, but CPU load was high (if I remember right it was around 90%). The very same device can do HW-offloaded switching with no notable CPU load. And my use case is similar to yours. I could have copy-pasted my config for you, but then you wouldn't learn how to "catch the fish" :-)
Thank you again, I will try to figure tomorrow. I might have fish or might hungry tomorrow :-) the new ONU expect to come today but I think it late again. I need to take some rest.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Fri May 24, 2019 9:49 pm

Wow, so no other special requirements for the ISP IPTV other than VLAN tagging?
That is progressive thinking!! Bell Fibe and others in the US require special CoS type prioritization of the data at the initial handshake which is a killer requirement.
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Fri May 24, 2019 11:21 pm

Wow, so no other special requirements for the ISP IPTV other than VLAN tagging?
My ISP wants users to register set-top boxes (maps MAC addresses to user name) to provision play lists. Most channels are available for multicast subscription so with a good VLC playlist one can watch also channels which user doesn't pay for. There are a few notable exceptions, seems like they have to enable routing of those multicast groups to user's internet pipe semi-manually.
Top
 
lilw
newbie
Topic Author
Posts: 38
Joined: Sun Jan 21, 2018 5:31 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Sat May 25, 2019 7:22 am

Hey,

Thanks for the suggestion of VLAN filtering. It great but it would eat CPU a lot, like 40%. I can stream IPTV now, but lost internet access over the ether3 trunk. I think I can play around with my LEDE router for internet to work again, but you know what, my kid need me babysitting him and I was too lazy or busy to look after the internet and my baby. So I found a video about VLAN filtering here: https://www.youtube.com/watch?v=VvxJzfdz47Q. Babysitting him and watching youtube. I found that I missing the PVID in bridge ports. It is ridiculously that I missing this thing since I'm only add bridge in the interface, not in the Bridge itself in winbox so I missed that configuration and I didn't even check that in Bridge Port too.

it would be:
Code: Select all
/interface bridge
add name=bridge-vlan2502
/interface bridge port
add bridge=bridge-vlan2502 interface=e1-vlan2502 pvid=2502
add bridge=bridge-vlan2502 interface=e3-vlan2502 pvid=2502
add bridge=bridge interface=e3-vlan35 pvid=35
and in LEDE just need to tagged both vlan and untagged access port. Everything working as what I tend to make trunk port. So basically, it can passing stream and internet on WAN with multiple VLAN and passing to trunk port. Just need the correct PVID. Now, I just need my 1Gbps ONU deliver so I can test the maximum bandwidth.

Sometimes, too exhausted lead your mind to do stupid things. After a rest, everything solved. Thank you for your support. You are the best in this community, mkx.
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Sat May 25, 2019 11:19 am

Not exactly the solution I had in my mind. But it works for you and that's what is important.
Top
 
lilw
newbie
Topic Author
Posts: 38
Joined: Sun Jan 21, 2018 5:31 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Sat May 25, 2019 9:00 pm

Yeah it works, but not perfect. I will still looking into VLAN filtering because right now I experience lagging with IPTV when network have traffic over 30Mbps.
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Sat May 25, 2019 9:46 pm

While lagging IPTV, what's hEX's CPU load? If it's not much more than about 50%, then cause for problems might be somewhere else ...
Top
 
lilw
newbie
Topic Author
Posts: 38
Joined: Sun Jan 21, 2018 5:31 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Sun May 26, 2019 6:55 am

I monitor in Profile, and I see CPU around 20%, networking 10%, other process around 5% or less. Still not figure out where problems happen.
Top
 
lilw
newbie
Topic Author
Posts: 38
Joined: Sun Jan 21, 2018 5:31 pm

Re: Can WAN with multiple VLAN will work with trunked port for Internet and IPTV?

Mon May 27, 2019 3:05 pm

Ok, I just realize that this lagging causing because of the hardware limitation, it is because of the 100mbps port and my internet is 100mbps too, so it causing bottleneck when all of the bandwidt of internet is used, there is nothing left for IPTV streaming.
Top
Post Reply

Who is online

Users browsing this forum: bratislav, seriosha, Valerio5000 and 51 guests
  4. RouterOS
  5. Beginner Basics