k6ccc
Member
Topic Author
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Using RouterOS as a switch

Fri Sep 13, 2019 9:02 pm

This is likely an easy one, but I have EXCLUSIVELY used Mikrotik routers as routers and never as a switch. Each LAN or VLAN on the routers connects directly to a CSS326 switch. I have run into a situation where I have run out of ports on one of my CSS326 switches and have an immediate need for a couple more ports. If I was not in a hurry, I would just order another switch. I do have a RB750r2 that had been replaced with a RB750Gr3 a while ago and is therefore spare, and should be able to be configured to operate as a switch. Below is a drawing of the intended layout.

Under normal circumstances, ports 2 - 5 will have VLAN 2 connect to each other. That will be at least 99% of the traffic. VLAN 1 will connect to all five ports (although will not likely ever be used). Untagged traffic from ports 2 through 5 is also not expected to ever be used, but will each be assigned to a VLAN (VLAN 302 - 305 for ports 2 - 5 respectively) and sent to the CSS326 via the trunk port 1. VLAN 101 on Port 1 will be for management.

I can handle the firewalling for keeping the VLANs apart, etc. I just need to know how to make the router play switch. I could do this in SwitchOS in a heartbeat - if I was using a switch...

[Image: drawing of the intended layout]

In case you are wondering, AREDN is an amateur radio data network.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
Amm0
Frequent Visitor
Posts: 92
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Using RouterOS as a switch

Sat Sep 14, 2019 9:37 am

May not be that simple...

But the generic, "modern" approach to accomplish your configuration using ROS is to use a single bridge, enable "VLAN Filtering" on it, add all the ethernet ports with a correct VLAN (PVID) set on each bridge port, and finally add all the VLANs in use to the VLAN tab along with the ports you want tagged/untagged. Since changing the bridge setting might cause you to lose IP access, you'll want to connect to the ROS using MAC address in Winbox to do the configuration – otherwise you'd have a catch-22 on the VLAN tagging since it needs to be set in a few places to work. See https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering for the details.

With ROS's "bridge hardware offload", the RouterOS will "act like a switch" – that is, packets are passed at/near line rate of the ethernet connection. But since the specific switching features vary by model/chipset/CPU, the VLAN tagging features may vary, and with it the potential speed also varies. The specific documentation for the switching features is here, including what "switch features" are available on the various ROS hardware: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features. So... you mention the RB750Gr3, and if we check the switch port wiki page, you'd find it has the MT7621 chip – that chip doesn't support "VLAN tables" in hardware, so hardware offloading won't be enabled, BUT it also has a powerful CPU, so it doesn't matter. Now, that RB750r2 has the Atheros8227 chipset, and that does support "VLAN Tables", so you can get 100Mb/s with your VLANs on that one – now I won't recommend using the "Switch" menu, but it describes what "switching features" are available on the hardware in pretty good detail.

The cool part is ROS will "do the right thing" if you use a bridge: if your configuration is possible to use a hardware switch chip, it will. Otherwise, the VLAN tagging scheme will all just work, but without switch chip support, the traffic has to flow through the CPU, so it can't operate at full ethernet speed – but it will still do all the tagging stuff you need.
 
k6ccc
Member
Topic Author
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Using RouterOS as a switch

Sat Sep 14, 2019 11:47 pm

Thanks for the reply.
I had assumed that I needed to build a bridge, and played with that last night for a couple hours without any success. I can see the traffic coming in from the three AREDN nodes with Torch, but nothing going out. I'm sure it's easy for most people that have used a bridge in ROS, but as I said, I have never used a ROS based device as a switch - exclusively as a router.
I'm doing this on a RB750r2, not the RB750Gr3. When I upgraded my primary router from the 750r2 to the 750Gr3, the 750r2 became spare. Therefore I'm intending to use the 750r2 for this specific switching application.
I have some partial success. Realizing that I had lots of leftovers from a couple years ago when this RB750r2 was my primary router, I just did a configuration reset - yes, I have a backup and export so I can put selected pieces back in... Connected a laptop to port 2 and connected via WinBox. Created VLAN 101 and put that on port 1 and gave it the correct IP address, and disabled the firewall rule that blocked access to the router from port 1, and voilà, I can access the router from VLAN 101. Plugged the three AREDN nodes into ports 3, 4, & 5 and was a little surprised that the default bridge is passing VLAN tagged traffic. So for the time being, my immediate goal is accomplished - getting the three AREDN nodes talking to each other via VLAN 2.

Amm0 wrote:
> But generic, "modern" approach to accomplish your configuration using ROS is to use a single bridge, enable "VLAN Filtering" on it, add all the ethernet ports with a correct VLAN(PVID) set on each bridge port, and finally add all the VLAN in use to the VLAN tab along with the ports you want tagged/untagged.


This is where I'm losing it. Do you mean the VLAN tab under bridge, the VLAN tab under Bridge Port, or the VLAN tab under interface? I think I tried all of those last night in various combinations and none worked. As for the PVID, am I giving it the PVID for the desired VLAN for untagged traffic, or something else? Are VLANs in the bridge the same as VLANs on an interface? This is so easy in SwitchOS...


Jim
 
dadoremix
Member Candidate
Posts: 116
Joined: Sat May 14, 2011 11:31 am

Re: Using RouterOS as a switch

Sun Sep 15, 2019 12:18 am

Make bridge
Put eth1,2,3,4 in that bridge
That's it. Done.

I don't know what dude is writing up
 
Amm0
Frequent Visitor
Posts: 92
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Using RouterOS as a switch

Sun Sep 15, 2019 3:39 am

True, if he doesn't need to add or strip VLAN tags, that works: bridge all ports. But from his diagram it looks like port 2's untagged traffic should be tagged with 302 vlan, and available as 302 on ether1, same for ether2-5.

If you want to "change" the VLAN ID between ports, it would look something like this. Not sure the below is exactly right, but I think it's pretty close based on the diagram... you can do the same config in winbox or webfig too:
```
# Create the bridge (named "bridge", as referenced below) with VLAN filtering on
/interface bridge
add name=bridge vlan-filtering=yes
# Ports 2-5: untagged ingress frames are assigned the port's PVID
/interface bridge port
add bridge=bridge interface=ether2 pvid=302
add bridge=bridge interface=ether3 pvid=303
add bridge=bridge interface=ether4 pvid=304
add bridge=bridge interface=ether5 pvid=305
# Port 1 is the trunk; its PVID stays at the default of 1
add bridge=bridge interface=ether1
# VLAN table: which ports carry each VLAN tagged or untagged
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2 vlan-ids=302
add bridge=bridge tagged=ether1 untagged=ether3 vlan-ids=303
add bridge=bridge tagged=ether1 untagged=ether4 vlan-ids=304
add bridge=bridge tagged=ether1 untagged=ether5 vlan-ids=305
add bridge=bridge tagged=ether1 vlan-ids=101
add bridge=bridge untagged=ether1 tagged=ether2,ether3,ether4,ether5 vlan-ids=1
add bridge=bridge tagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=2
```
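
A small model of how the PVIDs and the bridge VLAN table above decide where a frame goes, added here as an illustration; it is not part of Amm0's post and not MikroTik code. It parses the posted port and VLAN lines and assumes `ingress-filtering=yes` on every port, which the posted config does not set; the function names `parse`, `forward` and `access_leaks` are made up for this example.

```python
import re
# Port and VLAN sections of the config posted above, embedded so this runs offline.
CONFIG = """
/interface bridge port
add bridge=bridge interface=ether2 pvid=302
add bridge=bridge interface=ether3 pvid=303
add bridge=bridge interface=ether4 pvid=304
add bridge=bridge interface=ether5 pvid=305
add bridge=bridge interface=ether1
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2 vlan-ids=302
add bridge=bridge tagged=ether1 untagged=ether3 vlan-ids=303
add bridge=bridge tagged=ether1 untagged=ether4 vlan-ids=304
add bridge=bridge tagged=ether1 untagged=ether5 vlan-ids=305
add bridge=bridge tagged=ether1 vlan-ids=101
add bridge=bridge untagged=ether1 tagged=ether2,ether3,ether4,ether5 vlan-ids=1
add bridge=bridge tagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=2
"""

def parse(text):
    """Return (pvid per port, {vlan-id: (tagged ports, untagged ports)})."""
    pvid, vlans, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
            ports = lambda key: set(filter(None, kv.get(key, "").split(",")))
            if section == "/interface bridge port":
                pvid[kv["interface"]] = int(kv.get("pvid", 1))  # PVID defaults to 1
            elif section == "/interface bridge vlan":  # single ids only, no ranges
                vlans[int(kv["vlan-ids"])] = (ports("tagged"), ports("untagged"))
    return pvid, vlans

PVID, VLANS = parse(CONFIG)

def forward(in_port, tag=None):
    """Egress ports for a flooded frame, as {port: tag on the wire, or None}."""
    # An untagged frame (tag=None) is classified into the ingress port's PVID.
    vid = PVID[in_port] if tag is None else tag
    tagged, untagged = VLANS.get(vid, (set(), set()))
    if in_port not in tagged | untagged:  # assumption: ingress-filtering=yes
        return {}
    return {p: (vid if p in tagged else None) for p in (tagged | untagged) - {in_port}}

def access_leaks():
    """Pairs of ports 2-5 that would exchange untagged frames directly."""
    access = sorted(p for p in PVID if p != "ether1")
    return [(a, b) for a in access for b in forward(a) if b in access]
```

`forward("ether1", 101)` returns an empty result because ether1 is the only member of VLAN 101; for the router's own management address to answer on that VLAN, the bridge interface itself would also have to be a tagged member of it.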
 
k6ccc
Member
Topic Author
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Using RouterOS as a switch

Sun Sep 15, 2019 5:48 am

Amm0 is correct. Essentially what I currently have is what dadoremix suggested. While that does allow VLAN 2 to communicate between ports 2 - 5, it does not allow for the additional parts of the plan. I will be working with Amm0's suggestions shortly.

Thanks


Jim
