x
Re: Basic VLAN Setup
I have not tested, but i would try something like:
Code: Select all
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes
/interface ethernet switch ingress-vlan-translation
add ports=ether2 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=30 sa-learning=yes
add ports=ether4 customer-vid=0 new-customer-vid=40 sa-learning=yes
add ports=ether5 customer-vid=0 new-customer-vid=50 sa-learning=yes
/interface ethernet switch egress-vlan-tag
add vlan-id=20
add vlan-id=30
add vlan-id=40
add vlan-id=50
/interface ethernet switch vlan
add ports=switch1-cpu,ether2 vlan-id=20 learn=yes
add ports=switch1-cpu,ether3 vlan-id=30 learn=yes
add ports=switch1-cpu,ether4 vlan-id=40 learn=yes
add ports=switch1-cpu,ether5 vlan-id=50 learn=yes
/interface vlan
add interface=bridge1 vlan-id=20 name=VLAN20
add interface=bridge1 vlan-id=30 name=VLAN30
add interface=bridge1 vlan-id=40 name=VLAN40
add interface=bridge1 vlan-id=50 name=VLAN50
/ip address
add address=192.168.20.1/24 interface=VLAN20
add address=192.168.30.1/24 interface=VLAN30
add address=192.168.40.1/24 interface=VLAN40
add address=192.168.50.1/24 interface=VLAN50
## Create DHCP Server for every VLANRe: Basic VLAN Setup
Assuming that your other firewalls are handling routing, etc. and the CRS is just being a switch then https://wiki.mikrotik.com/wiki/Manual:C ... s_ports.29 for the access ports, and the incremental changes https://wiki.mikrotik.com/wiki/Manual:C ... d_ports.29 for the AP hybrid port.
Re: Basic VLAN Setup
I assume all of the interface ports can be part of the same bridge? I saw one example online that was creating separate bridges, just wondering if this is necessary for some reason.
Definitely go with single bridge. Use of multiple bridge is a) old school and b) not hardware accelerated ... Mind that on CRS1xx you need to do VLAN config in /interface ethernet to have it HW-accelerated (if done in /interface bridge then it's done by CPU and can't be wirespeed).
Re: Basic VLAN Setup
The wiki examples tend to be command-line, but making the equivalent changes through Winbox is fine. Note that many of the examples expect there to be no configuration present - if you try running the commands on a device with a default configuration you will likely get errors about ports already being members of a bridge, for example.
VLAN/switch configuration can easily leave you unable to access the device if you make a mistake - using safe mode, MAC (rather than IP) communications on a port you are not currently changing, or a serial console on devices which support it are options.
Many blogs and videos are either outdated (as RouterOS evolves with different / better ways of implementing things), or are less than optimal / just plain wrong (they may have worked for the author in their specific case but could cause issues in more general cases).
VLAN/switch configuration can easily leave you unable to access the device if you make a mistake - using safe mode, MAC (rather than IP) communications on a port you are not currently changing, or a serial console on devices which support it are options.
Many blogs and videos are either outdated (as RouterOS evolves with different / better ways of implementing things), or are less than optimal / just plain wrong (they may have worked for the author in their specific case but could cause issues in more general cases).
Re: Basic VLAN Setup
Please make a simple network diagram it will help...
Re: Basic VLAN Setup
Nothing obvious to stop communications, if you configure a VLAN directly on DEV-PC and connect it directly to FW1 without the CRS does it work?
There are a few minor points but nothing affecting your immediate issue...
As you are just using the CRS as a switch the default configuration 'WAN' and 'LAN' interface lists are not really relevant, either
/interface list member
add interface=ether1 list=LAN
add ...
/interface list
add name=WAN
add name=LAN
or remove /interface list and /interface list member entirely.
The IP address should be bound to the parent interface, not a child member
/ip address
add address=10.0.83.20/24 comment=defconf interface=bridge network=10.0.83.0
The /interface vlan and switch1-cpu references under /interface ethernet switch vlan are only required for any VLANs which need to communicate with the CPU directly, if VLANs are passing through these are not required. Typically you would have either untagged or one tagged VLAN for management access.
There are a few minor points but nothing affecting your immediate issue...
As you are just using the CRS as a switch the default configuration 'WAN' and 'LAN' interface lists are not really relevant, either
/interface list member
add interface=ether1 list=LAN
add ...
/interface list
add name=WAN
add name=LAN
or remove /interface list and /interface list member entirely.
The IP address should be bound to the parent interface, not a child member
/ip address
add address=10.0.83.20/24 comment=defconf interface=bridge network=10.0.83.0
The /interface vlan and switch1-cpu references under /interface ethernet switch vlan are only required for any VLANs which need to communicate with the CPU directly, if VLANs are passing through these are not required. Typically you would have either untagged or one tagged VLAN for management access.
Re: Basic VLAN Setup
I have not tested, but i would try something like:
Code: Select all/interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 interface=ether2 hw=yes add bridge=bridge1 interface=ether3 hw=yes add bridge=bridge1 interface=ether4 hw=yes add bridge=bridge1 interface=ether5 hw=yes /interface ethernet switch ingress-vlan-translation add ports=ether2 customer-vid=0 new-customer-vid=20 sa-learning=yes add ports=ether3 customer-vid=0 new-customer-vid=30 sa-learning=yes add ports=ether4 customer-vid=0 new-customer-vid=40 sa-learning=yes add ports=ether5 customer-vid=0 new-customer-vid=50 sa-learning=yes /interface ethernet switch egress-vlan-tag add vlan-id=20 add vlan-id=30 add vlan-id=40 add vlan-id=50 /interface ethernet switch vlan add ports=switch1-cpu,ether2 vlan-id=20 learn=yes add ports=switch1-cpu,ether3 vlan-id=30 learn=yes add ports=switch1-cpu,ether4 vlan-id=40 learn=yes add ports=switch1-cpu,ether5 vlan-id=50 learn=yes /interface vlan add interface=bridge1 vlan-id=20 name=VLAN20 add interface=bridge1 vlan-id=30 name=VLAN30 add interface=bridge1 vlan-id=40 name=VLAN40 add interface=bridge1 vlan-id=50 name=VLAN50 /ip address add address=192.168.20.1/24 interface=VLAN20 add address=192.168.30.1/24 interface=VLAN30 add address=192.168.40.1/24 interface=VLAN40 add address=192.168.50.1/24 interface=VLAN50 ## Create DHCP Server for every VLAN
I am curious why would create a new bridge1 and not use the existing bridge?
Re: Basic VLAN Setup
Check my #2 post and use the sa-learning and learn values...
Re: Basic VLAN Setup
I am not sure why this was the problem, switch1-cpu just gives access to CPU, needed or not i don't see why it caused a problem...I removed switch1-cpu from switch vlan and everything is working as expected.
-
-
carlabreto2
just joined
- Posts: 3
- Joined:
Re: Basic VLAN Setup
I have not tested, but i would try something like:
Code: Select all/interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 interface=ether2 hw=yes add bridge=bridge1 interface=ether3 hw=yes add bridge=bridge1 interface=ether4 hw=yes add bridge=bridge1 interface=ether5 hw=yes /interface ethernet switch ingress-vlan-translation add ports=ether2 customer-vid=0 new-customer-vid=20 sa-learning=yes add ports=ether3 customer-vid=0 new-customer-vid=30 sa-learning=yes add ports=ether4 customer-vid=0 new-customer-vid=40 sa-learning=yes add ports=ether5 customer-vid=0 new-customer-vid=50 sa-learning=yes /interface ethernet switch egress-vlan-tag add vlan-id=20 add vlan-id=30 add vlan-id=40 add vlan-id=50 /interface ethernet switch vlan add ports=switch1-cpu,ether2 vlan-id=20 learn=yes add ports=switch1-cpu,ether3 vlan-id=30 learn=yes add ports=switch1-cpu,ether4 vlan-id=40 learn=yes add ports=switch1-cpu,ether5 vlan-id=50 learn=yes /interface vlan add interface=bridge1 vlan-id=20 name=VLAN20 add interface=bridge1 vlan-id=30 name=VLAN30 add interface=bridge1 vlan-id=40 name=VLAN40 add interface=bridge1 vlan-id=50 name=VLAN50 /ip address add address=192.168.20.1/24 interface=VLAN20 add address=192.168.30.1/24 interface=VLAN30 add address=192.168.40.1/24 interface=VLAN40 add address=192.168.50.1/24 interface=VLAN50 ## Create DHCP Server for every VLAN
I had the same problem, try what this user indicates and it has served me wonderfully
Re: Basic VLAN Setup
Yeah, I couldn't begin to guess I don't really know this architecture. But I tested adding it back and as soon as I did it stopped working again.I am not sure why this was the problem, switch1-cpu just gives access to CPU, needed or not i don't see why it caused a problem...I removed switch1-cpu from switch vlan and everything is working as expected.
Thanks.
All I can think of is including the switch1-cpu port as a member of multiple VLANs without tagging traffic on that port is doing something weird, if you did want CPU access to the VLANs it should be
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,ether5,ether7 vlan-id=20
add tagged-ports=switch1-cpu,ether5,ether7 vlan-id=30
add tagged-ports=switch1-cpu,ether5,ether7 vlan-id=40
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether2
add customer-vid=0 new-customer-vid=30 ports=ether3
add customer-vid=0 new-customer-vid=40 ports=ether4
/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether5,ether7 vlan-id=20
add ports=switch1-cpu,ether3,ether5,ether7 vlan-id=30
add ports=switch1-cpu,ether4,ether5,ether7 vlan-id=40
Re: Basic VLAN Setup
Yeah, I couldn't begin to guess I don't really know this architecture. But I tested adding it back and as soon as I did it stopped working again.
As others mentioned, switch shouldn't be doing that. So I'm guessing some other config is causing it. But one can't do any more guessing without you posting complete config (/export hide-sensitive) ... yes, we need to see complete config because config is complex thing and one part affects the rest of it ... even if it is not obvious.
Re: Basic VLAN Setup
Nice to clarify that @mkx...As others mentioned, switch shouldn't be doing that.
My logic was saying that this could not be causing a problem but i also had my doubts...
Re: Basic VLAN Setup
My guess: if you add switch1-cpu interface to vlan members (in /interface ethernet switch vlan), then you should also set it as tagged (/interface ethernet switch egress-vlan-tag ... who knows what is default, probably untagged ...
Re: Basic VLAN Setup
Trying to understand a little more i took a look again at the wiki...
https://wiki.mikrotik.com/wiki/Manual:C ... s_examples
So, it says that when we give access to the CPU e.g from eth2 for management purposes or whatever other reason we would do it like:
So far so good...
But then it says that the packets that will be send back FROM the CPU will not get tagged unless we add as tagged member the switch to the eggess:
So to my understanding, the ingress traffic from the dev PC was getting tagged as soon as it entered the Access Port eth2, everything good so far...
Then the traffic because the switch1-cpu was added as member to /interface ethernet switch vlan was forced( ? ) to go through the CPU and since it was not tagged in the eggress /interface ethernet switch egress-vlan-tag that traffic was finally leaving the switch untagged thus making it unable to communicate with the next switch ?
If that's the reason why would the traffic go through the CPU at the first place ?Acess to CPU is needed for L3 services...
As the OP said, removing the switch1-cpu from the /interface ethernet switch vlan solved the problem...
If my thinking above is wrong, what did the switch1-cpu port caused and the VLAN switching did not work?
https://wiki.mikrotik.com/wiki/Manual:C ... s_examples
So, it says that when we give access to the CPU e.g from eth2 for management purposes or whatever other reason we would do it like:
Code: Select all
/interface ethernet switch vlan
add ports=ether2,switch1-cpu vlan-id=99But then it says that the packets that will be send back FROM the CPU will not get tagged unless we add as tagged member the switch to the eggess:
Code: Select all
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2,switch1-cpu vlan-id=99Then the traffic because the switch1-cpu was added as member to /interface ethernet switch vlan was forced( ? ) to go through the CPU and since it was not tagged in the eggress /interface ethernet switch egress-vlan-tag that traffic was finally leaving the switch untagged thus making it unable to communicate with the next switch ?
If that's the reason why would the traffic go through the CPU at the first place ?Acess to CPU is needed for L3 services...
As the OP said, removing the switch1-cpu from the /interface ethernet switch vlan solved the problem...
If my thinking above is wrong, what did the switch1-cpu port caused and the VLAN switching did not work?
Who is online
Users browsing this forum: filou59, GoogleOther [Bot] and 51 guests