xtree
just joined
Topic Author
Posts: 13
Joined: Wed Dec 24, 2014 1:56 pm

Vlaning

Fri Mar 19, 2021 10:50 pm

I have a home network lab where I play around with various routers. I have a 750Gl that I would like to set up as a bridge router between my home network and another router sitting on port 2. Then ports 3, 4, 5 will be on separate VLANs serviced by the back end router. On the back end router I have one Ethernet with 3 VLANs: 10, 100, 200. VLAN 10 is the NAT'd interface, to the back end router's WAN VLAN (10), VLANs 100 and 200 3, 4, 5. So to net it out: Port 1 WAN, Port 2 a trunk with VLAN 10, 100, 200, VLAN 10 routes to WAN, VLANs 100, 200 to port 3 and 4. Then I can decide what to do with port 5.

Any suggestions are welcome. Here is a pastebin https://pastebin.com/aPKz3HXj of the current configuration.
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Vlaning

Sat Mar 20, 2021 12:35 am

There is a good primer on Mikrotik VLANs viewtopic.php?t=143620 and there are skeleton examples in the help pages https://help.mikrotik.com/docs/display/ ... NFiltering
 
xtree
just joined
Topic Author
Posts: 13
Joined: Wed Dec 24, 2014 1:56 pm

Re: Vlaning

Sat Mar 20, 2021 7:12 pm

> There is a good primer on Mikrotik VLANs viewtopic.php?t=143620 and there are skeleton examples in the help pages https://help.mikrotik.com/docs/display/ ... NFiltering

Thanks for the pointer. I ended up using this YouTube video https://www.youtube.com/watch?v=Rj9aPoyZOPo and it got me close. On port 2 I have an external Opnsense router with 3 VLANs, 10=wan 100=home 200=guest. I set up an IP address and DHCP server on the MikroTik router VLAN wan(10) but the Opnsense router is not getting a DHCP address on the vlan10 interface. I have MikroTik port 3 set to home(100) and MikroTik port 4 set to guest(200) and they both are getting the proper subnet IPs from the port 2 Opnsense external router.

An observation: if I set an IP address on the home interface (192.168.1.205), I can't ping it from a system on the home VLAN (100). Same goes for the wan (10) if I set a static IP on my Opnsense router's VLAN 10 interface. So I am missing something. Here is a pastebin https://pastebin.com/Ds1mEk4T of my config. Thanks again for any ideas.
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Vlaning  [SOLVED]

Sat Mar 20, 2021 8:12 pm

OK, if you are using hardware VLAN switching see https://help.mikrotik.com/docs/display/ ... upExamples and https://wiki.mikrotik.com/wiki/Manual:Switch_Router. I can't comment on the video (I'm not going to waste time watching it), but many third-party videos and guides are either outdated, not optimal, or just incorrect.

Under /interface vlan you should reference the parent bridge (BR1), not the child interfaces (ether2).

For traffic from the switch chip to the CPU you have to include the switch1-cpu port in the configuration under /interface ethernet switch vlan. If you are just switching traffic between ports you do not need /interface vlan entries for them - the home and guest entries are likely redundant in your setup.

Other than that the current settings are ether2: 10,100,200 tagged; ether3: 100 untagged; ether4: 200 untagged & 100 tagged.

As noted in the documentation "For devices with QCA8337 and Atheros8327 switch chips a default vlan-header=leave-as-is should be used. When vlan-mode=secure is configured, it ignore switch port vlan-header options. VLAN table entries handle all the egress tagging/untagging and works as vlan-header=leave-as-is on all ports. It means what comes in tagged, goes out tagged as well, only default-vlan-id frames are untagged at the egress of port."

You have configured the DHCP server on ether1, there is none on the "wan" VLAN.

If the Mikrotik is really connected to a 108.20.x.x public address, having firewall rules would be a good idea.
 
xtree
just joined
Topic Author
Posts: 13
Joined: Wed Dec 24, 2014 1:56 pm

Re: Vlaning

Sat Mar 20, 2021 8:21 pm

Thanks, I have some errands to run. When I get back I'll digest and try your suggestions.
 
xtree
just joined
Topic Author
Posts: 13
Joined: Wed Dec 24, 2014 1:56 pm

Re: Vlaning

Sun Mar 21, 2021 2:46 am

It's working for the most part now, with just 2 minor things to make this project complete.

I think the key was adding switch1-cpu to each vlan.

A few comments on your prior suggestions

The /interface vlan entries are needed to add IP addresses and dhcp server to the vlans.

ether1 has a DHCP client and gets an IP address from my external network (i.e. simulated WAN).

I changed the names of VLAN 10 and 100 for clarity: 10 is OpnsenseWan, 100 is OpnsenseLan.

The issue I have now is I can ping the switch IP I set up on OpnsenseLan (192.168.1.205) from the Opnsense router on ether2 but can't ping it from the client (192.168.1.36) on ether3. The client on ether3 can ping the Opnsense LAN IP of 192.168.1.254. I also need to set up a management VLAN to complete this. Pastebin of the current config https://pastebin.com/0pC9bz0E

Any idea why ping isn't working from the client on ether3 (vlan 100) to the OpnsenseLan ip of 192.168.1.205?
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Vlaning

Sun Mar 21, 2021 4:10 am

The /interface vlan entries are still incorrectly attached to ether2.
 
xtree
just joined
Topic Author
Posts: 13
Joined: Wed Dec 24, 2014 1:56 pm

Re: Vlaning

Sun Mar 21, 2021 6:11 am

> The /interface vlan entries are still incorrectly attached to ether2.

Just to verify

add interface=ether2 name=OpnsenseLan vlan-id=100
add interface=ether2 name=OpnsenseWan vlan-id=10

should be

add interface=BR1 name=OpnsenseLan vlan-id=100
add interface=BR1 name=OpnsenseWan vlan-id=10

??
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Vlaning

Sun Mar 21, 2021 1:35 pm

Yes. Many old guides refer to ether2, which was applicable when using the old master-port switch configuration in RouterOS 6.40.x and earlier. With current versions you should use the bridge; the interface aspect of the bridge is the CPU end of the connection to the switch1-cpu port of the switch chip.
 
xtree
just joined
Topic Author
Posts: 13
Joined: Wed Dec 24, 2014 1:56 pm

Re: Vlaning

Mon Mar 22, 2021 2:30 am

> Yes. Many old guides refer to ether2 which was applicable when using the old master-port switch configuration in RouterOS 6.40.x and earlier. With current versions you should use the bridge, the interface aspect of the bridge is the CPU end of the connection to the switch1-cpu port of the switch chip.

Thank you for all your guidance. I will have to read more to understand your above statement. Things are working and I can get to the 750gl via the WAN VPN IP. I think there is an issue with the LAN IP conflicting with the Opnsense router. I'll do some more testing later this week. Anyway, here is the pastebin https://pastebin.com/YRqZ5L0b of my final config unless you see something I should change.
 
xtree
just joined
Topic Author
Posts: 13
Joined: Wed Dec 24, 2014 1:56 pm

Re: Vlaning

Mon Mar 22, 2021 3:45 pm

Getting to the WAN and LAN IP addresses is still an issue from systems that do not have a tagged interface. Time to read some more.
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Vlaning

Mon Mar 22, 2021 4:40 pm

You haven't provided a diagram of your setup and how you would like it to work. With multiple network interfaces on devices you often end up with triangular routes, where traffic in one direction goes via a third device, e.g. A -> B but B -> C -> A. Firewall connection tracking can see these incomplete connections as invalid and block them, or the third device may not have the appropriate routes.

Currently on the Mikrotik anything to the 108.20.117.0/24 subnet will egress via OpnsenseWan, similarly 192.168.1.0/24 via OpnsenseLan, everything else will egress via the default route added by the DHCP client on ether1.
 
xtree
just joined
Topic Author
Posts: 13
Joined: Wed Dec 24, 2014 1:56 pm

Re: Vlaning

Mon Mar 22, 2021 5:43 pm

After going back and closely reading the Switch Router manual https://wiki.mikrotik.com/wiki/Manual:Switch_Router I figured out the issue. But first, my network diagram as you asked.

Port 1 - WAN port to external network (no VLAN) set as a DHCP client. In my case I added it to my guest network that has an IP address range of 192.168.200.0/27 (srcnat masquerade)
Port 2 - VLAN trunk port with VLAN IDs of 10, 100, 200. This is where the Opnsense system sits
Port 3+4 - VLAN 100
Port 5 - Floater for testing VLANs 10 and 200 (I change the VLAN IDs here as needed)

Now to the simple fix: in /interface ethernet switch port I had switch1-cpu set to disable; once I set it to secure I could ping the IP addresses on the same VLAN.

The all working config - https://pastebin.com/WR7C7tmC

Again a big thanks for all your links and descriptions. I would never have gotten this to work without your guidance. Let me know if you still have any questions.
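
Added example, not part of any post in this thread and not MikroTik's code: a small Python check that reads RouterOS commands and flags the three mistakes worked through above (a /interface vlan entry attached to a bridge member port instead of the bridge, a VLAN with no switch1-cpu member in the switch VLAN table, and switch1-cpu not in vlan-mode=secure). The sample input is constructed, `parse_config` and `lint` are hypothetical names, and switch ports are assumed to be referenced by name as in the manual's examples.

```python
import shlex

# Constructed input reproducing the thread's mistakes; lint() is a hypothetical helper.
# Assumption: switch ports are referenced by name, as in the manual's examples.
SAMPLE = """\
/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
/interface vlan
add interface=ether2 name=OpnsenseLan vlan-id=100
add interface=ether2 name=OpnsenseWan vlan-id=10
/interface ethernet switch vlan
add ports=ether2,ether3 switch=switch1 vlan-id=100
add ports=ether2,switch1-cpu switch=switch1 vlan-id=10
/interface ethernet switch port
set ether3 default-vlan-id=100 vlan-mode=secure
set switch1-cpu vlan-mode=disabled
"""

def parse_config(text):
    """Return {menu path: [ {key: value}, ... ]} for add/set lines."""
    menus, path = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join continuation lines
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            entry = {}
            for tok in shlex.split(line)[1:]:
                key, sep, val = tok.partition("=")
                entry[key if sep else "_item"] = val if sep else tok
            menus.setdefault(path, []).append(entry)
    return menus

def lint(text):
    m = parse_config(text)
    member_of = {p["interface"]: p["bridge"] for p in m.get("/interface bridge port", [])}
    cpu_vlans = {v["vlan-id"] for v in m.get("/interface ethernet switch vlan", [])
                 if "switch1-cpu" in v.get("ports", "").split(",")}
    findings = []
    for v in m.get("/interface vlan", []):
        if v["interface"] in member_of:  # attached to a bridge member port
            findings.append(f"{v['name']}: parent {v['interface']} should be {member_of[v['interface']]}")
        if v["vlan-id"] not in cpu_vlans:  # CPU side cannot reach this VLAN
            findings.append(f"{v['name']}: VLAN {v['vlan-id']} has no switch1-cpu member")
    ports = m.get("/interface ethernet switch port", [])
    cpu = next((p for p in ports if p.get("_item") == "switch1-cpu"), {})
    if cpu.get("vlan-mode") != "secure":  # an unset port counts as not secure
        findings.append("switch1-cpu: vlan-mode is not secure")
    return findings
```

Calling `lint(SAMPLE)` returns one line per finding; an empty list means none of the three conditions was found.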