Andrewdo
just joined
Topic Author
Posts: 4
Joined: Mon Mar 29, 2021 3:26 pm
Location: South Africa, Krugersdorp

Multiple VLAN on Single Port

Mon Mar 29, 2021 3:50 pm

Hi guys,

I have a CRS328-24P-4S and I cannot for the life of me figure out the VLANs.

I do not have any other switches coming into the MikroTik. I am running RouterOS and not SwitchOS as I use the firewall capabilities.

My current network is running off a Ubiquiti Access Point with no VLAN and I would like to separate network traffic using VLANs as per below:

1) WLAN1 - 192.168.16.0/24 - No VLAN currently (would like to add a VLAN 100)
2) WLAN2 (Guest) - 192.168.168.0/24 - VLAN 999

I have configured the bridge without VLAN filtering for the time being.

1) I have then added in the ports, but this is also where I get confused: if I add the physical port to the bridge it asks for a pvid, but I cannot add more than one pvid (do I need to add a pvid here? Or do I just leave it at default?)
2) The bridge is configured as follows:

/interface bridge
add comment="Internal LAN" name=LAN-Bridge
/interface bridge port
add bridge=LAN-Bridge interface=ether1
add bridge=LAN-Bridge interface=ether2
add bridge=LAN-Bridge interface=ether3
add bridge=LAN-Bridge interface=ether4
add bridge=LAN-Bridge interface=ether5
add bridge=LAN-Bridge interface=ether6
add bridge=LAN-Bridge interface=ether7
add bridge=LAN-Bridge interface=ether8
add bridge=LAN-Bridge interface=ether9
add bridge=LAN-Bridge interface=ether10
add bridge=LAN-Bridge interface=ether11
add bridge=LAN-Bridge interface=ether12
add bridge=LAN-Bridge interface=ether13
add bridge=LAN-Bridge interface=ether14
add bridge=LAN-Bridge interface=ether17
add bridge=LAN-Bridge interface=ether18
add bridge=LAN-Bridge interface=ether19
add bridge=LAN-Bridge interface=ether20
add interface=ether24 (Not part of the bridge, this plugs into an internet router)
add bridge=LAN-Bridge interface=ether16
add bridge=LAN-Bridge interface=ether22
add bridge=LAN-Bridge interface=ether15
add bridge=LAN-Bridge interface=ether21 multicast-router=disabled

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

/interface bridge vlan
add bridge=LAN-Bridge tagged=sfp-sfpplus1,sfp-sfpplus2,LAN-Bridge untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23 \
vlan-ids=100
add bridge=LAN-Bridge tagged=sfp-sfpplus1,sfp-sfpplus2,IOT_v999 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23 \
vlan-ids=999
add bridge=LAN-Bridge tagged=sfp-sfpplus1,sfp-sfpplus2,LAN-Bridge untagged=ether14,ether15 vlan-ids=200
add bridge=LAN-Bridge tagged=sfp-sfpplus1,sfp-sfpplus2,LAN-Bridge untagged=ether14,ether15 vlan-ids=300


3) When I enable VLAN filtering my DHCP server running on the MikroTik no longer hands out IP addresses and so I cannot get an IP on the IOT VLAN; the 192.168.1.0/24 traffic continues to work.

I am not sure if I actually even need to tag the ports because as mentioned I do not have any upstream or downstream switches at this point.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple VLAN on Single Port

Tue Mar 30, 2021 2:04 pm

Okay I am confused by your network.
Is the switch acting as a router or a switch?
A network diagram would be helpful.

What is the purpose of using firewall rules on a switch?? Assuming it's not acting as a router?

Also for vlan filtering you should follow this guide.......
viewtopic.php?f=23&t=143620
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple VLAN on Single Port

Tue Mar 30, 2021 7:12 pm

> My current network is running off a Ubiquiti Access Point with no VLAN and I would like to separate network traffic using VLANs as per below:
>
> 1) WLAN1 - 192.168.16.0/24 - No VLAN currently (would like to add a VLAN 100)
> 2) WLAN2 (Guest) - 192.168.168.0/24 - VLAN 999
>
> I have configured the bridge without VLAN filtering for the time being.
>
> 1) I have then added in the ports, but this is also where I get confused: if I add the physical port to the bridge it asks for a pvid, but I cannot add more than one pvid (do I need to add a pvid here? Or do I just leave it at default?)

When talking about VLANs: there is no such thing as untagged VLAN. The only untagged thing about VLANs is access port, which converts untagged frames on ingress to tagged frames (that's what PVID setting is about) and vice-versa on egress (ROS does it automatically for ports with PVID set unless you manually configure it otherwise). And it can't distinguish untagged frames from untagged frames.

Which means: if you want to have two WiFi SSIDs running off single AP, then AP has to tag at least one of SSIDs with appropriate VLAN tags, but preferably both (next step you'll want to make is separate management VLAN).
 
Andrewdo
just joined
Topic Author
Posts: 4
Joined: Mon Mar 29, 2021 3:26 pm
Location: South Africa, Krugersdorp

Re: Multiple VLAN on Single Port

Wed Mar 31, 2021 9:29 pm

> Okay I am confused by your network.
> Is the switch acting as a router or a switch?
> A network diagram would be helpful.
>
> What is the purpose of using firewall rules on a switch?? Assuming it's not acting as a router?
>
> Also for vlan filtering you should follow this guide.......
> viewtopic.php?f=23&t=143620

Basically I just have the MikroTik (CRS328) running RouterOS; port 24 is plugged into a MikroTik which does a PPPoE connection.

All Ubiquiti APs and devices connect to the CRS328.
 
Andrewdo
just joined
Topic Author
Posts: 4
Joined: Mon Mar 29, 2021 3:26 pm
Location: South Africa, Krugersdorp

Re: Multiple VLAN on Single Port

Wed Mar 31, 2021 9:41 pm

> > My current network is running off a Ubiquiti Access Point with no VLAN and I would like to separate network traffic using VLANs as per below:
> >
> > 1) WLAN1 - 192.168.16.0/24 - No VLAN currently (would like to add a VLAN 100)
> > 2) WLAN2 (Guest) - 192.168.168.0/24 - VLAN 999
> >
> > I have configured the bridge without VLAN filtering for the time being.
> >
> > 1) I have then added in the ports, but this is also where I get confused: if I add the physical port to the bridge it asks for a pvid, but I cannot add more than one pvid (do I need to add a pvid here? Or do I just leave it at default?)
>
> When talking about VLANs: there is no such thing as untagged VLAN. The only untagged thing about VLANs is access port, which converts untagged frames on ingress to tagged frames (that's what PVID setting is about) and vice-versa on egress (ROS does it automatically for ports with PVID set unless you manually configure it otherwise). And it can't distinguish untagged frames from untagged frames.
>
> Which means: if you want to have two WiFi SSIDs running off single AP, then AP has to tag at least one of SSIDs with appropriate VLAN tags, but preferably both (next step you'll want to make is separate management VLAN).

I did configure the one SSID to use 999 as the VLAN, but when I enabled VLAN filtering I no longer received a DHCP address on VLAN 999 or on the SSID without a VLAN. Right now I need one network to run without a VLAN (192.168.16.0/24) at the moment. This will however be set to VLAN 100 and will become the management VLAN / Local Network.

Will double check the UniFi AP side.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Multiple VLAN on Single Port

Thu Apr 01, 2021 1:22 am

You are missing the bridge interface under the bridge VLAN table for VLAN 999; you need to add the bridge as a tagged interface.
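
Added example (not part of the thread or of any poster's message): a small Python audit of an exported `/interface bridge vlan` table that checks the two points raised in the replies above, namely that the bridge itself has to be a member of every VLAN the router serves, and that a port listed as untagged in several VLANs cannot keep them apart. The sample export is constructed from the first post with the port lists shortened, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the VLAN table from the first post, port lists shortened.
EXPORT = """\
/interface bridge vlan
add bridge=LAN-Bridge tagged=sfp-sfpplus1,sfp-sfpplus2,LAN-Bridge untagged=ether1,ether2 \\
    vlan-ids=100
add bridge=LAN-Bridge tagged=sfp-sfpplus1,sfp-sfpplus2,IOT_v999 untagged=ether1,ether2 \\
    vlan-ids=999
add bridge=LAN-Bridge tagged=sfp-sfpplus1,sfp-sfpplus2,LAN-Bridge untagged=ether14,ether15 vlan-ids=200
"""

def parse_vlan_table(export):
    """Return one dict per 'add' line of the /interface bridge vlan section."""
    text = re.sub(r"\\\s*\n\s*", "", export)  # join backslash-continued lines
    rows, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/interface bridge vlan"
        elif in_section and line.startswith("add "):
            kv = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
            rows.append({
                "bridge": kv.get("bridge", ""),
                "vlan": kv.get("vlan-ids", ""),
                "tagged": set(filter(None, kv.get("tagged", "").split(","))),
                "untagged": set(filter(None, kv.get("untagged", "").split(","))),
            })
    return rows

def audit(rows):
    """Flag VLANs the bridge is not a member of and ports untagged in >1 VLAN."""
    findings, untagged_in = [], defaultdict(list)
    for r in rows:
        if r["bridge"] not in r["tagged"] | r["untagged"]:
            findings.append(f"vlan {r['vlan']}: bridge {r['bridge']} is not a member")
        for port in r["untagged"]:
            untagged_in[port].append(r["vlan"])
    for port, vlans in sorted(untagged_in.items()):
        if len(vlans) > 1:
            findings.append(f"{port}: untagged in VLANs {','.join(vlans)}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_vlan_table(EXPORT)):
        print(finding)
```
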
 
Andrewdo
just joined
Topic Author
Posts: 4
Joined: Mon Mar 29, 2021 3:26 pm
Location: South Africa, Krugersdorp

Re: Multiple VLAN on Single Port

Thu Apr 01, 2021 7:37 am

> You are missing the bridge interface under the bridge VLAN table for VLAN 999; you need to add the bridge as a tagged interface.

I have configured VLAN 999 on the bridge now as a tagged port and will try to re-enable VLAN filtering again. Question though: as previously mentioned, I have an IP range of 192.168.16.0 which currently does not have a VLAN associated. Will traffic still flow with the current configuration until I can move this range to a VLAN?
