nagypeter56
just joined
Topic Author
Posts: 4
Joined: Thu Apr 15, 2021 10:48 pm

VLAN without vlan, but...

Fri Apr 16, 2021 9:15 pm

Hey Guys,

I am pretty-pretty new to this Mikrotik-RouterOS (hell) thing. I followed /viewtopic.php?t=143620 for the router config (and some of the switch), but I'm struggling to apply it to my setup. I just bought an RB4011 to replace my EdgeRouter X, and I want to do the following.
(In the terminal it seems easier to just copy-paste some config lines. What is the best way to create the config? I use VSCode with some plugins to highlight the lines and ctrl-c/ctrl-v into the terminal if it seems good.. but it's not good.)

So the basic setup would be like this:

2+1 VLANs:
- IOT_VLAN (20)
- CAM_VLAN (30)
- BASE_VLAN (1 or 99? whatever, I want to have access from this to my whole network, without tagging, just plug in a device and access everything)

RB4011 -> ether2-7 -> unmanaged switches -> pc/etc and UAP-AP-LR -> IOT_VLAN/BASE_VLAN.
RB4011 -> ether8-10 -> camera VLAN (works, I guess)

But if I plug *something* into ether2-7, I want it to have BASE_VLAN, without tagging (or... it can be tagged, but I want to access CAM and IOT from that), and if I access my wifi with IOT, I want to have IOT_VLAN (20) tagging; if I access the basic wifi, I would like to have BASE_VLAN. Before, it worked like a charm with the ER-X and UAPs, but with this Mikrotik device I'm stuck. Really-really stuck. I read around 5634 posts, watched more tutorials in these few days than a 10-series show, but I cannot figure out how this VLAN tagged-untagged thing works. I already reset the router 14 times, the config could be wrong, already configured WinBox and WebFig 100 times, so this way, I just want to have this basic setup for my home usage. I have around 70 devices; right now the cameras are still on another router, and I bought this to replace that router and the ER-X. This device just seems powerful enough. My networking knowledge seems lame, but I am likely to learn more in this (I'm a sw dev, maybe that should be a good thing if you're reluctant to answer).

The only thing I could manage is the ether8-10 ports, which would be the CAM_VLAN, where pvid=30. I guess it works. I have a separate laptop for this testing, and maybe a UAP for testing the IOT and base tagging, but that is not working. The plan was that I just configure this Mikrotik, unplug from the ER-X, plug into the Mikrotik, and everything would be working.

Somebody help me with this; right now I am struggling with this simple (?) setup. Is this simple? Or is this like a big enterprise vlan-tagging-untagging-managing-switching thing? I'd like to have this just for home usage..

Oh, I just forgot the firewall rules.. Maybe in another topic (or if I have to do some fw rules, that's ok, but I don't want to allow access from IOT to BASE, except DNS); right now, I am happy if this works for me. I would really love a simple config (maybe around 20 lines after resetting to default) that would work in this setup. Would somebody lovingly do that for me? I would buy a beer, or a coffee (if you are an antialcoholic), or anything, but my time and stress level are out of control right now.

Thanks.
 
nagypeter56
just joined
Topic Author
Posts: 4
Joined: Thu Apr 15, 2021 10:48 pm

Re: VLAN without vlan, but...

Mon Apr 19, 2021 10:52 am

Over these 2-3 days I have been playing around with the device, and still no luck.

Basically what I need is (I guess): ether2-7 should be hybrid ports (if I understand correctly), where some devices can join without a VLAN tag, and the UAPs as well, where the UAP can send a VLAN tag for IOT (20).
For CAM (ether8-10) it should be port-based VLAN, where the NVR and the cameras get pvid 30 automatically, without needing to send a VLAN tag, so the router should add the 30 tag.

Btw, I want to access the CAM_VLAN and the IOT_VLAN from ether2-7 as well, only with some FW rules.

I've almost figured out what the untagged/tagged ports are in the bridge setup, but couldn't manage it; the reset-config counter is around 30 at this time :D

Am I correct, that I don't need trunk ports?
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: VLAN without vlan, but...  [SOLVED]

Mon Apr 19, 2021 12:43 pm

I personally use bridge filtering stuff only for switches, so I'm describing how I'd do this for your router:

- Put all ports which carry all VLANs including untagged traffic into a bridge0 (eth2-7).
- Put all ports whose incoming data should be tagged with CAM_VLAN into another bridge1 (eth8-10).
- Create VLAN-interfaces for all your VLANs on top of bridge0 (IOT_VLAN, CAM_VLAN)
- Add the CAM_VLAN interface to bridge1. This will cause all untagged traffic entering bridge1 to end up with a CAM_VLAN tag on bridge0 ports.

This should be it.

Edit: I've read your linked topic and I think that using bridge filtering is more elegant, although it's more complicated.
See https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table for an example. What you want is a Trunk/Access Port setup with eth8-10 being access ports and 2-7 being trunk ports.

Then you create the VLAN interfaces on top of the bridge to route between the VLANs and internet.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN without vlan, but...

Mon Apr 19, 2021 3:20 pm

This is the definitive guide for vlan bridge filtering.
viewtopic.php?f=23&t=143620

Here is an example for hybrid.
HomeLAN is vlan10 (where admin resides and thus also the management vlan - all devices should get an IP from vlan20)
ether2 is going to a UAP (vlan10 and vlan20 and vlan30 - hybrid port)
ether3 is going to a managed switch (trunk port carrying vlan10, vlan20-guest, vlan30-iot)
ether4 is going to admin PC (access port)
ether5 is going to managed switch (trunk port carrying vlan10,20,50)

/interface bridge port
add bridge=bridge-one interface=ether2 pvid=10
add bridge=bridge-one interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge-one interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-one interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
add bridge=bridge-one tagged=bridge-one,ether3,ether5 untagged=ether2,ether4 vlan-ids=10
add bridge=bridge-one tagged=bridge-one,ether2,ether3,ether5 vlan-ids=20
add bridge=bridge-one tagged=bridge-one,ether2,ether3 vlan-ids=30
add bridge=bridge-one tagged=bridge-one,ether5 vlan-ids=50

NOTE: there are two ways to config the bridge vlan. The router will automatically assign untagged rules based on the PVID settings above and will activate them when required; however, I like to manually insert them anyway while making the config, so they are clearly articulated (not hidden) when checking the config (easier for me to visually cross-check).

Option:
/interface bridge vlan
add bridge=bridge-one tagged=bridge-one,ether3,ether5 vlan-ids=10 {This is the only line that had untagged frames, so this is the only line that has two possibilities to config}
add bridge=bridge-one tagged=bridge-one,ether2,ether3,ether5 vlan-ids=20
add bridge=bridge-one tagged=bridge-one,ether2,ether3 vlan-ids=30
add bridge=bridge-one tagged=bridge-one,ether5 vlan-ids=50
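The same single-bridge, vlan-filtering layout applied to the original poster's ports (ether2-7 hybrid, ether8-10 camera access ports), as an added example rather than anyone's posted config. The bridge name, VLAN ids (99/20/30), interface names and subnets are assumptions.

```routeros
# Added example (not code from the thread): one bridge, vlan-filtering, for the
# poster's RB4011. Names, VLAN ids and subnets are assumed values.
/interface bridge
add name=bridge vlan-filtering=no comment="turn vlan-filtering on as the last step"

/interface bridge port
# ether2-7: hybrid ports. Untagged frames (PCs, unmanaged switches, the UAP's
# base SSID) land in BASE via pvid 99; frames the UAP tags with 20 are accepted
# because ether2-7 are tagged members of VLAN 20 below. ingress-filtering=yes
# drops tagged frames for any VLAN the port is not a member of (e.g. 30).
add bridge=bridge interface=ether2 pvid=99 ingress-filtering=yes frame-types=admit-all
add bridge=bridge interface=ether3 pvid=99 ingress-filtering=yes frame-types=admit-all
add bridge=bridge interface=ether4 pvid=99 ingress-filtering=yes frame-types=admit-all
add bridge=bridge interface=ether5 pvid=99 ingress-filtering=yes frame-types=admit-all
add bridge=bridge interface=ether6 pvid=99 ingress-filtering=yes frame-types=admit-all
add bridge=bridge interface=ether7 pvid=99 ingress-filtering=yes frame-types=admit-all
# ether8-10: access ports. Cameras and the NVR send untagged, the bridge adds 30;
# a camera that sends its own 802.1Q tag is dropped instead of landing in another VLAN.
add bridge=bridge interface=ether8 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether9 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether10 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# "bridge" itself is a tagged member of every VLAN so the router can route between them.
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=99
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether8,ether9,ether10 vlan-ids=30

# One L3 interface per VLAN; DHCP servers and firewall rules then match on these names.
/interface vlan
add interface=bridge name=BASE_VLAN vlan-id=99
add interface=bridge name=IOT_VLAN vlan-id=20
add interface=bridge name=CAM_VLAN vlan-id=30
/ip address
add address=192.168.99.1/24 interface=BASE_VLAN
add address=192.168.20.1/24 interface=IOT_VLAN
add address=192.168.3.1/24 interface=CAM_VLAN

# Last step, done from a BASE port while in Safe Mode (Ctrl-X in the terminal):
# once filtering is on, the router is reachable only through BASE_VLAN (192.168.99.1).
/interface bridge
set bridge vlan-filtering=yes
```

After enabling filtering, `/interface bridge vlan print` should show exactly these three entries with no dynamic ones for unexpected VLAN ids, and `/interface bridge port print` should show the pvid per port as above.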
 
nagypeter56
just joined
Topic Author
Posts: 4
Joined: Thu Apr 15, 2021 10:48 pm

Re: VLAN without vlan, but...

Tue Apr 20, 2021 12:15 pm

I personally use bridge filtering stuff only for switches, so I'm describing how I'd do this for your router:

- Put all ports which carry all VLANs including untagged traffic into a bridge0 (eth2-7).
- Put all ports whose incoming data should be tagged with CAM_VLAN into another bridge1 (eth8-10).
- Create VLAN-interfaces for all your VLANs on top of bridge0 (IOT_VLAN, CAM_VLAN)
- Add the CAM_VLAN interface to bridge1. This will cause all untagged traffic to bridge1 end up with a CAM_VLAN tag on bridge0 ports.

This should be it.
Wow, I have read before that creating 2 bridges wouldn't be so good, but I tried it, and... it... works!!! Without messing with the vlan filtering and stuff, it just works; I have 2 VLANs with the base bridge. It may not be the elegant way, but if it can work in the long term, without any issue (does this have any issue? - I just need gigabit), it's awesomeness :) Thanks.
Now I am messing with the FW rules to block the connections, but that's a different story.

Here is my config, if someone is in the same situation as me:
/interface bridge
add admin-mac=08:55:31:D1:52:7D auto-mac=no comment=defconf name=bridge
add name=bridge0
add name=bridge1
/interface vlan
add interface=bridge0 name=CAM_VLAN vlan-id=3
add interface=bridge0 name=IOT_VLAN vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=IOT_POOL ranges=192.168.20.5-192.168.20.50
add name=CAM_POOL ranges=192.168.3.5-192.168.3.50
add name=BASE_POOL ranges=192.168.99.5-192.168.99.50
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
add address-pool=CAM_POOL disabled=no interface=bridge1 name=CAM_DHCP
add address-pool=BASE_POOL disabled=no interface=bridge0 name=BASE_DHCP
/interface bridge port
add bridge=bridge0 comment=defconf interface=ether2
add bridge=bridge0 comment=defconf interface=ether3
add bridge=bridge0 comment=defconf interface=ether4
add bridge=bridge0 comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge0 comment=defconf interface=ether7
add bridge=bridge1 comment=defconf interface=ether8 pvid=3 tag-stacking=yes
add bridge=bridge1 comment=defconf interface=ether9 pvid=3 tag-stacking=yes
add bridge=bridge1 comment=defconf interface=ether10 pvid=3 tag-stacking=yes
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge1 interface=CAM_VLAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=IOT_VLAN list=VLAN
add interface=CAM_VLAN list=VLAN
add interface=bridge0 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.20.1/24 interface=IOT_VLAN network=192.168.20.0
add address=192.168.3.1/24 interface=CAM_VLAN network=192.168.3.0
add address=192.168.99.1/24 interface=bridge0 network=192.168.99.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=192.168.1.118
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/system clock
set time-zone-name=Europe/Budapest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(Removed some fw rules from it, and there is the system-configured bridge port, but it's useful only for ether6, as that would remain my "admin port" if I mess up again, without the need of restoring the system... Need to configure a little more, but for a start, to have some VLAN capabilities, it works)
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN without vlan, but...

Tue Apr 20, 2021 2:44 pm

That's the point: having one bridge and a clear set of vlans as per the provided reference, firewall rules become very easy.
The config is all interrelated, so design cannot be done in isolation.
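The poster asked for IOT to reach BASE only for DNS; the rules below, an added example rather than anyone's posted config, do that on the single-bridge layout described above. They assume VLAN interfaces named BASE_VLAN, IOT_VLAN and CAM_VLAN, ether1 as WAN, and that they are placed above any default "accept from LAN" rule (or that the default firewall has been removed, as in the poster's export).

```routeros
# Added example (not from the thread): IOT/CAM isolation for a one-bridge setup.
# Interface names are assumptions. Rules match top to bottom; first match wins.
/ip firewall filter
# Router itself (input chain): IOT and CAM devices may get DHCP and DNS from the
# router and nothing else, so winbox/ssh/www stay reachable only from BASE.
add chain=input connection-state=established,related action=accept comment="replies to the router"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=IOT_VLAN protocol=udp dst-port=53 action=accept comment="IOT: DNS"
add chain=input in-interface=IOT_VLAN protocol=tcp dst-port=53 action=accept comment="IOT: DNS over tcp"
add chain=input in-interface=IOT_VLAN protocol=udp dst-port=67 action=accept comment="IOT: DHCP"
add chain=input in-interface=IOT_VLAN action=drop comment="IOT: no other router services"
add chain=input in-interface=CAM_VLAN protocol=udp dst-port=53 action=accept comment="CAM: DNS"
add chain=input in-interface=CAM_VLAN protocol=udp dst-port=67 action=accept comment="CAM: DHCP"
add chain=input in-interface=CAM_VLAN action=drop comment="CAM: no other router services"
# Between VLANs (forward chain): BASE may open connections anywhere and the
# established,related rule lets the answers back. IOT and CAM may not start
# anything towards BASE, and cameras may not reach the internet at all.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=IOT_VLAN out-interface=BASE_VLAN action=drop comment="IOT -> BASE blocked"
add chain=forward in-interface=IOT_VLAN out-interface=CAM_VLAN action=drop comment="IOT -> CAM blocked"
add chain=forward in-interface=CAM_VLAN out-interface=BASE_VLAN action=drop comment="CAM -> BASE blocked"
add chain=forward in-interface=CAM_VLAN out-interface=IOT_VLAN action=drop comment="CAM -> IOT blocked"
add chain=forward in-interface=CAM_VLAN out-interface=ether1 action=drop comment="CAM -> internet blocked"
```

Check the hit counters with `/ip firewall filter print stats` while a device on IOT_VLAN tries to reach a BASE address; the packet count of the matching drop rule should climb while DNS lookups against 192.168.20.1 keep working.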
 
nagypeter56
just joined
Topic Author
Posts: 4
Joined: Thu Apr 15, 2021 10:48 pm

Re: VLAN without vlan, but...

Tue Apr 20, 2021 3:08 pm

That's the point: having one bridge and a clear set of vlans as per the provided reference, firewall rules become very easy.
The config is all interrelated, so design cannot be done in isolation.

I couldn't manage it with 1 bridge unfortunately; every time I got an issue with it. One time I had almost success, but with a tagged-untagged issue: the CAM and BASE couldn't talk to each other with the IOT vlan (firewall was disabled) - yeah, I know, it was because of my lack of skill in RouterOS and maybe in networking overall, but if there is a simpler solution than vlan (multiple bridges), I tried it and had success in less than 1 hour (the vlan filtering was hitting my head and I struggled, as said in my first post). Already spent around 20 hours configuring this device, and got tired of it. Your answer was OK, but not enough to get it to work for me, maybe because of the Unifi's VLAN, or port-based vlan, whatever; with this solution, it's great (I guess, already replaced the ERX), and I also have an "admin port", which is great as well, easily (with the bridge named "bridge").
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN without vlan, but...

Tue Apr 20, 2021 6:33 pm

No worries, if it works for you, that's what counts.
If and when you want to do it the more standard way, let me know.
