hansfranz
just joined
Topic Author
Posts: 12
Joined: Mon Apr 19, 2021 6:54 pm

MAC VLAN on CRS354-48G

Thu Apr 22, 2021 10:22 pm

Hello,
I think I have a rather simple scenario/question, but I still need help with it.
I want to realize the following:
- 3 VLANs (e.g. 101, 102, 103)
- 60 devices in total, 20 per VLAN
- devices should be identified by MAC
- no matter which port a device is connected to, it shall be "moved" to the (pre-configured) VLAN.
- this means every port (except the trunk port where the router is connected) shall provide the correct VLAN untagged to the device
- 1 port is a trunk port where all 3 VLANs are configured tagged - this is where the router will be connected.

The scenario is a bit simplified to make explanation easier but that's the essence of it.
:-)

To be honest: I'm a bit confused by reading about all these (multiple) switch chips, CPU, HW offloading etc. and that I should plan my infrastructure according to what the switch device might be able to do.

It would be very nice if someone could provide some basic hints if such an approach is basically possible with this device and how I need to start/proceed.

Thanks in advance!
HF
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MAC VLAN on CRS354-48G

Fri Apr 23, 2021 7:29 pm

Not sure what you are asking is easily accomplished.
When one sets a static IP address on the router, it is effectively set by mac address.
There is no functionality that I am aware of to do what you ask???
Be advised, anyone can change their mac address quite easily.

In other words, you may have some requirements that are interesting but not explained in sufficient detail to provide a tenable solution.
You are predisposing the solution which is not necessarily helpful.

Describe the scenario you have (network available - physical equipment and connections between them - aka a network diagram) and the set of requirements: what users are supposed to be doing and any limitation on them. WITHOUT ANY WORD OF ROUTER, SWITCH PORT ETC.
 
hansfranz
just joined
Topic Author
Posts: 12
Joined: Mon Apr 19, 2021 6:54 pm

Re: MAC VLAN on CRS354-48G

Sat Apr 24, 2021 11:27 am

Hello Anav,

thanks for your reply.
Sorry for not being clear enough. I will try to describe my idea better.
I have some personal computers (PCs), some Media Computers (AV-Receivers, Playstation etc.) and Devices for house automation.
I also use an OPNSense as (I should not say but:) Router/FW. It's doing DHCP, DNS etc.

I want to separate "Home-PCs" from "Media-PCs" and "House automation" (by VLAN).
When I move a Media-PC from the living room to another location and connect it to the LAN port there, I want the Device to stay in "its network/VLAN".
Same applies for devices of the other categories.

I know that MACs can be faked but that's not a considerable risk in my environment. If I wanted to address this I would think about adding RADIUS to the game, but not yet.
:-)

In professional/business environments there is often a dedicated NAC system used to realize/control such a setup. But I thought I could get at least the basic idea transported to my home without spending several k€.

Hopefully I was able to explain it better even if I didn't manage to skip some networking terms completely - sorry for that.

Thanks and best regards,
HF
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MAC VLAN on CRS354-48G

Sat Apr 24, 2021 1:49 pm

Quick question, where are you plugging in your media laptop, is it a cable jack in the wall or is it into switches etc.?
Do the switches have multiple ports and are they managed switches that can read vlan tags?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: MAC VLAN on CRS354-48G

Sat Apr 24, 2021 4:15 pm

Did you read this part of CRS3xx switch manual? I think that as a CRS3xx owner you should read it and understand every bit (OK, byte) of the whole document.
 
hansfranz
just joined
Topic Author
Posts: 12
Joined: Mon Apr 19, 2021 6:54 pm

Re: MAC VLAN on CRS354-48G

Sun Apr 25, 2021 3:42 pm

Hello mkx,

yes of course, I did.
This doc describes basically the configuration of a trunk port.
This hits in my setup just in one single aspect: the one trunk port where I want to connect the OPNSense/Router.
As I described already, I want the separate OPNSense to do the routing between VLANs. I don't want to let the CRS do this job.
What I was asking for here is the other part of the configuration: being able to assign a MAC-specific VLAN to a device no matter which port (except trunk) I connect it to.

BR,
HF
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: MAC VLAN on CRS354-48G

Sun Apr 25, 2021 4:21 pm

The linked document describes just every switching aspect of CRS3xx, there are many sections (port-based VLANs included, trunk port is one of possible port-based VLAN modes).

Sure, you need to configure a trunk towards your router. But I was thinking specifically about this part:
/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200

I'm guessing (I don't have a CRS3xx to try) that you could enumerate all access ports (i.e. ports other than trunk towards router) in ports=... entity (plural form implies you can set more than one port there, e.g. ports=ether2,ether3,ether4,...). src-mac-address would be set to MAC address of your device and new-vlan-id would be set to VLAN ID appropriate for that device.
Each port would probably need a PVID set so that random devices still get some sort of connectivity.

Or am I missing your goal completely?
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: MAC VLAN on CRS354-48G

Sun Apr 25, 2021 5:48 pm

Whilst switch rules would map unicast traffic to specific VLANs, any broadcast/multicast traffic would not be, likely breaking things.

As you are using OPNsense which appears to support RADIUS https://docs.opnsense.org/manual/how-to ... adius.html you have everything needed to implement 802.1x https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x which can permit access based on MAC or credential/certificate.
 
hansfranz
just joined
Topic Author
Posts: 12
Joined: Mon Apr 19, 2021 6:54 pm

Re: MAC VLAN on CRS354-48G

Mon Apr 26, 2021 6:13 pm

Hello mkx,

thanks again for your answer.
> ...
> /interface ethernet switch rule
> add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
> I'm guessing (I don't have a CRS3xx to try) that you could enumerate all access ports (i.e. ports other than trunk towards router) in ports=... entity (plural form implies you can set more than one port there, e.g. ports=ether2,ether3,ether4,...). src-mac-address would be set to MAC address of your device and new-vlan-id would be set to VLAN ID appropriate for that device.
I thought the same until I was reading the several "switch chip" topics. As far as I understood (maybe I'm wrong), this meant that I can do this (at wire-speed switch performance) only on those ports connected to the same switch chip.
If I want to do it for all the 47 ports, it needs to be done (somehow) using the CPU.
I have no idea what exactly does this mean but I'm wondering why there are several how-to's and posts pointing out exactly this topic.

So honestly, I'm a bit confused. That's why I was posting my question.

BR,
HF
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: MAC VLAN on CRS354-48G

Mon Apr 26, 2021 6:20 pm

Block diagram of CRS354-48G indicates that this unit has a single switch chip ...

[Image: block diagram of the CRS354-48G]

There are other (mostly mid-priced) MT devices which have two (or more) switch chips and with those several limits apply. So when studying some tutorials it's important to understand differences in hardware and how those affect the end result. CRS3xx devices on the other hand are MT's top-line and (almost) no restrictions apply.
 
hansfranz
just joined
Topic Author
Posts: 12
Joined: Mon Apr 19, 2021 6:54 pm

Re: MAC VLAN on CRS354-48G

Mon Apr 26, 2021 6:44 pm

Hello,

hopefully I don't do a double post. Had to restart FF because of an update...:-(
> Whilst switch rules would map unicast traffic to specific VLANs, any broadcast/multicast traffic would not be, likely breaking things.
Means DHCP discover packets won't make it to the DHCP instance of the corresponding VLAN?
Uuuhhh, that would be a problem indeed.
> As you are using OPNsense which appears to support RADIUS https://docs.opnsense.org/manual/how-to ... adius.html you have everything needed to implement 802.1x https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x which can permit access based on MAC or credential/certificate.
Honestly, I didn't consider RADIUS yet. It's a new topic for me, lack of knowledge yet.
But I will have a look for sure.

Only risk I see (besides the knowledge part) is the fact that if the server or the OPNSense VM is failing, the whole network is down.
I can't even reach the server from my usual working console pc anymore.
Right?!

Thanks and best regards,
HF
 
hansfranz
just joined
Topic Author
Posts: 12
Joined: Mon Apr 19, 2021 6:54 pm

Re: MAC VLAN on CRS354-48G

Mon Apr 26, 2021 7:02 pm

Hello Metod,

you are right. I've seen the diagram but didn't realize the one switch chip only. *rollingeyes*
Thought about the 6 small chips...but yes, my fault.

And yes, the PVID needs to be set as (kind of) default VLAN ID. In my setup that would be for the "Unknown devices" VLAN with limited access only.
I will give it a try.

Thanks again!

BR,
HF
 
hansfranz
just joined
Topic Author
Posts: 12
Joined: Mon Apr 19, 2021 6:54 pm

Re: MAC VLAN on CRS354-48G

Tue Apr 27, 2021 7:19 pm

Hi Anav,
> Quick question, where are you plugging in your media laptop, is it a cable jack in the wall or is it into switches etc.?
> Do the switches have multiple ports and are they managed switches that can read vlan tags?
I have "wall plugs" in all the rooms. All are connected to patch panels in the basement where they will be patched to the CRS3xx switch.
No additional switches (for the sake of simplification right now).

Finally, there will be one exception: One stupid small 8-port switch connecting some AV-components but this I thought to realize using port-based VLAN on one designated port of the CRS.
But really as an exception.

BR,
HF
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: MAC VLAN on CRS354-48G

Tue Apr 27, 2021 7:49 pm

> Whilst switch rules would map unicast traffic to specific VLANs, any broadcast/multicast traffic would not be, likely breaking things.
This is not entirely the case, but I find the MAC based VLAN support problematic in other ways and we have not used it.

The way MikroTik wants it configured is to make the same port untagged on multiple VLANs simultaneously - for every single VLAN that you may want to use MAC VLAN to map to. So egress from the port to the device is handled by this - it receives untagged data from three different VLANs at the same time. The switch rule takes care of ingress only as far as I am aware, so it results in the device being able to receive traffic on multiple VLANs untagged at once, but only be able to reply on one.

For obvious reasons this is not a good solution to MAC based VLAN. You could have situations where you do not want the device receiving broadcasts or multicasts for the wrong VLAN if it will cause strange things to happen. For instance with IPv6 you could potentially get a stray router advertisement from the wrong VLAN and end up getting an IP on that VLAN that doesn't work.

AFAIK, this mac-based VLAN support is the only reason that they implemented the "untagged=" setting under bridge/vlan in the first place, which otherwise does not have a purpose as the pvid= setting for the port handles both ingress and egress traffic.
 
hansfranz
just joined
Topic Author
Posts: 12
Joined: Mon Apr 19, 2021 6:54 pm

Re: MAC VLAN on CRS354-48G

Wed Apr 28, 2021 5:00 pm

Hi,

maybe I didn't describe it to the point.
> This is not entirely the case, but I find the MAC based VLAN support problematic in other ways and we have not used it.
>
> The way MikroTik wants it configured is to make the same port untagged on multiple VLANs simultaneously - for every single VLAN that you may want to use MAC VLAN to map to. So egress from the port to the device is handled by this - it receives untagged data from three different VLANs at the same time.
No, it doesn't (AFAIK).
Only one device is connected at a time.
That's the main scenario.
The trunk port to the router gets of course packets for different VLANs but this port runs in tagged mode.

Does this make more sense now?

BR,
HF
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: MAC VLAN on CRS354-48G

Wed Apr 28, 2021 5:48 pm

> Does this make more sense now?
No, this does not agree with the example configuration MikroTik posted on their wiki.

First they have this, which is clear:
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
Then they have this block, which makes port ether7 untagged on egress for three VLANs simultaneously (VLAN 200, 300, 400):
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200,300,400
With the line above, anything connected to ether7 sees any packets on VLANs 200, 300, and 400 as untagged traffic. It is theoretically the same as having this:
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=400
Nothing is present yet to give bidirectional communication - the traffic flow is working egress only at this point. Then the rules are added:
/interface ethernet switch rule
add switch=switch1 ports=ether7 src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether7 src-mac-address=84:37:62:DF:04:20/FF:FF:FF:FF:FF:FF new-vlan-id=300
add switch=switch1 ports=ether7 src-mac-address=E7:16:34:A1:CD:18/FF:FF:FF:FF:FF:FF new-vlan-id=400
These rules are used to handle MAC VLAN on port ether7 but they apply to ingress traffic only. That is why ether7 has to be made to receive untagged packets from multiple VLANs simultaneously - it is a workaround to the problem of how to get it to receive packets from the correct VLAN.

So what does this mean if you have MAC A4:12:6D:77:94:43 when you are connected to ether7? If you send a packet, it will get VLAN 200 tagged by the rule. You will also receive any broadcasts and multicasts and other flooded packets that come from VLAN 200, with no tag. However, you will also receive broadcasts from VLANs 300 and 400 on that device with no tag on those packets. So there is some VLAN "leaking" that happens as a result of the workaround in MikroTik's implementation of this feature.
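The mechanism mducharme describes in this post and in the earlier one (ingress VLAN chosen per source MAC by the switch rule, egress governed by the bridge VLAN table with the access port untagged in several VLANs) can be traced on sample frames with the following Python model. It is an added illustration for this thread, not RouterOS code, not MikroTik's implementation and not anything the posters wrote; it reuses the ether2/ether7 ports, VLANs and MAC addresses of the quoted wiki example, assumes PVID 1 on both ports, constructs a dummy broadcast source MAC, and compares the result with a conventional PVID-only access port.

```python
"""Toy model of the CRS3xx MAC-based VLAN setup quoted in this thread.

Added illustration, not RouterOS code and not MikroTik's own implementation:
it reproduces the forwarding behaviour described above (ingress VLAN chosen
per source MAC by a switch rule, egress governed by the bridge VLAN table)
so the broadcast "leak" can be observed on constructed frames.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int | None = None  # None means the frame is untagged on the wire


@dataclass
class Switch:
    # pvid per bridge port, from "/interface bridge port add ... pvid="
    pvid: dict[str, int] = field(default_factory=dict)
    # bridge VLAN table: vlan-id -> (tagged ports, untagged ports)
    vlan_table: dict[int, tuple[set[str], set[str]]] = field(default_factory=dict)
    # switch rules: (port, src-mac) -> new-vlan-id
    rules: dict[tuple[str, str], int] = field(default_factory=dict)

    def add_vlan(self, vlan_ids, tagged=(), untagged=()):
        """Model one '/interface bridge vlan add' line."""
        for vid in vlan_ids:
            self.vlan_table[vid] = (set(tagged), set(untagged))

    def add_rule(self, ports, src_mac, new_vlan_id):
        """Model one '/interface ethernet switch rule add' line."""
        for port in ports:
            self.rules[(port, src_mac.upper())] = new_vlan_id

    def classify_ingress(self, port, frame):
        """VLAN an incoming frame is assigned to, or None if it is dropped.

        Tagged frames are accepted only on ports listed as tagged for that
        VLAN. Untagged frames take the switch rule's new-vlan-id when the
        source MAC matches, otherwise the port's PVID. The rule acts on
        ingress only; it never changes what the port sends out.
        """
        if frame.vlan is not None:
            tagged, _ = self.vlan_table.get(frame.vlan, (set(), set()))
            return frame.vlan if port in tagged else None
        rule_vlan = self.rules.get((port, frame.src_mac.upper()))
        return rule_vlan if rule_vlan is not None else self.pvid.get(port)

    def flood(self, vlan, ingress_port):
        """Ports a broadcast in `vlan` reaches: port -> True if sent tagged."""
        tagged, untagged = self.vlan_table.get(vlan, (set(), set()))
        out = {p: True for p in tagged}
        out.update({p: False for p in untagged})
        out.pop(ingress_port, None)
        return out


def wiki_style_switch():
    """The configuration quoted from the MikroTik wiki above: ether2 trunk,
    ether7 access port, MACs as in the quoted example, PVID 1 assumed."""
    sw = Switch(pvid={"ether2": 1, "ether7": 1})
    sw.add_vlan((200, 300, 400), tagged=["ether2"], untagged=["ether7"])
    sw.add_rule(["ether7"], "A4:12:6D:77:94:43", 200)
    sw.add_rule(["ether7"], "84:37:62:DF:04:20", 300)
    sw.add_rule(["ether7"], "E7:16:34:A1:CD:18", 400)
    return sw


def pvid_only_switch():
    """Conventional access port: ether7 untagged in VLAN 200 only, no rules."""
    sw = Switch(pvid={"ether2": 1, "ether7": 200})
    sw.add_vlan((200,), tagged=["ether2"], untagged=["ether7"])
    sw.add_vlan((300, 400), tagged=["ether2"])
    return sw


def leaked_vlans(sw, port, own_vlan, trunk="ether2"):
    """VLANs other than `own_vlan` whose broadcasts, entering tagged on the
    trunk, are delivered to `port` without a tag (sorted list)."""
    leaks = set()
    for vid in sw.vlan_table:
        # constructed broadcast from the router side, tagged with vid
        bcast = Frame("00:00:5e:00:53:01", "ff:ff:ff:ff:ff:ff", vlan=vid)
        if sw.classify_ingress(trunk, bcast) != vid:
            continue
        delivered = sw.flood(vid, trunk)
        if delivered.get(port) is False and vid != own_vlan:
            leaks.add(vid)
    return sorted(leaks)


if __name__ == "__main__":
    sw = wiki_style_switch()
    dev = Frame("a4:12:6d:77:94:43", "ff:ff:ff:ff:ff:ff")
    print("device on ether7 sends into VLAN", sw.classify_ingress("ether7", dev))
    print("but also receives untagged broadcasts from", leaked_vlans(sw, "ether7", 200))
    print("pvid-only port leaks", leaked_vlans(pvid_only_switch(), "ether7", 200))
```

Running the block shows the A4:… device on ether7 sending into VLAN 200 while still receiving untagged broadcasts from 300 and 400, whereas the PVID-only port leaks nothing; that is the "leaking" described above, and the reason a stray router advertisement from a neighbouring VLAN can reach the device.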
 
hansfranz
just joined
Topic Author
Posts: 12
Joined: Mon Apr 19, 2021 6:54 pm

Re: MAC VLAN on CRS354-48G

Wed Apr 28, 2021 6:12 pm

> No, this does not agree with the example configuration MikroTik posted on their wiki.
Yes, you are right. It's not exactly the example described in the manual. That's one reason why I posted my question/setup/example here.
In the meantime I tried to configure the switch (trying again to understand the configuration scheme) but I'm not done yet.
Obviously I'm still missing something...
One remark: I had to remove the ports from the default "bridge" first. Since I couldn't find out how to do it on the command line, I used the WebGUI - sorry for that ;-)
Afterwards I did:
/interface bridge
add name=bridge1 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 interface=ether13 hw=yes pvid=999
add bridge=bridge1 interface=ether14 hw=yes pvid=999
add bridge=bridge1 interface=ether15 hw=yes pvid=999
add bridge=bridge1 interface=ether16 hw=yes pvid=999
add bridge=bridge1 interface=ether17 hw=yes pvid=999
add bridge=bridge1 interface=ether18 hw=yes pvid=999
add bridge=bridge1 interface=ether19 hw=yes pvid=999
add bridge=bridge1 interface=ether20 hw=yes pvid=999
add bridge=bridge1 interface=ether21 hw=yes pvid=999
add bridge=bridge1 interface=ether22 hw=yes pvid=999
add bridge=bridge1 interface=ether23 hw=yes pvid=999
add bridge=bridge1 interface=ether24 hw=yes pvid=999

/interface bridge vlan
add bridge=bridge1 tagged=ether13 untagged=ether21,ether22,ether23,ether24 vlan-ids=104,105

/interface ethernet switch rule
add switch=switch1 ports=ether21 src-mac-address=B8:27:eb:11:11:11/FF:FF:FF:FF:FF:FF new-vlan-id=104
add switch=switch1 ports=ether22 src-mac-address=B8:27:eb:11:11:11/FF:FF:FF:FF:FF:FF new-vlan-id=104
add switch=switch1 ports=ether23 src-mac-address=B8:27:eb:11:11:11/FF:FF:FF:FF:FF:FF new-vlan-id=104
add switch=switch1 ports=ether24 src-mac-address=B8:27:eb:11:11:11/FF:FF:FF:FF:FF:FF new-vlan-id=104

add switch=switch1 ports=ether21 src-mac-address=18:60:24:11:11:11/FF:FF:FF:FF:FF:FF new-vlan-id=105
add switch=switch1 ports=ether22 src-mac-address=18:60:24:11:11:11/FF:FF:FF:FF:FF:FF new-vlan-id=105
add switch=switch1 ports=ether23 src-mac-address=18:60:24:11:11:11/FF:FF:FF:FF:FF:FF new-vlan-id=105
add switch=switch1 ports=ether24 src-mac-address=18:60:24:11:11:11/FF:FF:FF:FF:FF:FF new-vlan-id=105
VLAN ID 999 is the default port VLAN (for fallback or "unknown" devices).
I used two VLANs, 104 and 105, for my example.
I connected one device to port 23, the other to port 24.
I also tried to circumvent possible broadcast issues by configuring fixed IP addresses according to the VLAN's IP range.
Then I tried to ping the VLAN gateway (which is the router's VLAN interface).
Port 13 is the trunk port that should forward tagged packets to the router.

You will guess it: I failed.
Means it doesn't work.
Sniffing on ports 13 and 23/24 shows packets, but none of them has a VLAN ID set.
I would expect at least VLAN IDs on port 13.

What did I miss or is it simply a totally wrong approach?

Thanks and best regards,
HF

EDIT: I recognized that the display of sniffed packets in MikroTik's WebGUI doesn't show the VLAN tag even if it is present.
I was trying to ping from the router's VLAN IF to the client with the static IP and captured with Wireshark on the host of the OPNSense VM as well as on the switch itself, but this time to a pcap file.
Both show the VLAN tag 105.
The Packet view in WebGUI doesn't. Maybe it's a bug...

Anyway, I can't get it to work even to just ping the fixed IPs of each device, nor vice versa.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: MAC VLAN on CRS354-48G

Thu Apr 29, 2021 5:07 am

> One remark: I had to remove the ports from the default "bridge" first. Since I couldn't find out how to do it on the command line, I used the WebGUI - sorry for that ;-)
You have two bridges then? Hardware acceleration can only work in one bridge on a router - are you setting hw=no on the remaining bridge ports that connect to the other bridge to prevent that from using the hardware acceleration for itself?

For a switch like that you are generally best off using only one bridge on the device.
 
hansfranz
just joined
Topic Author
Posts: 12
Joined: Mon Apr 19, 2021 6:54 pm

Re: MAC VLAN on CRS354-48G

Fri Apr 30, 2021 8:51 pm

Hi mducharme,
> You have two bridges then? Hardware acceleration can only work in one bridge on a router - are you setting hw=no on the remaining bridge ports that connect to the other bridge to prevent that from using the hardware acceleration for itself?
> For a switch like that you are generally best off using only one bridge on the device.
I tried today with one switch, followed the basic approach described in manual.
Checking the configuration in the WebGUI looked good as far as I understand it.
Unfortunately I didn't succeed. It seems that the ports that should apply/remove VLAN tags according to the connected MAC address do not do anything in this regard.

So finally I give up, return the switch and admit that I'm not smart enough to use such a device.
Sure, I'm operating a network with nearly 100 switches (Extreme Networks), NACs, Firewalls etc. incl. (MAC authentication & VLAN assignment).
But even working in such an environment didn't prepare me for the challenges one is facing when buying a Mikrotik device.

Anyway, thanks again to all the other guys here who tried to help me.

I wish you all the best.
Best regards, over and out,
HF
