Abdisirat
just joined
Topic Author
Posts: 24
Joined: Fri May 15, 2020 9:56 pm

VLANS & Management VLAN

Tue Jul 13, 2021 6:54 pm

Hi there!
I am new to Mikrotik and would like to be assisted in my configs. I really like the Mikrotik capability.
I have two WAN connections and 4 VLANS. 3 VLANS 10,20 and 30 are on the Switch ether 2,3 and respectively. VLAN 40 is on ether 3 of the R1. VLAN 99 is the management VLAN.
The problem I have is that I cannot ping the gateway for any of the VLANS e.g. hosts on 10.10.10.0/24 cannot ping 10.10.10.1.
I cannot connect to the Switch using the 10.99.99.2 as the ping says error.
I have exported the current configs for both the Router and the Switch and would appreciate being guided.

ROUTER (R1)
# jul/13/2021 18:34:40 by RouterOS 6.48.3
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=combo1 ] comment=ISP1
set [ find default-name=ether1 ] comment=ISP2
/interface vlan
add interface=ether2 name=vlan10-Cust.1 vlan-id=10
add interface=ether2 name=vlan20-Cust.2 vlan-id=20
add interface=ether2 name=vlan30-Cust.3 vlan-id=30
add interface=ether3 name=vlan40-HOME vlan-id=40
add interface=ether2 name=vlan99-MGMT vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool1 ranges=10.20.20.2-10.20.20.254
add name=dhcp_pool2 ranges=10.30.30.2-10.30.30.254
add name=dhcp_pool3 ranges=10.40.40.2-10.40.40.254
add name=dhcp_pool4 ranges=10.99.99.2-10.99.99.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10-Cust.1 lease-time=1d \
name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan20-Cust.2 lease-time=1d \
name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan30-Cust.3 lease-time=1d \
name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=bridge lease-time=1d name=\
dhcp4
add address-pool=dhcp_pool4 disabled=no interface=vlan99-MGMT lease-time=1d \
name=dhcp5
/queue tree
add max-limit=30M name=Cust.1-UPLOAD packet-mark=Cust.1-UPLOAD parent=global
add max-limit=30M name=Cust.1-DOWNLOAD packet-mark=Cust.1-DOWNLOAD parent=global
add max-limit=7M name=Cust.2-UPLOAD packet-mark=Cust.2-UPLOAD parent=global
add max-limit=7M name=Cust.2-DOWNLOAD packet-mark=Cust.2-DOWNLOAD parent=global
add max-limit=7M name=Cust.3-UPLOAD packet-mark=Cust.3-UPLOAD parent=global
add max-limit=7M name=Cust.3-DOWNLOAD packet-mark=Cust.3-DOWNLOAD parent=global
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=vlan40-HOME
add bridge=bridge interface=ether2
/ip address
add address=10.10.10.1/24 interface=vlan10-Cust.1 network=10.10.10.0
add address=10.20.20.1/24 interface=vlan20-Cust.2 network=10.20.20.0
add address=10.30.30.1/24 interface=vlan30-Cust.3 network=10.30.30.0
add address=10.40.40.1/24 interface=vlan40-HOME network=10.40.40.0
add address=10.99.99.1/24 interface=vlan99-MGMT network=10.99.99.0
/ip dhcp-client
add comment=ISP1 disabled=no interface=combo1
add comment=ISP2 disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.20.20.0/24 gateway=10.20.20.1
add address=10.30.30.0/24 gateway=10.30.30.1
add address=10.40.40.0/24 gateway=10.40.40.1
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=Cust.1-UPLOAD \
passthrough=yes src-address=10.10.10.0/24
add action=mark-packet chain=prerouting new-packet-mark=Cust.2-UPLOAD \
passthrough=yes src-address=10.20.20.0/24
add action=mark-packet chain=prerouting new-packet-mark=Cust.3-UPLOAD \
passthrough=yes src-address=10.30.30.0/24
add action=mark-packet chain=postrouting dst-address=10.30.30.0/24 \
new-packet-mark=Cust.3-DOWNLOAD passthrough=yes
add action=mark-packet chain=postrouting dst-address=10.20.20.0/24 \
new-packet-mark=Cust.2-DOWNLOAD passthrough=yes
add action=mark-packet chain=postrouting dst-address=10.10.10.0/24 \
new-packet-mark=Cust.1-DOWNLOAD passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.10.10.0/24
add action=masquerade chain=srcnat src-address=10.20.20.0/24
add action=masquerade chain=srcnat src-address=10.30.30.0/24
add action=masquerade chain=srcnat src-address=10.40.40.0/24
add action=masquerade chain=srcnat src-address=10.99.99.0/24
/ip route
add distance=1 gateway=192.168.200.1 routing-mark=To_ISP1
add distance=1 gateway=192.168.0.1 routing-mark=To_ISP2
/ip route rule
add src-address=10.10.10.0/24 table=To_ISP1
add src-address=10.20.20.0/24 table=To_ISP2
add src-address=10.30.30.0/24 table=To_ISP2
add src-address=10.40.40.0/24 table=To_ISP1


SWITCH (S1)
# jan/02/1970 10:30:54 by RouterOS 6.48.3

/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=\
ether1,ether2,ether3,ether4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=10
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1 vlan-id=30
add tagged-ports=switch1-cpu,ether1 vlan-id=99
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=30 ports=ether4
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4 vlan-id=10
add ports=ether1,ether2,ether3,ether4 vlan-id=20
add ports=ether1,ether2,ether3,ether4 vlan-id=30
add ports=switch1-cpu,ether1 vlan-id=99
/ip address
add address=10.99.99.2/24 interface=vlan99 network=10.99.99.0
/ip firewall filter
add action=accept chain=forward in-interface=all-vlan out-interface=all-vlan
/ip route
add distance=1 gateway=10.99.99.1
/system identity
set name=S1
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANS & Management VLAN

Wed Jul 14, 2021 2:36 pm

Suggest you read through this link and revise your setup. Not much is done correctly.

viewtopic.php?f=23&t=143620
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLANS & Management VLAN

Wed Jul 14, 2021 9:36 pm

Switch and Router models?

Also, there is a lot of information in the MikroTik wiki...
 
Abdisirat
just joined
Topic Author
Posts: 24
Joined: Fri May 15, 2020 9:56 pm

Re: VLANS & Management VLAN

Thu Jul 15, 2021 5:53 am

> Switch and Router models?
>
> Also, there is a lot of information in the MikroTik wiki...

Router - CCR1009-7G-1C-PC
Switch - CRS112-8P-4S-IN
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLANS & Management VLAN

Sun Jul 18, 2021 9:05 pm

>> Switch and Router models?
>>
>> Also, there is a lot of information in the MikroTik wiki...
>
> Router - CCR1009-7G-1C-PC
> Switch - CRS112-8P-4S-IN

CRS112 does not support Bridge VLAN filtering along with VLANs...
So you should use the old way of VLANs...

Examples here : https://wiki.mikrotik.com/wiki/Manual: ... mples#VLAN
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANS & Management VLAN

Mon Jul 19, 2021 2:27 am

But the CCR1009 does so you should use the link provided for that device.
 
Abdisirat
just joined
Topic Author
Posts: 24
Joined: Fri May 15, 2020 9:56 pm

Re: VLANS & Management VLAN

Thu Jul 22, 2021 8:56 pm

> But the CCR1009 does so you should use the link provided for that device.

thank you guys..
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANS & Management VLAN

Thu Jul 22, 2021 9:54 pm

For the switch this is a decent guide......
https://www.youtube.com/watch?v=Rj9aPoyZOPo
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: VLANS & Management VLAN

Fri Jul 23, 2021 2:15 am

> But the CCR1009 does so you should use the link provided for that device.

Have to be careful with this one.

The CCR1009-8G has a switch chip on 1-4.

The CCR1009-7G does not.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANS & Management VLAN

Fri Jul 23, 2021 3:19 am

Why do you waste our time with that post,
a. the 8G must be an old model as it's not on the website
b. if you read the posts and specifically post #4 clearly states a 7G model.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: VLANS & Management VLAN

Fri Jul 23, 2021 3:41 am

Because of the way the sequence of posts went.

The post prior to the one I quoted said

"CRS112 does not support Bridge VLAN filtering along with VLANs...
So you should use the old way of VLANs..."

Yours directly following says

"But the CCR1009 does so you should use the link provided for that device."

You make it sound like it supports bridge vlan filtering in hardware.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: VLANS & Management VLAN

Fri Jul 23, 2021 4:57 am

I think anav did not clearly communicate what he (probably) meant:

The CRS112 does not have hardware support for bridge VLAN filtering, and the CPU in that device is quite weak, so using bridge VLAN filtering on it is not really practical, and you are best off setting up VLANs using the CRS1xx/2xx switch chip method.

The CCR1009 also doesn't have hardware support for bridge VLAN filtering, but the CPU in that device is quite powerful by comparison, and so it can handle it. Furthermore, since the currently available CCR1009 models do not have a switch chip, there is no other way of setting up VLANs that can be hardware offloaded, and therefore there is no disadvantage to using bridge VLAN filtering on those devices (i.e. any other method will not reduce CPU usage and the load on the device).
Last edited by mducharme on Fri Jul 23, 2021 5:08 am, edited 1 time in total.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: VLANS & Management VLAN

Fri Jul 23, 2021 5:05 am

That I agree with and understand. But the way it was written above could have been misconstrued by someone newer to MikroTik. And I was fearful he was referring to the older hardware that did have a switch chip in it. While the newer version does not. Which of course did not require such a poor reply.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANS & Management VLAN

Fri Jul 23, 2021 5:53 pm

Thanks charming mud guy!

As for the drive by poster this is not a fear problem, it's a literacy problem on your part..............
Why you read my post without the OP's post is mind boggling.

>> Switch and Router models?
>>
>> Also, there is a lot of information in the MikroTik wiki...
>
> Router - CCR1009-7G-1C-PC
> Switch - CRS112-8P-4S-IN

I also own the CCR1009-7G and run about 15 vlans in bridge filtermode.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: VLANS & Management VLAN

Fri Jul 23, 2021 6:04 pm

I read what he had written, and am familiar with what he has. What I was fearful of was that you may have confused it with the older model with the switch chip when you made your suggestion. I have seen this on the forum several times (not you specifically, but the model). Unfortunately, without personally knowing you, we cannot possibly know exactly what's going through your mind. I also have about 25 of the same model as him in the field, mixed along with about 200 or so others.

This forum is here to help people, and it's very easy to get tunnel vision on subject matters. Just trying to help clarify for other readers. Berating people is not necessary, nor helpful.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANS & Management VLAN

Fri Jul 23, 2021 8:02 pm

Stop making excuses, you simply needed to state that you had missed what the OP wrote, period.
Instead of making a million excuses that don't fly.
You invented shit that doesn't exist, so I am simply informing you to stop making problems that are not there.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLANS & Management VLAN

Mon Jul 26, 2021 9:08 pm

You can use the CCR with Software VLANs as well...
In general you can create VLANs either in hardware or in Software...
There are 3 ways you can do that: 1. Bridge VLAN Filtering ( it will consume CPU resources for devices that do not support it ), 2. Switch Chip VLANs ( for devices with Switch Chip, old method, configuration depends on the switch chip model ), 3. Software VLANs ( /Interface VLAN )
It all depends on what you need to accomplish...

For example, let's say you have a CCR1009 and a CRS 328 switch, you can create VLANs on the Switch using Bridge VLAN Filtering, and on the CCR the Port ( Trunk ) connected with the CRS328 would be done in Software .. So you could create your VLANs on the SFP Port of the CCR1009 under /interface VLAN and connect it to the Trunk port of the CRS328...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANS & Management VLAN

Mon Jul 26, 2021 10:54 pm

Zach you are blowing my mind LOL.
Please write a user article explaining software vlans!!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANS & Management VLAN

Mon Jul 26, 2021 10:59 pm

> There are 3 ways you can do that: 1. Bridge VLAN Filtering ( it will consume CPU resources for devices that do not support it ), 2. Switch Chip VLANs ( for devices with Switch Chip, old method, configuration depends on the switch chip model ), 3. Software VLANs ( /Interface VLAN )

Actually there are two ways (numbers 1. and 2. above) to securely pass VLAN-tagged frames between two bridged/switched ports.

The third variant mentioned above (as number 3.) is complementary to any of methods 1. or 2. when ROS (router, switch, ...) needs to take part in a particular VLAN (as a L3 entity).
Use of method 3. in sense of passing VLAN-tagged frames between ports is more of an abuse. However before method 1. came to ROS, it was the only way of dealing with VLAN-tagged frames on devices without switch chips. It does offer some other possibilities for hacks (such as changing VLAN ID when passing traffic between ports ... which is not possible with method 1. and only a few switch chip models can do it when using method 2.).
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANS & Management VLAN

Mon Jul 26, 2021 11:04 pm

For @anav:

/interface vlan
add name=e1v100 interface=ether1 vlan-id=100
add name=e2v100 interface=ether2 vlan-id=100
/interface bridge
add name=bridge_v100
/interface bridge port
add bridge=bridge_v100 interface=e1v100
add bridge=bridge_v100 interface=e2v100
add bridge=bridge_v100 interface=ether3

Frames tagged with VID 100 can now pass between ether1 and ether2, ether3 is untagged member of that VLAN.

Translation to bridge vlan-filtering config:

/interface bridge
add name=bridge_v100 vlan-filtering=yes
/interface bridge port
add bridge=bridge_v100 interface=ether1
add bridge=bridge_v100 interface=ether2
add bridge=bridge_v100 interface=ether3 pvid=100
/interface bridge vlan
add bridge=bridge_v100 tagged=ether1,ether2 untagged=ether3 vlan-ids=100
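
The translation in the post above, generalised to several per-VLAN bridges, as an added example that is not part of the thread. The sample export, the function names and the output bridge name `bridge_vlans` are constructed for illustration, and bridge ports are written with `interface=` as in a RouterOS export.

```python
import re
from collections import defaultdict

# Constructed sample: the bridge-per-VLAN layout from the post plus a second VLAN.
LEGACY_EXPORT = """\
/interface vlan
add name=e1v100 interface=ether1 vlan-id=100
add name=e2v100 interface=ether2 vlan-id=100
add name=e1v200 interface=ether1 vlan-id=200
/interface bridge
add name=bridge_v100
add name=bridge_v200
/interface bridge port
add bridge=bridge_v100 interface=e1v100
add bridge=bridge_v100 interface=e2v100
add bridge=bridge_v100 interface=ether3
add bridge=bridge_v200 interface=e1v200
add bridge=bridge_v200 interface=ether4
"""

def parse_export(text):
    """Group the key=value pairs of each 'add' line under its /section path."""
    sections, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections[current].append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return sections

def plan_vlans(text):
    """Return ({vid: (tagged ports, untagged ports)}, {port: pvid})."""
    sec = parse_export(text)
    vlan_if = {v["name"]: (v["interface"], int(v["vlan-id"])) for v in sec["/interface vlan"]}
    members = defaultdict(list)
    for p in sec["/interface bridge port"]:
        members[p["bridge"]].append(p["interface"])
    plan, pvid = {}, {}
    for bridge, ifaces in members.items():
        vids = {vlan_if[i][1] for i in ifaces if i in vlan_if}
        if len(vids) != 1:
            # Mixed VIDs on one bridge means VLAN ID translation: no vlan-filtering equivalent.
            raise ValueError(f"{bridge}: expected one VLAN ID, found {sorted(vids)}")
        vid = vids.pop()
        untagged = sorted(i for i in ifaces if i not in vlan_if)
        for port in untagged:
            if pvid.setdefault(port, vid) != vid:  # a port has exactly one PVID
                raise ValueError(f"{port}: untagged in VLAN {pvid[port]} and {vid}")
        plan[vid] = (sorted(vlan_if[i][0] for i in ifaces if i in vlan_if), untagged)
    return plan, pvid

def render(plan, pvid, bridge="bridge_vlans"):
    """Emit a single vlan-filtering bridge equivalent to the per-VLAN bridges."""
    ports = sorted({p for tagged, untagged in plan.values() for p in tagged + untagged})
    out = ["/interface bridge", f"add name={bridge} vlan-filtering=yes", "/interface bridge port"]
    for p in ports:
        out.append(f"add bridge={bridge} interface={p}" + (f" pvid={pvid[p]}" if p in pvid else ""))
    out.append("/interface bridge vlan")
    for vid, (tagged, untagged) in sorted(plan.items()):
        line = f"add bridge={bridge} tagged={','.join(tagged)}"
        line += f" untagged={','.join(untagged)}" if untagged else ""
        out.append(f"{line} vlan-ids={vid}")
    return "\n".join(out)
```

`render(*plan_vlans(LEGACY_EXPORT))` returns the vlan-filtering configuration as text; a bridge that joins VLAN interfaces with different IDs is rejected because that layout has no vlan-filtering equivalent.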
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLANS & Management VLAN

Tue Jul 27, 2021 1:32 am

@mkx I don't mean between ports of the same device...

If you have a Router and a Switch, let's say the switch is a CRS so you apply VLANs with Bridge filtering method, on the router side ( no switch chip ), why is it bad or wrong to create your Vlans directly on the interface that connects these two ? Without any Bridge interface or anything..

There are even wiki examples doing it that way...
I don't see why you believe it's wrong...
Why would I apply Bridge Vlan filtering since I don't need it in my Router ???

So, that way, Vlans use neither a switch chip nor the Bridge Filtering method.. So, what would you call it?

By the way there is a nice MUM presentation explaining exactly that, there is the Vlans in Software terms, the Vlans in Bridge ( Bridge Filtering ), and the Hardware Vlans (switch chip )...
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: VLANS & Management VLAN

Tue Jul 27, 2021 4:09 am

On my ccr1009 I found zero difference performance wise when (using it as a router on a stick) between assigning vlans to the interface vs a bridge.

In my case everything is coming in on one interface, so vlan filtering really isn't a concept here as the router would handle it all anyway.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANS & Management VLAN

Tue Jul 27, 2021 8:47 am

> If you have a Router and a Switch, let's say the switch is a CRS so you apply VLANs with Bridge filtering method, on the router side ( no switch chip ), why is it bad or wrong to create your Vlans directly on the interface that connects these two ? Without any Bridge interface or anything..

I'm not saying the usage you described in quoted text is bad. I'm saying it's not third way of doing it but rather complementary ... the switch chip and bridge vlan-filtering ways are for passing VLAN-tagged traffic between ports. But these two ways don't allow router to interact with those VLAN subnets. The use of vlan interfaces (your third way) allows router to actually interact with configured VLANs (but doesn't allow traffic between ports) and its use is mandatory for this functionality (it is not possible to do it differently unless one wants interaction with single VLAN in which case bridge could be configured with PVID set). However, it is possible to abuse this functionality to pass traffic between ports.

In short: third way is actually different functionality than first and second way.

As @biomesh found out: when bridge functionality is not needed, it's not necessary to use bridge at all. In fact there might be some (very minor) performance reduction if bridge was used in this case because every frame would need to pass bridge logic even though bridge would not add anything to overall functionality. VLAN filtering is done already by vlan interfaces and additional filtering offered by bridge does not add anything.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANS & Management VLAN

Tue Jul 27, 2021 4:15 pm

Hi Mkx,
thanks for the clear but sickening example.
I like things simple and finally felt comfortable with vlan filtering and you just broke an MTUNA certified rule, bridge ports are not vlans.
now I know nothing is sacred and my belief system is utterly destroyed LOL.
forgive me if I never read this thread again!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANS & Management VLAN

Tue Jul 27, 2021 11:19 pm

I can see your MT legacy doesn't go far, @anav (or you started to forget). The example I wrote used to be called "bridge per VLAN" and was only way of dealing with VLANs on devices without switch chips (or only fraction of ports were switched) before ROS 6.42. It is necessary to unearth such ugly memories, you know ... Those who do not remember the past are condemned to repeat it. ;-)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANS & Management VLAN

Wed Jul 28, 2021 1:40 am

Yes before my time or probably when I got my first hex and was trying to figure out if it was a magic box that put an evil spell on me. I wasn't worrying about vlans and chips.........
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLANS & Management VLAN

Wed Jul 28, 2021 8:53 pm

OK @mkx, thanks for your reply...

The only reason I tend to configure a router like that is when I do not actually need the Bridge interface... So if I don't need it why would I create it in the first place...
If something changes it is not a big deal to create a Bridge and configure my VLANs...

Now in terms of performance, I agree that when using a Bridge there might be a little performance drop...

> In short: third way is actually different functionality than first and second way.

The way you explained it, I will have to agree...

If I had to pass traffic between ports then I would of course configure it with Bridge Filtering.
 
Abdisirat
just joined
Topic Author
Posts: 24
Joined: Fri May 15, 2020 9:56 pm

Re: VLANS & Management VLAN

Thu Jul 29, 2021 6:48 pm

> For the switch this is a decent guide......
> https://www.youtube.com/watch?v=Rj9aPoyZOPo

Thanks Anav... The guide was very helpful and my issue was resolved.
loving Mikrotik..and Kudos to Maher
