First-time MikroTik user here, trying to set up a few VLANs between a (RouterOS) hAP ac^3 (wired and wireless), and a (non-MT) managed switch.
I have got the switch configured OK, and some traffic is exchanged with the hAP, but I am seeing two problems:
* the switch on the hAP doesn't seem to honour the PVIDs I gave it;
* when I set the switch mode to secure (or enable VLAN filtering on the bridge), all connections from the switch drop.
I've tried Bridge VLAN Filtering, with and without hardware offloading, then realised that I should use the switch chip, but still had no success, and pretty much the same outcome.
The hAP ac^3 has an Atheros 8327, which should support hardware VLAN switching [0].
# Objective
I want a few VLANs (management, trusted, untrusted, work, ...) distributed over the router's ethernet interfaces and wireless networks (all as access), and a separate switch (connected via a trunk to the router, and all other ports as access).
┌────────────────────── trunk, vlan 1, 2, 3, 10, 20
│
isp │ ┌───┬───────────── access, vlan 10
│ │ │
│ │ │ │ ┌──────── access, vlan 1 (management)
│ │ │ │ │
│ │ │ │ │
┌───┼────▼────▼───▼────▼──────┐
│ │ ether2 3 4 5 │ vlan 3 and 20 also on dedicated
│ ┌─┼──┬────┬────┬────┬────┐ │ Wi-Fi networks served by the hAP,
│ │ │ │ │ │ │ │ │ say, wl-3 and wl-20
│ │ │ │ │ │ │ │ │ │
│ └────┴──┼─┴──┼─┴────┴────┘ │
│ ether1 │ │ │
└─────────┼────┼──────────────┘
│ │
│ │ ┌────────────────────────── vlan 20
│ │ │
│ ┌─┴─┐ │ ┌───────────────────── vlan 10
│ │ A │ │ │
│ └───┘ │ │ ┌──────────────── vlan 3
│ │ │ │
│ │ │ │
│ │ │ │ ┌────── vlan 2
│ │ │ │ │
│ │ │ │ │
┌────┼───────────────▼────▼────▼─────────▼────┐
│ │ if2 if3 if4 if5 if6 if7 if8 │
│ ┌─┼──┬────┬────┬────┬────┬────┬────┬────┐ │
│ │ │ │ │ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │ │ │ │ │ │ │
│ └────┴────┴────┴──┼─┴──┼─┴──┼─┴────┴────┘ │
│ if1 │ │ │ │
└────────────────────┼────┼────┼──────────────┘
│ │ │
│ │ │
┌───┐ │ │ │ ┌───┐
│ B ├───────────┘ │ └─────────────┤ D │
└───┘ │ └───┘
│
│
│
│
┌─┴─┐
│ C │
└───┘
* VLANs are created on the router, each with one DHCP server and a dedicated IP range
* The original `dhcp` server for 192.168.88.0/24 is still on the `bridge1` interface, for management access and not to lock myself out just yet, but will eventually need to go
* I haven't gotten to dealing with Wi-Fi yet, so Wi-Fi is (mercifully) still served by the `bridge1` DHCP server
* Good: The trunk and access ports on the switch seem to work, and devices connected there (B, C, D) get IP addresses from the DHCP server on their dedicated VLAN
* Bad: The device connected directly to ether3 on the router (A) gets an IP address from the default DHCP server (192.168.88.0/24), rather than from VLAN 10 as expected
* Bad: setting the switch port to any `vlan-mode` but `disabled` ends up dropping all traffic, including from the switch, regardless of the `vlan-header` (be it `leave-as-is`, as recommended for the Ath8327 [3], or any other value)
# Already read
* viewtopic.php?t=143620
* viewtopic.php?t=172178
* https://www.youtube.com/watch?v=Rj9aPoyZOPo
* https://www.reddit.com/r/mikrotik/comme ... &context=3
* https://wiki.mikrotik.com/wiki/Manual:B ... _switching
# Already tried
1. I first went with the Bridge VLAN filtering [1], and all seems to work with tagged traffic from the switch. Device A on ether3 was however not getting an IP address from the expected DHCP server for that VLAN. I then turned `vlan-filtering=yes`. Oddly enough, on doing this, the VLAN table started showing `current-tagged` and `current-untagged` with the VLANs served by the switch, as expected. But a few minutes later, all traffic had died, devices behind the switch did not have internet access, and the “current” entries in the VLAN table were empty.
2. I tried disabling hardware off-loading on the bridge, to no avail (same outcome)
3. I realised I should use the switch chip rather than the bridge VLAN filtering, so I disabled the bridge entries, and followed the example for trunk/access with a switch chip instead [3]. The outcome was identical: traffic tagged from the switch as expected, but something fishy for ether3, and as soon as I set `vlan-mode` to `secure` on the `ether` interfaces, traffic stops flowing, even from the switch.
# What now?
I'm at wits' end, so here I am. I'm not sure what might be amiss, nor how to debug this further. I have tried to use the packet sniffer in the tools, to look at the traffic, but while it can show some packets, most of the metadata is empty apart from protocol, which is most often 4 or “2048 (ip)” (so, 802.1q EtherType for ipv4).
A couple of thoughts, but not sure if that might be linked:
* The original `dhcp` server on `bridge1` might have been racing with the one on the vlan serving ether3 and 4. I disabled it, but device A then did not get any IP address.
* `bridge1` includes the Wi-Fi networks, too, could this be messing up the switch filtering?
* `/export hide-sensitive file=2021-08-25.rsc`
# aug/25/2021 14:35:26 by RouterOS 6.48.3
# software id = V30H-QYIG
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=2C:C8:1B:BB:2D:8F auto-mac=no comment="CPU port" name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge name=wl-3-2g ssid=MikroTik-BB2D93 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=australia disabled=no distance=indoors \
frequency=auto installation=indoor mode=ap-bridge name=wl-3-5g ssid=\
MikroTik-BB2D94 wireless-protocol=802.11 wps-mode=disabled
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=XXX
/interface vlan
add interface=bridge1 name=vl-dmz vlan-id=2
add interface=bridge1 name=vl-management vlan-id=1
add interface=bridge1 name=vl-trusted vlan-id=3
add interface=bridge1 name=vl-untrusted vlan-id=10
add interface=bridge1 name=vl-work vlan-id=20
/interface wireless
add disabled=no hide-ssid=yes mac-address=2E:C8:1B:BB:2D:96 master-interface=\
wl-3-5g name=wl-iot-5g ssid=wl-10 vlan-id=10 wps-mode=disabled
/interface ethernet switch port
set 2 default-vlan-id=10
set 3 default-vlan-id=10
set 4 default-vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=iot supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=2E:C8:1B:BB:2D:93 master-interface=wl-3-2g \
name=wl-guest-2g security-profile=guest ssid=guest vlan-id=10 \
wps-mode=disabled
add disabled=no mac-address=2E:C8:1B:BB:2D:94 master-interface=wl-3-5g \
name=wl-guest-5g security-profile=guest ssid=guest vlan-id=10 \
wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=2E:C8:1B:BB:2D:95 master-interface=\
wl-3-2g name=wl-iot-2g security-profile=iot ssid=10 vlan-id=10 \
wps-mode=disabled
/ip pool
add comment=defconf name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dp-management ranges=192.168.1.10-192.168.1.254
add name=dp-dmz ranges=192.168.2.10-192.168.2.254
add name=dp-trusted ranges=192.168.3.10-192.168.3.254
add name=dp-untrusted ranges=192.168.10.10-192.168.10.254
add name=dp-work ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp
add address-pool=dp-dmz disabled=no interface=vl-dmz name=dh-dmz
add address-pool=dp-trusted disabled=no interface=vl-trusted name=dh-trusted
add address-pool=dp-untrusted disabled=no interface=vl-untrusted name=dh-untrusted
add address-pool=dp-work disabled=no interface=vl-work name=dh-work
add address-pool=dp-management disabled=no interface=vl-management name=dh-management
/user group
add name=admin policy="local,ssh,reboot,read,write,policy,password,web,sniff,s\
ensitive,api,!telnet,!ftp,!test,!winbox,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge1 comment=defconf interface=wl-3-2g
add bridge=bridge1 comment=defconf interface=wl-3-5g
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=bridge1 comment="1 tagged ether2 untagged ether5" disabled=yes \
tagged=ether2 untagged=ether5 vlan-ids=1
add bridge=bridge1 comment="2 tagged ether2" disabled=yes tagged=ether2 \
vlan-ids=2
add bridge=bridge1 comment="3 tagged ether2 untag 3-2g" disabled=yes \
tagged=ether2 untagged=wl-3-2g vlan-ids=3
add bridge=bridge1 comment="10 tagged ether2 untagged 3,4" disabled=yes \
tagged=ether2 untagged=ether3,ether4 vlan-ids=10
add bridge=bridge1 comment="20 tagged ether2" disabled=yes tagged=ether2 \
vlan-ids=20
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether2,ether5 switch=switch1 \
vlan-id=1
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=2
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=3
add independent-learning=yes ports=ether2,ether3,ether4 switch=switch1 \
vlan-id=10
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=20
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=\
192.168.88.0
add address=192.168.2.1/24 interface=vl-dmz network=192.168.2.0
add address=192.168.1.1/24 interface=vl-management network=192.168.1.0
add address=192.168.3.1/24 interface=vl-trusted network=192.168.3.0
add address=192.168.10.1/24 interface=vl-untrusted network=192.168.10.0
add address=192.168.20.1/24 interface=vl-work network=192.168.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 next-server=\
192.168.88.1 ntp-server=192.168.88.1
add address=192.168.1.0/24 gateway=192.168.1.1 next-server=192.168.1.1 \
ntp-server=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1 next-server=192.168.2.1 \
ntp-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 next-server=192.168.3.1 \
ntp-server=192.168.3.1
add address=192.168.10.0/24 gateway=192.168.10.1 next-server=192.168.10.1 \
ntp-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 next-server=192.168.20.1 \
ntp-server=192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set winbox disabled=yes
/ipv6 address
add address=::1 comment="change to vl-management" from-pool=isp interface=\
bridge1
add address=::1 from-pool=isp interface=vl-management
add from-pool=isp interface=vl-dmz
add from-pool=isp interface=vl-trusted
add from-pool=isp interface=vl-untrusted
add from-pool=isp interface=vl-work
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=isp request=prefix
/ipv6 firewall filter
add action=accept chain=forward comment="forward related,established in" \
connection-state=established,related in-interface-list=WAN \
out-interface-list=LAN
add action=drop chain=forward comment="forward nothing else in" \
in-interface-list=WAN
/system identity
set name=hapac3
/system leds
set 0 interface=ether1 leds=led1 type=interface-activity
set 1 leds=poe-led type=poe-fault
set 2 interface=vl-management leds=led2
set 3 interface=vl-dmz leds=led3
set 4 interface=vl-trusted leds=led4
add interface=vl-untrusted leds=led5 type=interface-activity
/system ntp client
set enabled=yes mode=broadcast
/system ntp server
set enabled=yes
/tool graphing interface
add
/tool graphing resource
add allow-address=127.0.0.1/32
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether3
# References
[0] https://help.mikrotik.com/docs/display/ ... troduction
[1] https://help.mikrotik.com/docs/display/ ... ccessPorts
[2] https://help.mikrotik.com/docs/display/ ... sportsetup
[3] https://help.mikrotik.com/docs/display/ ... cessPorts)
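Added example (not the poster's code, and not a MikroTik tool): a small Python script that parses the plain-text output of `/export` and applies two consistency rules that a switch-chip VLAN setup like the one above depends on. First, a VLAN that is terminated on the router (an `/interface vlan` entry on the bridge) needs the CPU port in its `/interface ethernet switch vlan` membership, because routed and DHCP traffic for that VLAN otherwise never reaches the CPU once `vlan-mode` leaves `disabled`. Second, a port given a `default-vlan-id` (PVID) must be a member of that VLAN's switch entry. Run over a constructed excerpt of the export above, the first rule fires for VLANs 2, 3, 10 and 20, whose `ports=` lists carry no `switch1-cpu`, while VLAN 1 and the three PVIDs pass. Assumptions: the switch-port table indexes ether1..ether5 as 0..4 (so `set 2` is ether3), and the CPU port is named `switch1-cpu` as in the export; `fixed_export` is a naive text rewrite used only to show the check passing once the CPU port is added.

```python
"""Consistency checks for a RouterOS switch-chip VLAN export (added example)."""
import re
import shlex
from collections import defaultdict

# Assumption: on a 5-port hAP ac^3 the switch-port table indexes ether1..ether5 as 0..4.
PORT_INDEX = {str(i): f"ether{i + 1}" for i in range(5)}
CPU_PORT = "switch1-cpu"

# Constructed excerpt of the export in the post (only the sections the checks need).
SAMPLE_EXPORT = """\
# constructed excerpt
/interface vlan
add interface=bridge1 name=vl-dmz vlan-id=2
add interface=bridge1 name=vl-management vlan-id=1
add interface=bridge1 name=vl-trusted vlan-id=3
add interface=bridge1 name=vl-untrusted vlan-id=10
add interface=bridge1 name=vl-work vlan-id=20
/interface ethernet switch port
set 2 default-vlan-id=10
set 3 default-vlan-id=10
set 4 default-vlan-id=1
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether2,ether5 switch=switch1 \\
    vlan-id=1
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=2
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=3
add independent-learning=yes ports=ether2,ether3,ether4 switch=switch1 \\
    vlan-id=10
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=20
"""


def parse_export(text):
    """Return (section, verb, {key: value}) tuples; continuation lines are joined."""
    entries, section, pending = [], None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):            # RouterOS line-continuation marker
            pending.append(line[:-1])
            continue
        pending.append(line)
        full = "".join(pending).strip()
        pending = []
        if full.startswith("/"):           # a new menu path such as /interface vlan
            section = full
            continue
        tokens = shlex.split(full)         # keeps quoted values like comment="..." intact
        verb, props, target, depth = tokens[0], {}, [], 0
        for tok in tokens[1:]:
            if tok == "[":                 # `set [ find ... ]` selector
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth or "=" not in tok:  # selector or numeric target (`set 2 ...`)
                target.append(tok)
            else:
                key, value = tok.split("=", 1)
                props[key] = value
        props["_target"] = " ".join(target)
        entries.append((section, verb, props))
    return entries


def check_switch_vlans(entries, cpu_port=CPU_PORT, port_index=PORT_INDEX):
    """Return findings as strings; an empty list means the two rules hold."""
    members = defaultdict(set)             # vlan-id -> ports in the switch vlan table
    router_vlans = {}                      # vlan-id -> name of the /interface vlan
    pvids = {}                             # port name -> default-vlan-id
    for section, verb, p in entries:
        if section == "/interface ethernet switch vlan" and verb == "add":
            members[p["vlan-id"]] |= set(p["ports"].split(","))
        elif section == "/interface vlan" and verb == "add":
            router_vlans[p["vlan-id"]] = p["name"]
        elif section == "/interface ethernet switch port" and "default-vlan-id" in p:
            pvids[port_index.get(p["_target"], p["_target"])] = p["default-vlan-id"]
    findings = []
    for vid, name in sorted(router_vlans.items(), key=lambda kv: int(kv[0])):
        if vid not in members:
            findings.append(f"vlan {vid} ({name}) has no switch vlan entry")
        elif cpu_port not in members[vid]:
            findings.append(f"vlan {vid} ({name}) is routed but {cpu_port} is not a member")
    for port, vid in sorted(pvids.items()):
        if port not in members.get(vid, set()):
            findings.append(f"{port} has pvid {vid} but is not a member of vlan {vid}")
    return findings


def fixed_export(text, cpu_port=CPU_PORT):
    """Naive text rewrite: prepend cpu_port to every ports= list that lacks it."""
    return re.sub(r"ports=(?!" + re.escape(cpu_port) + ")", f"ports={cpu_port},", text)


if __name__ == "__main__":
    for finding in check_switch_vlans(parse_export(SAMPLE_EXPORT)) or ["no findings"]:
        print(finding)
    print("after adding the CPU port:",
          check_switch_vlans(parse_export(fixed_export(SAMPLE_EXPORT))) or "no findings")
```

Point it at a saved `/export` file instead of `SAMPLE_EXPORT` to run the same checks on a whole configuration; the parser ignores comments and joins the `\` continuations an export produces, so the rest of the file is harmless to it.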