 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Another vlan question

Tue Aug 31, 2021 5:06 pm

It seems no matter what I do nothing is going to work WRT vlans. I could really use some help getting in the right direction.

Here's a (very brief) layout of my network
[network layout image, not included in this export]

Export here
https://pastebin.com/YmuJGJ43

So far devices on the wired vlan can get IP, DNS, subnet, and default gateway. From there they can go no further. They can not ping the gateway nor can they browse the internet. Wireless clients can do the same but that's another issue for another forum. I'm pretty sure I've missed a tiny detail but I'm about out of time to spend messing with this before school gets back in full swing.

Any help would be appreciated.
Last edited by forsquirel on Tue Aug 31, 2021 5:49 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Another vlan question

Tue Aug 31, 2021 5:16 pm

Link to your export doesn't work.

Just a general remark: avoid using VLAN ID 1 as a tagged VLAN. In ROS, VLAN ID 1 is used as an implicit default all over the place and if one doesn't catch all the occurrences, things misbehave in the most random ways. Avoid it for untagged as well; if the link between two devices is untagged (or hybrid with some tagged VLANs and a single untagged one), then the VLAN ID used for untagged can be different on both ends (although it can be confusing as hell when comparing configurations).

Hmmm .. the problems you're describing might be due to setting the router's LAN address with the subnet mask omitted (i.e. 192.168.88.1 versus 192.168.88.1/24).
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Tue Aug 31, 2021 5:52 pm

Link to your export doesn't work.
It's fixed.
Just a general remark: avoid using VLAN ID 1 as a tagged VLAN. In ROS, VLAN ID 1 is used as an implicit default all over the place and if one doesn't catch all the occurrences, things misbehave in the most random ways. Avoid it for untagged as well; if the link between two devices is untagged (or hybrid with some tagged VLANs and a single untagged one), then the VLAN ID used for untagged can be different on both ends (although it can be confusing as hell when comparing configurations).
Not tagging vlan1 breaks everything on the switch
Hmmm .. the problems you're describing might be due to setting the router's LAN address with the subnet mask omitted (i.e. 192.168.88.1 versus 192.168.88.1/24).
In the address list? Nope, it's got the subnet mask.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Another vlan question

Tue Aug 31, 2021 6:41 pm

Your config is confused LOL.

So it's clear you only have one vlan and it's being put on ether port 5.
Not sure why you need a vlan then??
The problem is you think you can send untagged vlan data on ethernet 2 and at the same time send the bridge subnet traffic on ethernet 2.
So do pray tell what device do you have on the other end of ethernet two that will be able to pick out two streams of untagged data???
or vice versa how will the router know where incoming traffic is supposed to go...............???

Where did you get the idea you had to UNTAG bridges???

As was noted you have a configuration for interface bridge vlans that includes vlan1, which you didn't define so it needs to be removed.
(if you need another vlan use 20 or something but you need to define it ....................)

Finally you have disabled ethernet 2,3,4 and sfp1 so you should not have any traffic.

Suggest you read this article and try again.........
viewtopic.php?f=23&t=143620
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Another vlan question

Tue Aug 31, 2021 7:12 pm

As @anav said: your VLAN setup is a mess. For example:
/interface bridge vlan
add bridge=bridge comment=guest tagged=ether5 untagged=ether2,bridge vlan-ids=10
add bridge=bridge tagged=ether5 untagged=bridge,ether2 vlan-ids=1

While ROS doesn't burp, you can't have two VLANs untagged at the same time over any port. Yet in your case both bridge and ether2 are supposed to carry untagged frames both for VLAN ID 1 and VLAN ID 10. In the egress direction that's not a problem, but how is the bridge supposed to know which untagged ingress frames should go to VLAN 1 and which to VLAN 10? At the same time both ether2 and bridge ports (yes, bridge is a port of itself as well) are not explicitly configured with a PVID on ingress ... that's where the implicit default configuration of PVID=1 comes into play (that's what I was talking about).

So really: read through tutorial from @anav's post and then start from scratch. My recommendation: start from blank config, first get L2 (bridge, VLANs, ...) done then add L3 (IP) stuff (this part you'll mostly copy-paste from existing config, only change a few interface names).

And ... if you decide to follow my advice of not using VLAN ID 1 explicitly anywhere, you can (easily?) change config appropriately on switch as well. Switch configuration should not be the reason not to make things on router better.
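As an added illustration (this is not from mkx's post or from the poster's export), here are the two conflicting lines above next to a version with exactly one untagged VLAN per port. The interface names (bridge, ether2, ether5) and VLAN 10 come from the quoted lines; treating ether2 as a VLAN 10 access port and ether5 as the trunk to the switch is an assumption. The `set [find ...]` form modifies the entries that already exist instead of re-adding them. Run it in Safe Mode (Ctrl-X in the terminal), because a bridge VLAN change on a live box can cut off the session you are typing in.

```routeros
# Before (from the export): VLAN 1 and VLAN 10 both untagged on ether2 and on
# the bridge itself. Egress works, but an untagged frame arriving on ether2 can
# only be classified by the port's PVID, which was never set and so defaults
# to 1. Everything meant for VLAN 10 silently lands in VLAN 1.
#   add bridge=bridge comment=guest tagged=ether5 untagged=ether2,bridge vlan-ids=10
#   add bridge=bridge tagged=ether5 untagged=bridge,ether2 vlan-ids=1

# After: explicit PVID on the access port, ingress filtering on, the bridge
# (the router's own CPU port) tagged, and no entry for VLAN 1 anywhere.
/interface bridge port
set [find where interface=ether2] pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
set [find where interface=ether5] ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

/interface bridge vlan
remove [find where vlan-ids=1]
set [find where vlan-ids=10] tagged=bridge,ether5 untagged=ether2

/interface bridge
set bridge vlan-filtering=yes

# Check: entries flagged D were created by the bridge from a port's PVID.
# A dynamic entry for vlan-ids=1 means some port still relies on the default.
/interface bridge vlan print
/interface bridge port print
```

With the bridge tagged on VLAN 10, the router's own address for that VLAN must sit on an `/interface vlan` child of the bridge (interface=bridge vlan-id=10), not on the bridge interface itself; an address on the bare bridge is untagged traffic from the CPU port and is classified by the bridge's own PVID, which is again 1 unless changed.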
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Another vlan question

Tue Aug 31, 2021 7:17 pm

I have multiple vlans on my network that feed a TP eap2245, and eap 660Hd and switches from MT, TPLINK, DLINK, NETGEAR etc............and unmanaged ones too.
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Tue Aug 31, 2021 8:04 pm

Your config is confused LOL.


So it's clear you only have one vlan and it's being put on ether port 5.
Not sure why you need a vlan then??
No point in setting up the 4 vlans I need if even 1 doesn't work.
The problem is you think you can send untagged vlan data on ethernet 2 and at the same time send the bridge subnet traffic on ethernet 2.
So do pray tell what device do you have on the other end of ethernet two that will be able to pick out two streams of untagged data???
or vice versa how will the router know where incoming traffic is supposed to go...............???
It's just there in case I need to plug in and fix something.
Where did you get the idea you had to UNTAG bridges???

Who knows? The last time I asked a question it sat in limbo with zero responses. This is what I've had to work with; the forums are, how you say, scatterbrained to say the least, and I'm trying to make sense of the mess. It's just what I ended up with.

As was noted you have a configuration for interface bridge vlans that includes vlan1, which you didn't define so it needs to be removed.
(if you need another vlan use 20 or something but you need to define it ....................)
If I remove it I can't send anything to the switch.

Finally you have disabled ethernet 2,3,4 and sfp1 so you should not have any traffic.
Port 2 isn't disabled.

Suggest you read this article and try again.........
viewtopic.php?f=23&t=143620
Oh look, that article. Yeah I've read it. I've copied and pasted it. It still doesn't work.
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Tue Aug 31, 2021 8:07 pm

As @anav said: your VLAN setup is a mess. For example:
/interface bridge vlan
add bridge=bridge comment=guest tagged=ether5 untagged=ether2,bridge vlan-ids=10
add bridge=bridge tagged=ether5 untagged=bridge,ether2 vlan-ids=1

While ROS doesn't burp, you can't have two VLANs untagged at the same time over any port. Yet in your case both bridge and ether2 are supposed to carry untagged frames both for VLAN ID 1 and VLAN ID 10.
How do trunk ports work?
So really: read through tutorial from @anav's post and then start from scratch. My recommendation: start from blank config, first get L2 (bridge, VLANs, ...) done then add L3 (IP) stuff (this part you'll mostly copy-paste from existing config, only change a few interface names).

And ... if you decide to follow my advice of not using VLAN ID 1 explicitly anywhere, you can (easily?) change config appropriately on switch as well. Switch configuration should not be the reason not to make things on router better.
It's a network in service. I can't bring it down to put it back up.

Honestly, the answers I've gotten kinda make sense about this forum.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Another vlan question

Tue Aug 31, 2021 9:24 pm

Correct, my bad ether 2 was not disabled.
However, my help here has ended, I am but a lowly home owner and
not a network admin so you know best.
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Tue Aug 31, 2021 9:33 pm

Correct, my bad ether 2 was not disabled.
However, my help here has ended, I am but a lowly home owner and
not a network admin so you know best.
People might be more willing to listen if you didn't come across as a tad bit arrogant.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Another vlan question

Tue Aug 31, 2021 10:49 pm

How do trunk ports work?
In Mikrotik world, trunk ports are ports carrying (one or) multiple tagged VLANs and none untagged VLANs. Ports carrying some tagged and (exactly) one untagged VLANs are called hybrid ports.

It's a network in service. I can't bring it down to put it back up.
Changing network topology (adding VLANs into the mix is exactly that) is like replacing a car's wheel. Kind of hard to do it while driving on a highway, much easier when the car is parked at a curb or even in a garage. Especially if you don't know exactly what needs to be done.

Honestly, the answers I've gotten kinda make sense about this forum.
Not sure what exactly do you mean with this.
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Tue Aug 31, 2021 11:20 pm


Changing network topology (adding VLANs into the mix is exactly that) is like replacing a car's wheel. Kind of hard to do it while driving on a highway, much easier when the car is parked at a curb or even in a garage. Especially if you don't know exactly what needs to be done.
And yet in other ecosystems you can. I've done it in OpenWRT without having to dismantle the system.

Honestly, the answers I've gotten kinda make sense about this forum.
Not sure what exactly do you mean with this.
This place doesn't get the best reputation on other forums/sites.

There's being helpful, and then there's being rude. I get that tone is hard to interpret through forum posts but it goes a long way to make your post presentable and understandable without sounding like a know it all.

edit: I came here with a legitimate question. I've searched this site up and down reading posts. A lot of them end up the same way: read this post and get back. Assuming everyone who asks a question completely understands the terminology and ecosystem is a bit naive.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Another vlan question

Wed Sep 01, 2021 8:04 am

I'm sorry you got bad feedback from this forum. As you noticed, there are some super-helpful members of forum and then there are ... the rest :wink:
... read this post and get back.

The problem for helpful forum members is that there are plenty of users coming with (almost) identical questions. As you wrote, they might even not realize they have the same question as others which already received usable and extensive answers and the helpful forum members get fed up answering same questions all over again. So they resort to pointing to the most usable threads dealing with same (or very similar) questions. It might seem rude to the question poster, but how does this differ from copy-pasted answer? Other than the feeling of not getting due attention some question poster might get?

Assuming everyone who asks a question understands the completely terminology and ecosystem is a bit naive.
Well, if some poster comes and uses all the right buzzwords, I tend to assume that user knows the meaning of buzzwords. And if that user doesn't indicate he's coming from another ecosystem (where buzzwords might have slightly different meaning), why should I care explaining what exactly those buzzwords mean in MT ecosystem? After all, one writing a post should explain all the circumstances that might affect the meaning of question and if question poster doesn't do it, why should answer poster?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Another vlan question

Wed Sep 01, 2021 2:50 pm

Let me be clear: if you are actually a qualified networking IT manager and you actually read the article I linked, then you would have understood it and your config would not have been so sloppy.
I am extremely patient with new homeowners learning the ropes, I have less time for snotty nosed arrogant I think I am gods gift to the world Network guy with obviously some useless certification.
Most folks actually come here with an open mind, it seems, but in your case, if it doesn't behave or config like openwrt there must be something wrong with RoS - Cry me a river!!

Also, a real IT guy would have fixed the config, posted it for review, and it would be close to correct based on the excellent feedback and support provided thus far.
But NOOOOOOOOOO, just a lot of whining........
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Wed Sep 01, 2021 7:15 pm

Let me be clear: if you are actually a qualified networking IT manager and you actually read the article I linked, then you would have understood it and your config would not have been so sloppy.
I'm not an IT person. Never said I was.

I am extremely patient with new homeowners learning the ropes, I have less time for snotty nosed arrogant I think I am gods gift to the world Network guy with obviously some useless certification.
Most folks actually come here with an open mind, it seems, but in your case, if it doesn't behave or config like openwrt there must be something wrong with RoS - Cry me a river!!
When did I say that? I mentioned OpenWRT once.
Also, a real IT guy would have fixed the config, posted it for review, and it would be close to correct based on the excellent feedback and support provided thus far.
But NOOOOOOOOOO, just a lot of whining........
This right here is what I'm talking about. I'm sorry I can't be as perfect as you but one day I hope that maybe, just maybe, I will.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Another vlan question

Wed Sep 01, 2021 7:31 pm

Then my bad for some wrong assumptions.

Quote: " It's a network in service. I can't bring it down to put it back up." Implies you are in charge of a network to me.
Quote: "that article, tried it, copied pasted it, didn't work"............ no you didn't work, the article is excellent.
Quote: "And yet in other ecosystems you can. I've done it in OpenWRT without having to dismantle the system." In this case you're responding to/challenging one of the most knowledgeable and friendly to a fault guys in this forum (definitely not me) who is giving you very good advice and learning points which you seem to dismiss at will..

Besides dissing the forums because you didn't get free satisfaction prior. Can you link to the thread so I can see what was missed?


Regardless, of the above, Where is the config............... feedback and assistance cannot be provided without the information requested.
Clearly you just want to whine and not get at the root of the config issues. Did you attempt to follow the link more closely??
I can go on all day, so lets just get your config where it needs to be and simply work with the facts.........
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Wed Sep 01, 2021 8:14 pm

Then my bad for some wrong assumptions.
Apology accepted

Quote: " It's a network in service. I can't bring it down to put it back up." Implies you are in charge of a network to me.
This is why we don't assume
Quote: "that article, tried it, copied pasted it, didn't work"............ no you didn't work, the article is excellent.
I tried it many times before I ever even started using my equipment. I tried it in a VM and the imports would fail.
Quote: "And yet in other ecosystems you can. I've done it in OpenWRT without having to dismantle the system." In this case you're responding to/challenging one of the most knowledgeable and friendly to a fault guys in this forum (definitely not me) who is giving you very good advice and learning points which you seem to dismiss at will..
He said bring the system down. I stated that I had implemented vlans in a system without having to bring it down in another system. I wasn't dismissing anyone. I was stating I couldn't bring my system down. If that's a dismissal, then there's a huge communication barrier going on here.
Besides dissing the forums because you didn't get free satisfaction prior. Can you link to the thread so I can see what was missed?
what thread?
Regardless, of the above, Where is the config............... feedback and assistance cannot be provided without the information requested.
Clearly you just want to whine and not get at the root of the config issues. Did you attempt to follow the link more closely??
I can go on all day, so lets just get your config where it needs to be and simply work with the facts.........
what config? My current one? I just got rid of all the vlans and am using the CSS as a dumb switch now.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Another vlan question

Wed Sep 01, 2021 9:04 pm

Suggest
vlan10 for wifi
vlan 99 for management

provide both eap and switch IP addresses on management vlan.
Keep vlan1 as the default pvid on both router and switch no need to define or do anything different (same as any other vendor switch etc.)
On the router enable bridge vlan filtering after setting up interface bridge ports and interface bridge vlans
Works for me from any MT router to MT switch, netgear switch, dlink switch, tplink switch, MT AP, tplink AP etc.......
Just keep adding vlans as required to the router.
The 4 needed items are ip pool, ip address, dhcp-server, dhcp-server network; the interface is the single bridge.


on the switch and APs just need to add the vlan IDs ...........
On the switch if you want to be consistent with router setup, then do basically the same with a single bridge and interface bridge ports and interface bridge vlans as required.
I use a hex router as a switch on my desktop so configured.
If you need examples let me know.
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Wed Sep 01, 2021 9:23 pm

Suggest
vlan10 for wifi
vlan 99 for management
This is what I've been playing with so far. I had it working for a bit with 99 but as soon as I removed vlan1 everything halts. Hence the reason I'm just keeping it as is for now.
provide both eap and switch IP addresses on management vlan.
Keep vlan1 as the default pvid on both router and switch no need to define or do anything different (same as any other vendor switch etc.)
On the router enable bridge vlan filtering after setting up interface bridge ports and interface bridge vlans
Works for me from any MT router to MT switch, netgear switch, dlink switch, tplink switch, MT AP, tplink AP etc.......
Just keep adding vlans as required to the router.
The 4 needed items are ip pool, ip address, dhcp-server, dhcp-server network; the interface is the single bridge.
I've got most of that set up. My issue is the bridge. Before, because I was switching on the all in one device, I had to include a bridge. I really think this is what is hanging me up.
on the switch and APs just need to add the vlan IDs ...........
On the switch if you want to be consistent with router setup, then do basically the same with a single bridge and interface bridge ports and interface bridge vlans as required.
I use a hex router as a switch on my desktop so configured.
If you need examples let me know.
Thanks, I appreciate it.

Sorry we got off on the wrong foot. I only went with Mikrotik because I wanted to learn something new that I'm not going to learn in school and I've been eyeballing it for years. I love the equipment and as it is now it works fantastic. I just need to get vlan'ing working to move cameras, labs, and guest networks off my main lan.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Another vlan question

Wed Sep 01, 2021 9:54 pm

No worries, one step at a time.........

Start with the router.
create the bridge call it bridge-test
Create 3 vlans with interface bridge-test. One for wifi vlan10 , one for management vlan99 and one spare you can use at any time or perhaps you have house users and guest users for wifi, or media boxes from china for wifi ;-P, or IOT devices for wifi.
then setup the vlans
Ip address
ip pool
ip dhcp server
ip dhcp server network

interface bridge port settings one line for each port or WLAN (WLAN meaning local unit WLAN, if none local not applicable ***)
add bridge=bridge-test NOTES:
1. select ingress filtering=yes
2. if its a trunk port (carrying tagged vlans) then add allowed only frames=tagged
3a. if its an access port (carrying one untagged vlan) then add allowed only frames=priority and untagged
3b. if its an access port (or hybrid port) carrying one untagged vlan then you must identify the vlan by PVID=X
4. If its a hybrid port do not make any frames attribution.

trunk ports carry vlans to smart devices (managed switches, APs that can read vlans)
access ports carry untagged vlans to dumb devices (PC, unmanaged switches etc)
hybrid port carry one untagged vlan and as many tagged vlans as needed ( VOIP modem for PC - modem reads vlan tagged, computer gets untagged vlan)

Next step is the interface bridge vlan settings.
add bridge=bridge for any line entries where the vlan is going to a smart device the bridge must be tagged. Ports are untagged or tagged as appropriate.
Normally one line per vlan ID.

(although the router will automatically create untagged entries dynamically as identified by PVID in bridge port settings, they will not show up in the config and thus I prefer to manually insert them in the config so its clear what the intentions are to the reader.)

(***WLANs are considered ports when the local device is an MT wifi capable device)
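The steps above written out as one complete router-side configuration. This is an added example, not anav's own config and not the poster's export: the VLAN IDs follow the post (10 for wifi, 99 for management, 11 as the third one for home users); the interface names, subnets, pool ranges, the choice of ether3 as the home access port and ether5 as the trunk to the switch, and the assumption that the LAN interface list already exists from the default configuration are all mine. Order matters: vlan-filtering is switched on last, from a session on a port that is already in the VLAN table, and ideally in Safe Mode.

```routeros
# Step 1: the bridge. VLAN filtering stays off until the table below is complete.
/interface bridge
add name=bridge-test

# Step 2: the VLAN interfaces (L3 side) hang off the bridge, not off a port.
/interface vlan
add interface=bridge-test name=vlan10_wifi vlan-id=10
add interface=bridge-test name=vlan11_home vlan-id=11
add interface=bridge-test name=vlan99_mgmt vlan-id=99

# Step 3: per VLAN: address, pool, DHCP server, DHCP network (subnets assumed).
/ip address
add address=192.168.10.1/24 interface=vlan10_wifi
add address=192.168.11.1/24 interface=vlan11_home
add address=192.168.99.1/24 interface=vlan99_mgmt

/ip pool
add name=pool_wifi ranges=192.168.10.100-192.168.10.199
add name=pool_home ranges=192.168.11.100-192.168.11.199
add name=pool_mgmt ranges=192.168.99.100-192.168.99.149

/ip dhcp-server
add name=dhcp_wifi interface=vlan10_wifi address-pool=pool_wifi disabled=no
add name=dhcp_home interface=vlan11_home address-pool=pool_home disabled=no
add name=dhcp_mgmt interface=vlan99_mgmt address-pool=pool_mgmt disabled=no

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.11.0/24 gateway=192.168.11.1 dns-server=192.168.11.1
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1

# Step 4: bridge ports, one line per port.
#   ether3: access port for the home VLAN; pvid names the VLAN for untagged
#           ingress, frame-types rejects anything that arrives tagged.
#   ether5: trunk to the managed switch / AP; only tagged frames accepted.
/interface bridge port
add bridge=bridge-test interface=ether3 pvid=11 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge-test interface=ether5 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

# Step 5: the bridge VLAN table. The bridge itself is tagged on every VLAN
# that has an /interface vlan on it, otherwise the router's own addresses
# are unreachable. The untagged entry for 11 is what pvid=11 would create
# dynamically; it is written out so the intent is visible in the export.
/interface bridge vlan
add bridge=bridge-test tagged=bridge-test,ether5 untagged=ether3 vlan-ids=11
add bridge=bridge-test tagged=bridge-test,ether5 vlan-ids=10,99

# Interface list membership so firewall rules can say "LAN" (list assumed to
# exist from the default config).
/interface list member
add interface=vlan10_wifi list=LAN
add interface=vlan11_home list=LAN
add interface=vlan99_mgmt list=LAN

# Step 6, last of all: enable filtering. From this moment untagged frames on
# ether5 and tagged frames on ether3 are dropped on ingress.
/interface bridge
set bridge-test vlan-filtering=yes

# Verify: no D-flagged entry for vlan-ids=1, and each port lists the VLANs
# you expect. Then check DHCP leases appear per VLAN.
/interface bridge vlan print
/ip dhcp-server lease print
```

On the switch side the uplink to ether5 carries 10, 11 and 99 tagged and nothing untagged, so the implicit PVID 1 never has anything to classify and does not need an entry anywhere.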
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Fri Sep 03, 2021 7:32 pm

So I've finally been able to work on this again.

a few questions,
The default bridge that is created in the default config should be left alone and no vlans added to it correct?

I did everything you mentioned but I'm confused about one thing. vlan1/PVID 1 is created by default. If I move my LAN to another vlan how does that work? I assumed that vlan is native? and that it sends untagged everywhere so on my switch I'm trying to use the port as a hybrid port (untagged 1, tagged everything else) but that fails. Moreover it keeps me from talking between router and switch. I can get vlan ids to communicate on the switch, as they should, but nothing from the router.

If I change the port coming into the switch from the router to tagged only then devices can get an IP but nothing else, and then other stuff starts to fail. Right now port 1 on the switch has a vlan id of 1. Using a 'VLAN receive' type of any allows the devices to work, but the vlans fail.

https://pastebin.com/zZHMwUC0 is the latest export after following your post
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Another vlan question

Fri Sep 03, 2021 10:25 pm

Hi there,

(1) The bridge vlan section needs to be fixed.
Delete the default one, not sure what happens when you have two selected for vlan filtering like that.
Only need one bridge active.
(note: I dont have ingress filtering set on my bridge, no harm in that, and basically the only action here is to enable vlan filtering once the config is setup.)

(2) You have four vlans and five IP pools, so I will assume one is for the bridge itself.

(3) Looking at bridge port settings
You have the wrong name for the bridge
ether2 is a regular port providing regular LAN (no vlans)
ether3 is an access port for vlan2
ether4 is a regular port providing regular LAN traffic (no vlans)
ether5 is a trunk port carrying vlans 2,10,30,99

(4) Looking at bridge vlan settings
you are forgetting to tag the bridge
you are tagging the wrong bridge name (wrong name).


Overall my suggestion is not to mix functionality.
By that i mean I achieve most success and more quickly by NOT having the bridge give out subnet info.
So what I would do is create a home vlan11 and remove any bridge responsibilities from dhcp.

/interface vlan
add interface=bridge-test name=vlan_home_users vlan-id=11

/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlan_home_users name=dhcp_bridge

/ip address
add address=192.168.1.1/25 interface=vlan_home_users network=192.168.1.0

The only question you have to ask yourself is which ports do you want vlan11 to go on, if to a smart device then tagged
if to a dumb PC, then untagged and a pvid would have to be assigned to the port.

In my case my vlan11 is also my management vlan because I am on vlan 11 for all my devices.
I limit only me as part of vlan11 that has admin privileges (full access to router and access to all other vlans by way of firewall rules).
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Sat Sep 04, 2021 6:54 am

Hi there,

(1) The bridge vlan section needs to be fixed.
Delete the default one, not sure what happens when you have two selected for vlan filtering like that.
Only need one bridge active.
(note: I dont have ingress filtering set on my bridge, no harm in that, and basically the only action here is to enable vlan filtering once the config is setup.)
yeah. the issue was the default vlan. I've gone down to 1 bridge
(2) You have four vlans and five IP pools, so I will assume one is for the bridge itself.
yeah, and testing purposes. I'm down to 3. Unfortunately I can't figure out how to get the router to get an IP from the vlan_lan pool
(3) Looking at bridge port settings
You have the wrong name for the bridge
ether2 is a regular port providing regular LAN (no vlans)
ether3 is an access port for vlan2
ether4 is a regular port providing regular LAN traffic (no vlans)
ether5 is a trunk port carrying vlans 2,10,30,99
5 is for carrying everything tagged except for 1 which is untagged. I've got the bridge set up and working because I can change the PVID on the switch and I get the appropriate vlan DHCP server handing out addresses. Plus I can access the internet.
(4) Looking at bridge vlan settings
you are forgetting to tag the bridge
you are tagging the wrong bridge name (wrong name).
One bridge now, named 'Bridge'
Overall my suggestion is not to mix functionality.
By that i mean I achieve most success and more quickly by NOT having the bridge give out subnet info.
So what I would do is create a home vlan11 and remove any bridge responsibilities from dhcp.

/interface vlan
add interface=bridge-test name=vlan_home_users vlan-id=11

/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlan_home_users name=dhcp_bridge

/ip address
add address=192.168.1.1/25 interface=vlan_home_users network=192.168.1.0

The only question you have to ask yourself is which ports do you want vlan11 to go on, if to a smart device then tagged
if to a dumb PC, then untagged and a pvid would have to be assigned to the port.

In my case my vlan11 is also my management vlan because I am on vlan 11 for all my devices.
I limit only me as part of vlan11 that has admin privileges (full access to router and access to all other vlans by way of firewall rules).
This is where I'm completely stuck. I want to just remove DHCP from the bridge, but it fails. I can switch around some interfaces but then the gateway goes to another subnet, 192.168.1 to .2.

Other than this 1 minor issue everything is working as it should. I'm not sure if I should set a static ip for the router (not sure how exactly) or let DHCP hand out the first address to the router (again, not sure how exactly).

Thanks for the help.

https://pastebin.com/uB869yeZ
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Another vlan question

Sat Sep 04, 2021 10:38 am

I'm not sure if I should set a static ip for the router (not sure how exactly) or let DHCP hand out the first address to the router (again, not sure how exactly).

My thinking: if access (management, service, whatever) is primarily remote, then device needs static address (on appropriate interface if there are more than one). This device category obviously includes all LAN infrastructure (routers, switches, wifi access points).

How to set device static IP address? Either configure DHCP client on device and set a static lease/address on DHCP server for that device (how that's done depends on DHCP server's management UI[*]) or set address statically on device interface[**].

[*] In ROS you go to IP -> DHCP server -> Leases ... on the list of lease entries identify the one belonging to your particular device (it should have "D" in the second column, to the left of the address column). Click on the line to open the detail page, click "Make static" and close. You can change the address by opening the detail page again and changing the address. Note that the device will pick up the new address after it tries to renew the lease; that will happen either after half of the lease time passes or if the device starts the DHCP process for some other reason (reboot, ethernet cable disconnected for longer than a few seconds, ...).

[**] In ROS go to IP -> Addresses -> add new ... select the appropriate interface and enter the IP address together with the subnet mask. And disable the DHCP client on the same interface in IP -> DHCP Client.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Another vlan question

Sat Sep 04, 2021 11:32 am

To clean up some of the mess in the latest config I see, paste this into the terminal:
/interface bridge
set bridge protocol-mode=none

/interface bridge port
remove [find where interface=sfp1]

/interface list member
add interface=vlan_guest list=LAN
add interface=vlan_cameras list=LAN
add interface=vlan_lan list=LAN

/ip firewall filter
remove [find where action=accept chain=input comment="Allow Vlan" in-interface=vlan_lan]

/ip address
set [find where address="192.168.10.1/25"] address=192.168.10.1/28

/ip pool
set pool_cameras ranges=192.168.30.2-192.168.30.14

/ip dhcp-server network
set [find where address="192.168.30.0/28"] netmask=28 dns-server=192.168.30.1 gateway=192.168.30.1
set [find where address="192.168.10.0/28"] dns-server=192.168.10.1
set [find where address="192.168.1.0/25"] dhcp-option="" dns-server=192.168.1.13,192.168.1.14,192.168.1.1

/ip dhcp-server option
remove [find]
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Another vlan question

Sat Sep 04, 2021 2:44 pm

Reviewing the config,

(1) Almost there in terms of transferring DHCP from bridge to vlan 11 for home LAN but missed these two settings.
a. FROM
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=bridge name=dhcp_local
TO
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=vlan_lan name=dhcp_local

b. FM
/ip address
add address=192.168.10.1/25 interface=vlan_guest network=192.168.10.0
add address=192.168.30.1/28 interface=vlan_cameras network=192.168.30.0

add address=192.168.1.1/25 interface=bridge network=192.168.1.0
TO
/ip address
add address=192.168.10.1/25 interface=vlan_guest network=192.168.10.0
add address=192.168.30.1/28 interface=vlan_cameras network=192.168.30.0

add address=192.168.1.1/25 interface=vlan_lan network=192.168.1.0

(2) interface bridge port synopsis:
Looks like trunk port for ether2, access port for ether3 to a 'dumb' device that needs to be on vlan11, trunk port on ether4, trunk port on ether5

suggest for the active bridge ports add.
-ether3 pvid=11 ingress-filtering=yes frame types only allow priority and untagged frames
-ether5 ingress-filtering=yes frame types only allow tagged frames.

(3) interface bridge vlan synopsis:
All three vlans are tagged on ether5

Also, although the router will dynamically create the untagged vlan connection for pvid 11, ..... I prefer to manually insert it into the config so it's clear what is going on when looking at the config.
So if I did the config it would look like this:
/interface bridge vlan
add bridge=bridge tagged=ether5,bridge untagged=ether3 vlan-ids=11
add bridge=bridge tagged=ether5,bridge vlan-ids=10,30 ***

*** Another nice thing about showing it all, when you have vlans tagged with no other interfering requirements (such as untagged ports) one can easily combine vlan-ids for the same tagged entities.

(4) Let's look at the firewall rules!!
add action=accept chain=input comment="Allow Vlan" disabled=yes in-interface=\
vlan_lan

THIS IS A GOOD RULE if you are working towards only allowing you as the admin to access the router. This assumes that you will be modifying the config from vlan_lan.
To make it better, add a firewall address list of the devices you will use to administer the router (make the dhcp leases static on the router so they don't change on you; this could include your desktop pc, your laptop, your ipad, your smartphone for example!)
However, before you activate this rule, also ensure you have any services set up on the input chain that all users need; the typical one is DNS, and sometimes NTP.** For this the allow rule is covered by in-interface-list=LAN.
Finally, with the three rules above in place (DNS -- one for tcp, one for udp), you can add a last rule which is drop all else:
add action=drop chain=input comment="drop all else"

** I see you do have NTP so make an allow rule for NTP on the input chain with in-interface-list=LAN

and then you can remove this rule, which is no longer relevant:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

BUT feel free to discuss or ask question before the comments here in part (4).

(5) A similar approach can be taken in the forward chain by putting a drop all else rule at the bottom.
If you are interested in that change let me know and I can describe that process.


(6) This can be set to NONE as it's not a secure setting.
/tool mac-server
set allowed-interface-list=LAN
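As an added worked example (not any poster's export), here is how the pieces anav lists above fit together in RouterOS export form for the home LAN on VLAN 11: the access and trunk bridge ports, the vlan_lan interface that carries the address, pool and DHCP server, an input chain that allows DNS/NTP from LAN and admin access from an address list before dropping all else, and mac-server set to none. The admin host addresses and pool range are assumptions; ether2/ether4 and the other two VLAN interfaces are omitted for brevity.

```routeros
# Added example, not the OP's config. Interface names, VLAN IDs and
# 192.168.1.0/25 follow the thread; admin addresses and pool are assumed.
/interface bridge
add name=bridge vlan-filtering=yes protocol-mode=none

/interface bridge port
# access port: untagged frames from the 'dumb' device land in VLAN 11
add bridge=bridge interface=ether3 pvid=11 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
# trunk port: only tagged frames are accepted
add bridge=bridge interface=ether5 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=11
add bridge=bridge tagged=bridge,ether5 vlan-ids=10,30

# the L3 interface for VLAN 11 sits on top of the bridge, not on a port
/interface vlan
add interface=bridge name=vlan_lan vlan-id=11

/interface list member
add interface=vlan_lan list=LAN
add interface=ether1 list=WAN

# address, pool, DHCP server and DHCP network all belong to vlan_lan,
# so the bridge itself has no IP and hands out no leases
/ip address
add address=192.168.1.1/25 interface=vlan_lan network=192.168.1.0
/ip pool
add name=pool_lan ranges=192.168.1.20-192.168.1.126
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=vlan_lan name=dhcp_local
/ip dhcp-server network
add address=192.168.1.0/25 gateway=192.168.1.1 dns-server=192.168.1.1

# admin hosts (assumed addresses; give them static leases first)
/ip firewall address-list
add list=admin address=192.168.1.10 comment="desktop"
add list=admin address=192.168.1.11 comment="laptop"

/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN comment="DNS udp"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN comment="DNS tcp"
add chain=input action=accept protocol=udp dst-port=123 in-interface-list=LAN comment="NTP"
add chain=input action=accept in-interface=vlan_lan src-address-list=admin comment="admin access"
add chain=input action=drop comment="drop all else"

# MAC telnet/winbox work at layer 2 and bypass the IP filter, so turn them off
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
```

Apply the "drop all else" rule last and only after verifying from an admin host that the address-list rule matches, otherwise the next lockout is your own.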
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Another vlan question

Sat Sep 04, 2021 2:51 pm

To clean up some mess I see in the latest config, paste this in the terminal:
/interface bridge
set bridge protocol-mode=none

/interface bridge port
remove [find where interface=sfp1]

/interface list member
add interface=vlan_guest list=LAN
add interface=vlan_cameras list=LAN
add interface=vlan_lan list=LAN

/ip firewall filter
remove [find where action=accept chain=input comment="Allow Vlan" in-interface=vlan_lan]

/ip address
set [find where address="192.168.10.1/25"] address=192.168.10.1/28

/ip pool
set pool_cameras ranges=192.168.30.2-192.168.30.14

/ip dhcp-server network
set [find where address="192.168.30.0/28"] netmask=28 dns-server=192.168.30.1 gateway=192.168.30.1
set [find where address="192.168.10.0/28"] dns-server=192.168.10.1
set [find where address="192.168.1.0/25"] dhcp-option="" dns-server=192.168.1.13,192.168.1.14,192.168.1.1

/ip dhcp-server option
remove [find]
.....

@rextended, I am assuming this post is intended to be very helpful, and it may have merit or not, but more importantly I have no clue what is being done and a tiny bit of explanation will be more fruitful for the OP's learning based on the conversation thus far. A little bit of elucidation will go a long way!!

For example
a. why are you setting protocol to none for the bridge ??
b. the op has sfp1 disabled, but my thought was that it was going to be enabled once he had the basics ironed out and thus removal may be premature?
c. Separate listing of vlans as members of interface list =LAN.
Why is this different from the current setting of the bridge being a member of the LAN, when all vlan entities' parent interface is the bridge ????

d. I missed the .25 :-( just out of curiosity why did you state /28 vice /24 ?? ( I am IP challenged)

e. Why recommend camera pool from 30.14 to a huge whopping increase to 30.15 ( remember I am IP challenged).

f. I won't even dare attempt to ask about dhcp-server network LOL.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Another vlan question

Sat Sep 04, 2021 3:11 pm

I'm not a good teacher, I give "solutions" not "explanations"

>>>a. why are you setting protocol to none for the bridge ??
Default is rstp active. If the whole network is not designed with the use of rstp in mind everywhere, better leave it off.

>>>b. the op has sfp1 disabled, but my thought it was going to be enabled once he had basics ironed out and thus removal may be premature ?
Better remove all disabled stuff, also to improve readability of the configuration.
Until used, sfp1 disabled on the bridge is perfectly useless.

>>>c. Separate listing of vlans as member of interface list =LAN.
>>>Why is this different from the current setting of the bridge being a member of the LAN, when all vlan entities parent interface is the bridge ????
The 3 interfaces vlan_cameras, vlan_guest, vlan_lan are virtually another 3 layer2 interfaces, NOT on the bridge.
On the bridge are only the 4 ethernet interfaces 2, 3, 4 and 5.

>>>d. I missed the .25 :-( just out of curiosity why did you state /28 vice /24 ?? ( I am IP challenged)
Ask the user; I made the "10.x" uniform because it is treated every time as "/28", except on the IP address where it is "10.1/25".

>>>e. Why recommend camera pool from 30.14 to a huge whopping increase to 30.15 ( remember I am IP challenged).
Because also this time the "30.x" is a /28 and the usable IPs (from the 16) go from 1 to 14 (0 is the subnet and 15 is the broadcast).

>>>f. I wont even dare attempt to ask about dhcp-server network LOL.
On dhcp networks I fix what the user missed or misconfigured, or tried to set as useless dhcp options already defined on dhcp networks:
code 6 = DNS, code 42 = NTP server, already definable on dhcp networks.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Another vlan question

Sat Sep 04, 2021 3:32 pm

Super,
I have all my vlans indicated on my interface members list and it works and now I know why.
Many thanks for clearing that up. The bridge is great when no vlans are in place; once you use a mix or all vlans, they must be included in the LAN interface members list, if that is required.

I have never set protocol to none on my bridges, so how do I know that RTSP is causing issues, what will be manifested??
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Another vlan question

Sat Sep 04, 2021 3:42 pm

(RSTP not RTSP)
I have never set protocol to none on my bridges, so how do I know that RTSP is causing issues, what will be manifested??
The problem "can" occur with interaction with other manufacturers. It's hard to say in advance...
Some examples: conflicting root bridge, dhcp assign timeout, incompatibility with other vendors' STP or MSTP mode, etc.
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Mon Sep 06, 2021 8:50 am

Reviewing the config,

(1) Almost there in terms of transferring DHCP from bridge to vlan 11 for home LAN but missed these two settings.
a. FM
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=bridge name=dhcp_local
TO
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=vlan_lan name=dhcp_local

b. FM
/ip address
add address=192.168.10.1/25 interface=vlan_guest network=192.168.10.0
add address=192.168.30.1/28 interface=vlan_cameras network=192.168.30.0

add address=192.168.1.1/25 interface=bridge network=192.168.1.0
TO
/ip address
add address=192.168.10.1/25 interface=vlan_guest network=192.168.10.0
add address=192.168.30.1/28 interface=vlan_cameras network=192.168.30.0

add address=192.168.1.1/25 interface=vlan_lan network=192.168.1.0
For the life of me I can't get this working.
I've been searching for an answer that I can't find. On normal devices you set the IP of the device, so say for instance I want the router to be 192.168.1.1. This is great and all, and I assume the correct answer, but with Mikrotik I can set the IP of an interface as well. This is throwing me for a loop. No matter what I do config-wise I can't get the vlan_lan to hand out the IPs via DHCP. They still come from the bridge. Because of this I can't make the traffic 'vlan_tagged' only on the interface. Every attempt so far has ended in some sort of failure. If I do manage to get it working I can see traffic is going across the wire but only locally.
-ether5 ingress-filtering=yes frame types only allow tagged frames.
See above


ntp is working locally as expected. I'll move on to the firewall once I get vlans nailed down. Right now I have a video recorder for cameras that is totally messing up all my stuff. Complete rogue DHCP going on even though it's supposed to be enabled. It's slowing me down at every turn.

>>>e. Why recommend camera pool from 30.14 to a huge whopping increase to 30.15 ( remember I am IP challenged).
Because also this time the "30.x" is a /28 and the usable IPs (from the 16) go from 1 to 14 (0 is the subnet and 15 is the broadcast).
Misprint on my end. Subnetting is something I'm still getting used to.
>>>f. I wont even dare attempt to ask about dhcp-server network LOL.
On dhcp networks I fix what the user missed or misconfigured, or tried to set as useless dhcp options already defined on dhcp networks:
code 6 = DNS, code 42 = NTP server, already definable on dhcp networks.
Except that I want it this way. I can set up 2 DNS servers through the DHCP network, yes, but that's not what I want. I want certain devices to use a certain DNS first. Things like smart devices, media players, etc. so that it's easier to just read the data. I'm using PiHole for DNS so if I need to block something quickly popping up on a TV I know which DNS provider to look at. It's quirky but it's a method.

So to sum up, I'm out of steam. I can't get vlan_lan to pass out leases. I'm confused about static ip for the router or for the interface? In the past you set a static ip for your 'router' (all in one) and that's what it was. With Mikrotik its a bit more convoluted to say the least. Being able to give each interface a separate network is a bit powerful, but not something I've fully grasped just yet. I can't get the vlan_lan to assign leases and because of that I can't get ether5 to send only tagged frames (anything on vlan11 gets lost).

I don't think I've changed much in my config but here's what I had as of tonight. https://pastebin.com/vJUjEHry

Again, thanks for all the help!
 
TasNeziniaKas
just joined
Posts: 2
Joined: Tue Oct 23, 2018 4:04 pm

Re: Another vlan question

Mon Sep 06, 2021 1:08 pm

can you paste "/system routerboard print" output here?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Another vlan question

Mon Sep 06, 2021 3:30 pm

(1) Quick comments
Each vlan should have
an IP address for the subnet
IP pool
dhcp server
dhcp server network.

(2) The bridge cannot possibly give out dhcp addresses if you have not defined it to do so. You are in control not the router!

(3) Let's look at the config, and this is why the bridge is giving out dhcp. As per my last post I asked you to change this ?????
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=bridge name=dhcp_lan
should be vlan_lan

(4) Why did you give your bridge an IP address, remove the line in red!!! I also asked you to do this last time.......???
ip address
add address=192.168.10.1/25 interface=vlan_guest network=192.168.10.0
add address=192.168.30.1/28 interface=vlan_cameras network=192.168.30.0

add address=192.168.1.1/25 interface=bridge network=192.168.1.0
add address=192.168.1.2/25 interface=vlan_lan network=192.168.1.0 ..Edit: as Gedas pointed out should be .1 !!

(5) OKAY please change your interface list members to the following
/interface list member
add interface=vlan_cameras list=LAN
add interface=vlan_guest list=LAN
add interface=vlan_lan list=LAN

add interface=ether1 list=WAN


(5) Curious as to the purpose of this rule. What on your vlan_lan (device at .40) is a threat on port 67??
add action=drop chain=input dst-port=67 protocol=udp src-address=192.168.1.40
Last edited by anav on Mon Sep 06, 2021 6:20 pm, edited 6 times in total.
 
Gedas
just joined
Posts: 2
Joined: Mon Feb 08, 2016 8:53 pm

Re: Another vlan question

Mon Sep 06, 2021 5:05 pm

Check
/system routerboard print
if current-firmware: is not the same as upgrade-firmware:
run
/system routerboard upgrade
and reboot

I've tried your configuration on RB750Gr3 with 6.48.4. Dhcp works through vlan when dhcp-server and IPs set properly. (like anav wrote)
You should also change ip in line "add address=192.168.1.2/25 interface=vlan_lan network=192.168.1.0" to 192.168.1.1/25
/ip address
set [ find interface=vlan_lan ] address=192.168.1.1/25
because in your "/ip dhcp-server network" gateway is set to 192.168.1.1
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Mon Sep 06, 2021 7:44 pm

Check
/system routerboard print
if current-firmware: is not the same as upgrade-firmware:
run
/system routerboard upgrade
and reboot
I'm at the most recent release. It was the first thing I did after I unboxed.
I've tried your configuration on RB750Gr3 with 6.48.4. Dhcp works through vlan when dhcp-server and IPs set properly. (like anav wrote)
You should also change ip in line "add address=192.168.1.2/25 interface=vlan_lan network=192.168.1.0" to 192.168.1.1/25
/ip address
set [ find interface=vlan_lan ] address=192.168.1.1/25
because in your "/ip dhcp-server network" gateway is set to 192.168.1.1
Yeah. I was messing around with that last night. If I set the addresses and dhcp-network to the correct numbers, 192.168.1.1/25, and set them to vlan_lan and reboot the router just fails. Nothing works.
(4) Why did you give your bridge an IP address, remove the line in red!!! I also asked you to do this last time.......???
ip address
add address=192.168.10.1/25 interface=vlan_guest network=192.168.10.0
add address=192.168.30.1/28 interface=vlan_cameras network=192.168.30.0

add address=192.168.1.1/25 interface=bridge network=192.168.1.0
add address=192.168.1.2/25 interface=vlan_lan network=192.168.1.0 ..Edit: as Gedas pointed out should be .1 !!
For some reason it won't give out leases even if I move everything to vlan_lan. I've taken everything off the bridge, 'cept for the actual ports 2-5, but it's still acting weird. If ether5 is my trunk port does it need to be on the bridge or vlan_lan? I'm really confused about this part.
(5) OKAY please change your interface list members to the following
/interface list member
add interface=vlan_cameras list=LAN
add interface=vlan_guest list=LAN
add interface=vlan_lan list=LAN

add interface=ether1 list=WAN
But the bridge should still be on the LAN correct?
(5) Curious as to the purpose of this rule. What on your vlan_lan (device at .40) is a threat on port 67??
add action=drop chain=input dst-port=67 protocol=udp src-address=192.168.1.40
Yeah. I have a video recorder for my cameras. They're designed for people to use without computers. Even though I'm disabling the DHCP on the recorder it still thinks it's supposed to pass out leases. So sometimes something will try to go to the router to get a lease but the recorder passes one out first. I was trying to keep that from happening since it isn't necessary for my video recorder to hand out leases.
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Mon Sep 06, 2021 8:24 pm

https://pastebin.com/0aCzEPUY

Its finally working!

I'm not sure what steps I was doing to make it fail but I finally have it working like it should. I'm seeing traffic on the vlans like I should. The trunk is tagged like it should, and finally I can get back to school work.

Thanks for all the help!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Another vlan question

Mon Sep 06, 2021 10:14 pm

Awesome, will have a quick look as well.
Looks good; the only thing I would change at the moment
is set this to none as it's not a secure connection to leave open:
/tool mac-server
set allowed-interface-list=LAN
 
forsquirel
just joined
Topic Author
Posts: 21
Joined: Sat Aug 14, 2021 6:46 pm

Re: Another vlan question

Tue Sep 07, 2021 2:34 am

Got it. I'll look into that and make that fix.

What was really confusing me was that I was thinking of IP addresses in terms of devices and not interfaces where everything else I've ever used you set a static ip for the device.

Now that it's working I can move forward with locking down the wifi on the EAPs.

again, thanks for all the help!
