It's fixed
Link to your export doesn't work.
Not tagging vlan1 breaks everything on the switch
Just a general remark: avoid using VLAN ID 1 as tagged VLAN. In ROS, VLAN ID is used as implicit default all over the place and if one doesn't catch all the occurrences, things misbehave in most random ways. Avoid for untagged as well, if link between two devices is untagged (or hybrid with some tagged VLANs and single untagged), then VLAN ID used for untagged can be different on both ends (although it can be confusing as hell when comparing configurations).
in the address list? nope. it's got the subnet mask
Hmmm .. the problems you're describing might be due to setting router's LAN address with subnet mask omitted (i.e. 192.168.88.1 versus 192.168.88.1/24).
/interface bridge vlan
add bridge=bridge comment=guest tagged=ether5 untagged=ether2,bridge vlan-ids=10
add bridge=bridge tagged=ether5 untagged=bridge,ether2 vlan-ids=1
no point in setting up the 4 vlans I need if even 1 doesn't work.
Your config is confused LOL.
So it's clear you only have one vlan and it's being put on etherport 5.
Not sure why you need a vlan then??
It's just there in case I need to plug in and fix something
The problem is you think you can send untagged vlan data on ethernet 2 and at the same time send the bridge subnet traffic on ethernet 2.
So do pray tell what device do you have on the other end of ethernet two that will be able to pick out two streams of untagged data???
or vice versa how will the router know where incoming traffic is supposed to go...............???
Where did you get the idea you had to UNTAG bridges???
If I remove it I can't send anything to the switch.
Who knows? The last time I asked a question it sat in limbo with zero responses. This is what I've had to work with, the forums are, how you say, scatterbrain to say the least and trying to make sense of the mess it is. Its just what I ended up with.
As was noted you have a configuration for interface bridge vlans that includes vlan1, which you didn't define so it needs to be removed.
(if you need another vlan use 20 or something but you need to define it ....................
port 2 isn't disabled
Finally you have disabled ethernet 2,3,4 and spf1 so you should not have any traffic.
Oh look, that article. Yeah I've read it. I've copied and pasted it. It still doesn't work.
How do trunk ports work?
As @anav said: your VLAN setup is a mess. For example:
/interface bridge vlan
add bridge=bridge comment=guest tagged=ether5 untagged=ether2,bridge vlan-ids=10
add bridge=bridge tagged=ether5 untagged=bridge,ether2 vlan-ids=1
While ROS doesn't blurp, you can't have two VLANs untagged at the same time over any port. Yet in your case both bridge and ether2 are supposed to carry untagged frames both for VLAN ID 1 and VLAN ID 10.
It's a network in service. I can't bring it down to put it back up.
So really: read through tutorial from @anav's post and then start from scratch. My recommendation: start from blank config, first get L2 (bridge, VLANs, ...) done then add L3 (IP) stuff (this part you'll mostly copy-paste from existing config, only change a few interface names).
And ... if you decide to follow my advice of not using VLAN ID 1 explicitly anywhere, you can (easily?) change config appropriately on switch as well. Switch configuration should not be the reason not to make things on router better.
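The conflict pointed out in the post above (bridge and ether2 listed as untagged for both VLAN ID 1 and VLAN ID 10) can be checked for mechanically in an exported `/interface bridge vlan` section. This is an added example, not part of the thread or of any MikroTik tool: the function names are hypothetical, the sample is the thread's two entries laid out as constructed export lines, and it assumes one `add` per line with no backslash continuations.

```python
import re
from collections import defaultdict

# Constructed sample: the two bridge VLAN entries quoted in the thread.
SAMPLE_EXPORT = """\
/interface bridge vlan
add bridge=bridge comment=guest tagged=ether5 untagged=ether2,bridge vlan-ids=10
add bridge=bridge tagged=ether5 untagged=bridge,ether2 vlan-ids=1
"""

def _items(value):
    """Split a comma-separated RouterOS value such as 'ether2,bridge'."""
    return [p for p in value.strip('"').split(",") if p]

def parse_bridge_vlans(export_text):
    """Return one dict per 'add' line in the /interface bridge vlan section."""
    entries, in_section = [], False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            in_section = line == "/interface bridge vlan"
            continue
        if not in_section or not line.startswith("add "):
            continue
        fields = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
        entries.append({
            "bridge": fields.get("bridge", ""),
            "tagged": _items(fields.get("tagged", "")),
            "untagged": _items(fields.get("untagged", "")),
            "vlan_ids": _items(fields.get("vlan-ids", "")),
        })
    return entries

def find_problems(entries):
    """Flag explicit VLAN ID 1 and ports untagged in more than one VLAN."""
    findings, untagged_in = [], defaultdict(set)
    for e in entries:
        for vid in e["vlan_ids"]:
            if vid == "1":
                findings.append("VLAN ID 1 is configured explicitly")
            for port in sorted(set(e["tagged"]) & set(e["untagged"])):
                findings.append(f"{port} is both tagged and untagged in VLAN {vid}")
            for port in e["untagged"]:
                untagged_in[(e["bridge"], port)].add(vid)
    for (bridge, port), vids in sorted(untagged_in.items()):
        if len(vids) > 1:
            findings.append(
                f"{port} on {bridge} is untagged in VLANs {','.join(sorted(vids))}")
    return findings

if __name__ == "__main__":
    for finding in find_problems(parse_bridge_vlans(SAMPLE_EXPORT)):
        print(finding)
```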
People might be more willing to listen if you didn't come across as a tad bit arrogant.
Correct, my bad ether 2 was not disabled.
However, my help here has ended, I am but a lowly home owner and
not a network admin so you know best.
In Mikrotik world, trunk ports are ports carrying (one or) multiple tagged VLANs and no untagged VLANs. Ports carrying some tagged and (exactly) one untagged VLANs are called hybrid ports.
How do trunk ports work?
Changing network topology (adding VLANs into the mix is exactly that) is like replacing car's wheel. Kind of hard to do it while driving on a highway, much easier when car is parked at a curb or even in a garage. Specially if you don't know exactly what needs to be done.
It's a network in service. I can't bring it down to put it back up.
Not sure what exactly do you mean with this.
Honestly, the answers I've gotten kinda make sense about this forum.
And yet in other ecosystems you can. I've done it in OpenWRT without having to dismantle the system.
Changing network topology (adding VLANs into the mix is exactly that) is like replacing car's wheel. Kind of hard to do it while driving on a highway, much easier when car is parked at a curb or even in a garage. Specially if you don't know exactly what needs to be done.
Honestly, the answers I've gotten kinda make sense about this forum.
This place doesn't get the best reputation on other forums/sites.
Not sure what exactly do you mean with this.
... read this post and get back.
Well, if some poster comes and uses all the right buzzwords, I tend to assume that user knows the meaning of buzzwords. And if that user doesn't indicate he's coming from another ecosystem (where buzzwords might have slightly different meaning), why should I care explaining what exactly those buzzwords mean in MT ecosystem? After all, one writing a post should explain all the circumstances that might affect the meaning of question and if question poster doesn't do it, why should answer poster?
Assuming everyone who asks a question understands the complete terminology and ecosystem is a bit naive.
I'm not an IT person. Never said I was.
Let me be clear, if you are actually a qualified networking IT manager and you actually read the article I linked, then you would have understood it and your config would not have been so sloppy.
When did I say that? I mentioned OpenWRT once.
I am extremely patient with new homeowners learning the ropes, I have less time for snotty nosed arrogant I think I am gods gift to the world Network guy with obviously some useless certification.
Most folks actually come here with an open mind, it seems, but in your case, if it doesn't behave or config like openwrt there must be something wrong with RoS - Cry me a river!!
This right here is what I'm talking about. I'm sorry I can't be as perfect as you but one day I hope that maybe, just maybe, I will.
Also, a real IT guy would have fixed the config posted it for review and it would be close to correct based on the excellent feedback support provided thus far.
But NOOOOOOOOOO, just a lot of whining........
Apology accepted
Then my bad for some wrong assumptions.
This is why we don't assume
Quote: "It's a network in service. I can't bring it down to put it back up." Implies you are in charge of a network to me.
I tried it many times before I ever even started using my equipment. I tried it in a VM and the imports would fail.
Quote: "that article tried it copied pasted it didn't work............no you didn't work, the article is excellent
He said bring the system down. I stated that I had implemented vlans in a system without having to bring it down in another system. I wasn't dismissing anyone. I was stating I couldn't bring my system down. If that's a dismissal, then there's a huge communication barrier going on here.
Quote: "And yet in other ecosystems you can. I've done it in OpenWRT without having to dismantle the system." in this case you're responding/challenging one of the most knowledgeable and friendly to a fault guys in this forum (definitely not me) who is giving you very good advice and learning points which you seem to dismiss at will..
what thread?
Besides dissing the forums because you didn't get free satisfaction prior. Can you link to the thread so I can see what was missed?
what config? My current one? I just got rid of all the vlans and am using the CSS as a dumb switch now.
Regardless, of the above, Where is the config............... feedback and assistance cannot be provided without the information requested.
Clearly you just want to whine and not get at the root of the config issues. Did you attempt to follow the link more closely??
I can go on all day, so lets just get your config where it needs to be and simply work with the facts.........
This is what I've been playing with so far. I had it working for a bit with 99 but as soon as I removed vlan1 everything halts. Hence the reason I'm just keeping it as is for now.
Suggest
vlan10 for wifi
vlan 99 for management
I've got most of that set up. My issue is the bridge. Before, because I was switching on the all in one device, I had to include a bridge. I really think this is what is hanging me up.
provide both eap and switch IP addresses on management vlan.
Keep vlan1 as the default pvid on both router and switch no need to define or do anything different (same as any other vendor switch etc.)
On the router enable bridge vlan filtering after setting up interface bridge ports and interface bridge vlans
Works for me from any MT router to MT switch, netgear switch, dlink switch, tplink switch, MT AP, tplink AP etc.......
Just keep add vlans as required to the router
the 4 needed items are ip pool, ip address, dhcp-server, dhcp-server network interface is the single bridge.
Thanks, I appreciate it.
on the switch and APs just need to add the vlan IDs ...........
On the switch if you want to be consistent with router setup, then do basically the same with a single bridge and interface bridge ports and interface bridge vlans as required.
I use a hex router as a switch on my desktop so configured.
If you need examples let me know.
yeah. the issue was the default vlan. I've gone down to 1 bridge
Hi there,
(1) The bridge vlan section needs to be fixed.
Delete the default one, not sure what happens when you have two selected for vlan filtering like that.
Only need one bridge active.
(note: I dont have ingress filtering set on my bridge, no harm in that, and basically the only action here is to enable vlan filtering once the config is setup.)
yeah, and testing purposes. I'm down to 3. Unfortunately I can't figure out how to get the router to get an IP from the vlan_lan pool
(2) You have four vlans and five IP pools, so will assume one is for the bridge itself.
5 Is for carrying everything tagged except for 1 which is untagged. I've the bridge setup and working because I can change PVID on the switch and I get the appropriate vlan_DHCP serving handing out address. Plus I can access the internet.
(3) Looking at bridge port settings
You have the wrong name for the bridge
ether2 is a regular port providing regular LAN (no vlans)
ether3 is an access port for vlan2
ether4 is a regular port providing regular LAN traffic (no vlans)
ether5 is a trunk port carrying vlans 2,10,30,99
One bridge now, named 'Bridge'
(4) Looking at bridge vlan settings
you are forgetting to tag the bridge
you are tagging the wrong bridge name (wrong name).
This is where I'm completely stuck. I want to just remove and DHCP from the bridge, but it fails. I can switch around some interfaces but then the gateway goes to another subnet 192.168.1 to .2.
Overall my suggestion is not to mix functionality.
By that i mean I achieve most success and more quickly by NOT having the bridge give out subnet info.
So what I would do is create a home vlan11 and remove any bridge responsibilities from dhcp.
/interface vlan
add interface=bridge-test name=vlan_home_users vlan-id=11
/ip dhcp-server
add address-pool=dhcp disabled=no interface=vlan_home_users name=dhcp_bridge
/ip address
add address=192.168.1.1/25 interface=vlan_home_users network=192.168.1.0
The only question you have to ask yourself is which ports do you want vlan11 to go on, if to a smart device then tagged
if to a dumb PC, then untagged and a pvid would have to be assigned to the port.
In my case my vlan11 is also my management vlan because I am on vlan 11 for all my devices.
I limit only me as part of vlan11 that has admin privileges (full access to router and access to all other vlans by way of firewall rules).
I'm not sure if I should set a static ip for the router (not sure how exactly) or let DHCP hand out the first address to the router (again, not sure how exactly).
To clean up some mess I see in the latest config, paste this in the terminal:
/interface bridge
set bridge protocol-mode=none
/interface bridge port
remove [find where interface=sfp1]
/interface list member
add interface=vlan_guest list=LAN
add interface=vlan_cameras list=LAN
add interface=vlan_lan list=LAN
/ip firewall filter
remove [find where action=accept chain=input comment="Allow Vlan" in-interface=vlan_lan]
/ip address
set [find where address="192.168.10.1/25"] address=192.168.10.1/28
/ip pool
set pool_cameras ranges=192.168.30.2-192.168.30.14
/ip dhcp-server network
set [find where address="192.168.30.0/28"] netmask=28 dns-server=192.168.30.1 gateway=192.168.30.1
set [find where address="192.168.10.0/28"] dns-server=192.168.10.1
set [find where address="192.168.1.0/25"] dhcp-option="" dns-server=192.168.1.13,192.168.1.14,192.168.1.1
/ip dhcp-server option
remove [find]
The problem "can" occur with interaction with other manufacturers. It's hard to say in advance...
I have never set protocol to none on my bridges, so how do I know that RTSP is causing issues, what will be manifested??
For the life of me I can't get this working.
Reviewing the config,
(1) Almost there in terms of transferring DHCP from bridge to vlan 11 for home LAN but missed these two settings.
a. FM
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=bridge name=dhcp_local
TO
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=vlan_lan name=dhcp_local
b. FM
/ip address
add address=192.168.10.1/25 interface=vlan_guest network=192.168.10.0
add address=192.168.30.1/28 interface=vlan_cameras network=192.168.30.0
add address=192.168.1.1/25 interface=bridge network=192.168.1.0
TO
/ip address
add address=192.168.10.1/25 interface=vlan_guest network=192.168.10.0
add address=192.168.30.1/28 interface=vlan_cameras network=192.168.30.0
add address=192.168.1.1/25 interface=vlan_lan network=192.168.1.0
See above-ether5 ingress-filtering=yes frame types only allow tagged frames.
Misprint on my end. Subnetting is something I'm still getting used to.
>>>e. Why recommend camera pool from 30.14 to a huge whopping increase to 30.15 ( remember I am IP challenged).
Because also this time the "30.x" is a /28 and usable IP (from the 16) go from 1 to 14 (0 is subnet and 15 is broadcast)
Except that I want it this way. I can set up 2 DNS servers through the DHCP network yes, but that's not what I want. I want certain devices to use a certain DNS first. Things like smart devices, media players, etc. so that it's easier to just read the data. I'm using PiHole for DNS so if I need to block something quickly popping up on a TV I know which DNS provider to look at. It's quirky but it's a method.
>>>f. I won't even dare attempt to ask about dhcp-server network LOL.
On dhcp networks I fix what the user miss or misconfigure, or try to useless dhcp option already defined on dhcp networks
code 6 = DNS, code 42 = NTP server, already defineable on dhcp networks
I'm at the most recent release. It was the first thing I did after I unboxed.
Check
/system routerboard print
if current-firmware: is not the same as upgrade-firmware: run
/system routerboard upgrade
and reboot
Yeah. I was messing around with that last night. If I set the addresses and dhcp-network to the correct numbers, 192.168.1.1/25, and set them to vlan_lan and reboot the router just fails. Nothing works.
I've tried your configuration on RB750Gr3 with 6.48.4. Dhcp works through vlan when dhcp-server and IPs set properly. (like anav wrote)
You should also change ip in line "add address=192.168.1.2/25 interface=vlan_lan network=192.168.1.0" to 192.168.1.1/25 because in your "/ip dhcp-server network" gateway is set to 192.168.1.1
/ip address
set [ find interface=vlan_lan ] address=192.168.1.1/25
for some reason it won't give out leases even if move everything to vlan_lan. I've taken everything off the bridge, cept for the actual ports 2-5, but it's still acting weird. If ether5 is my trunk port does it need to be on the bridge or vlan_lan? I'm really confused about this part.
(4) Why did you give your bridge an IP address, remove the line in red!!! I also asked you to do this last time.......???
ip address
add address=192.168.10.1/25 interface=vlan_guest network=192.168.10.0
add address=192.168.30.1/28 interface=vlan_cameras network=192.168.30.0
add address=192.168.1.1/25 interface=bridge network=192.168.1.0
add address=192.168.1.2/25 interface=vlan_lan network=192.168.1.0 ..Edit: as Gedas pointed out should be .1 !!
But the bridge should still be on the LAN correct?
(5) OKAY please change your interface list members to the following
/interface list member
add interface=vlan_cameras list=LAN
add interface=vlan_guest list=LAN
add interface=vlan_lan list=LAN
add interface=ether1 list=WAN
Yeah. I have a video recorder for my cameras. They're designed for people to use without computers. Even though I'm disabling the DHCP on the recorder it still thinks it's supposed to pass out leases. So sometimes something will try to go to the router to get a lease but the recorder passes one out first. I was trying to keep that from happening since it isn't necessary for my video recorder to hand out leases.
(5) Curious as to the purpose of this rule. What on your vlan_lan (device and .40) is a threat on port 67??
add action=drop chain=input dst-port=67 protocol=udp src-address=192.168.1.40