vobali

vlan across two mikrotik devices

Thu Sep 23, 2021 8:02 am

Hi,

I have two hosts, each connected to a different mikrotik device that I would like to be able to reach each other over vlan.

pc1 <-> eth4 / mikrotik1 / eth3 <-> eth3 / mikrotik2 / eth4 <-> pc2

PCs are connected to the mikrotiks' ether3, and the mikrotiks are connected to each other over ether4.

I want eth4 to be access port for vlan10, and eth3 hybrid (vlan1 - untagged, vlan10 - tagged)

With my current setup, pc1 can ping mikrotik1, pc2 can ping mikrotik2, but no tagged traffic goes between mikrotik1 and mikrotik2 over eth3. At the same time, untagged traffic goes fine over the same physical interface.

With the setup below, I can ping mikrotik2 from mikrotik1 with ip 10.5.205.X (untagged interface), but no luck when using 10.0.0.X (tagged interface). Local traffic (pc - mikrotik over eth4) goes fine.

I am almost there, but missing some basic info how to add ether3 to vlan 10 while allowing untagged traffic at the same time, can you help me?

I am testing it on 2x hap lite (RB941-2nD) - my test environment, but at the end of the day I will be running this on crs 326 and crs 328.

Here's my config of mikrotik2 - it is almost identical on mikrotik1:
[admin@hap-lite-b-hp] > /export hide-sensitive
# sep/22/2021 22:04:04 by RouterOS 6.48.4
# software id = MLRS-PPDF
#
# model = RB941-2nD
# serial number = D0550C4357A2
/interface bridge
add admin-mac=48:8F:5A:C2:89:7A auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-C2897E station-roaming=enabled wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-uplink
set [ find default-name=ether3 ] name=ether3-interlink
set [ find default-name=ether4 ] name=ether4-hp
/interface vlan
add interface=bridge name=vlan-10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-uplink
add bridge=bridge comment=defconf interface=ether3-interlink
add bridge=bridge comment=defconf interface=ether4-hp pvid=10
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
add bridge=bridge interface=vlan-10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3-interlink untagged=ether4-hp vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add list=LAN
/ip address
add address=10.5.205.152/24 interface=bridge network=10.5.205.0
add address=10.0.0.4/24 interface=vlan-10 network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.5.205.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=10.5.205.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=hap-lite-b-hp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@hap-lite-b-hp] >
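
As an added example (not part of the original post and not MikroTik tooling), a short Python check over an export like the one above flags three things a reviewer would look at in it: a VLAN interface that is also a port of its parent bridge, a bridge missing from the tagged list of a VLAN it carries an interface for, and firewall filter rules that are disabled drops or unconditional accepts. The sample export is a constructed excerpt of the posted config, `parse_export` and `audit` are hypothetical names, and the parser assumes one `add` per line and single VLAN ids (no ranges).

```python
import re

# Constructed excerpt mirroring the sections of the export posted above.
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge name=vlan-10 vlan-id=10
/interface bridge port
add bridge=bridge interface=ether3-interlink
add bridge=bridge interface=ether4-hp pvid=10
add bridge=bridge interface=vlan-10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3-interlink untagged=ether4-hp vlan-ids=10
/ip firewall filter
add action=drop chain=input comment="drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward
add action=accept chain=input
"""

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Group 'add' lines under their /menu path as dicts of key=value."""
    menus, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            item = {k: v.strip('"') for k, v in PAIR.findall(line)}
            menus.setdefault(current, []).append(item)
    return menus

def audit(text):
    """Return review findings; hypothetical helper, not a RouterOS tool."""
    m, out = parse_export(text), []
    ports = {p["interface"]: p["bridge"] for p in m.get("/interface bridge port", [])}
    for v in m.get("/interface vlan", []):
        # A VLAN interface stacked on the bridge should not also be a port of it.
        if ports.get(v["name"]) == v["interface"]:
            out.append(f"{v['name']}: VLAN interface is a port of its parent bridge")
        # The bridge itself must be a tagged member for its VLAN interface to see traffic.
        rows = [r for r in m.get("/interface bridge vlan", [])
                if v["vlan-id"] in r.get("vlan-ids", "").split(",")]
        if not any(v["interface"] in r.get("tagged", "").split(",") for r in rows):
            out.append(f"{v['name']}: {v['interface']} not tagged for VLAN {v['vlan-id']}")
    for r in m.get("/ip firewall filter", []):
        if r.get("disabled") == "yes" and r.get("action") == "drop":
            out.append(f"disabled drop rule in chain {r['chain']}")
        elif r.get("action") == "accept" and set(r) == {"action", "chain"}:
            out.append(f"unconditional accept in chain {r['chain']}")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```
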
 
anav

Thu Sep 23, 2021 3:43 pm

A network diagram would help.
 
k6ccc

Thu Sep 23, 2021 5:31 pm

I am doing exactly the same thing. My router #1 is connected to my cable based internet and has a collection of LANs and VLANs connected to other ports. All the LANs and VLANs on router #1 are my .10x series of names. Router #2 is connected to my DSL internet (gets replaced with fiber in a week), and also has a collection of LANs and VLANs on other ports. All the LANs and VLANs on router #2 are my .20x series of names. On both routers, port 5 is what I call my .211 LAN that is a direct connection between port 5 of the two routers (and nothing else). Each router has an IP on the .211 LAN - 192.168.211.251 for router #1 and 192.168.211.252 for router #2. On Router #1 there are static routes for all the .20x series LANs that list the IP address of router #2 on the .211 LAN as the Gateway.
/ip route> export
# model = RB4011iGS+
/ip route
add distance=1 dst-address=192.168.201.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.202.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.203.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.204.0/24 gateway=192.168.211.252
add distance=1 dst-address=192.168.205.0/24 gateway=192.168.211.252
There are similar routes on router #2 for the LANs on router #1. Obviously there are firewall rules to allow only what I want to be able to get between routers.
 
anav

Thu Sep 23, 2021 6:17 pm

Why?
Not just have one router with two WAN connections??
 
k6ccc

Thu Sep 23, 2021 6:41 pm

anav wrote:
Why?
Not just have one router with two WAN connections??

In my case, it's a combination of old history and redundancy - if one router fails, I still have something working. Actually one of my changes will be to merge them into the 4011 router. Hopefully get that completed this weekend in prep for the upgrade from my DSL to fiber as the #2 internet connection next week.
 
anav

Thu Sep 23, 2021 6:52 pm

Makes sense, I have my CCR1009 handling a gig fiber network (primary) and also have a cable modem (backup except primary for email as it was our primary for many years).
I have a hex router mostly configured as a plug-in backup in case the router fails. My other hex is now a switch on my desk and my RB45Gx4 is acting as a wireguard router (server) behind the hex switch on my desk.
 
k6ccc

Thu Sep 23, 2021 7:47 pm

My router history goes something like this. Way back when I first got DSL (mid 90s), I had one consumer grade router with some stuff on the LAN side. I got into a ham radio application that I needed two ports for that had to be on separate public IP addresses (they fixed that need a long time ago). Since my DSL would provide me up to 5 static addresses, I plugged the DSL into a hub (yes, that long ago), and added a second consumer router to provide LAN for the second instance of the ham radio application. Somewhere along the line, I added WiFi and wanted it to be totally isolated from the home LAN, so added a third consumer grade router. Later, a second WiFi, so a fourth router for the second WiFi.

Got tired of the crappy reliability of the consumer grade routers, and had multiple recommendations for these routers that I had never heard of from some company in Latvia - Mikrotik. Bought a RB750r2 that took the place of all four consumer routers and still allowed me the ability to have total isolation between the LANs - with pinholes between LANs where I desired. A while later I added a second RB750r2 and re-arranged LANs a bit so I would have redundancy.

Three years ago, I was able to get cable based internet at something faster than 100mb/s so replaced one of the RB750r2 routers with a RB750Gr3. So router #1 (the RB750Gr3) used the cable internet and router #2 (the RB750r2) used the DSL. A few weeks ago they FINALLY got fiber to my neighborhood, so the DSL will get replaced with fiber next week. In prep for that, I replaced router #1 (the 750Gr3) with a RB4011iGS+. This weekend I will move the DSL onto the 4011 mainly to make sure I can make dual WANs work right. Next week the fiber gets installed and will go into the RB4011 in place of the DSL. The RB750Gr3 will become a warm spare in case the RB4011 dies. At least one of the RB750r2s will be reconfigured as a switch that will be used to expand ports in my garage data cabinet (I'm running out of ports). Yea, I realize that I only gain 3 ports by using the RB750r2 as a switch to expand port capacity on the CSS326 - so it's hardly worth it (but I have them)....
