Jammy
just joined
Topic Author
Posts: 2
Joined: Mon Mar 24, 2014 5:33 pm

CRS VLAN Management IP

Mon Mar 24, 2014 7:18 pm

I received a CRS125-24G-1S-RM on Friday and since then I've been trying to get a management IP assigned to a VLAN. I've been following the CRS examples guide and have managed to get a port based VLAN working (except that it leaks tagged traffic from other VLANs, but from what I hear that's the best that can be done at the moment). Down at the bottom of the page, it explains how to set a management IP for the VLAN, which I'd like to do so that the switch can act as the gateway. However, it doesn't seem to work.

I ran Wireshark on a host in the VLAN and attempted to ping it from the switch. In Wireshark, I can see the ARP requests from the switch (untagged) and the ARP responses from the host (also untagged). I've even reset the configuration of the router (removing what I already had configured) and tried just the VLAN configuration from scratch, but no luck. My export is below. Does anyone know what I'm doing wrong? Does anyone have this working?

ros code

[admin@MikroTik] > export
# jan/02/1970 00:35:59 by RouterOS 6.11
# software id = 76PM-XHVB
#
# Port naming and grouping: ether1 is renamed ether1-master-local, and
# ether2-ether24 plus sfp1 each name it as their master-port.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
set [ find default-name=ether24 ] master-port=ether1-master-local name=ether24-slave-local
set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
# VLAN 200 sub-interface created on the master port; the 192.168.1.1/24
# address at the end of this section is bound to it.
/interface vlan
add interface=ether1-master-local l2mtu=1584 name=vlan200 vlan-id=200
/interface ethernet switch
set bridge-type=customer-vid-used-as-lookup-vid
/port
set 0 name=serial0
# Egress on ether2/ether3 only: customer-vid 200 is rewritten to 0
# (presumably so frames leave these ports untagged - confirm against the CRS guide).
/interface ethernet switch egress-vlan-translation
add customer-vid=200 new-customer-vid=0 ports=ether2-slave-local
add customer-vid=200 new-customer-vid=0 ports=ether3-slave-local
# Ingress on ether2/ether3 only: customer-vid 0 is rewritten to 200
# (presumably classifying untagged frames into VLAN 200 - confirm).
# NOTE(review): no rule in this export limits which VLAN IDs a port may carry,
# and the post reports tagged traffic from other VLANs leaking through; verify
# isolation before treating VLAN 200 as a separated management segment.
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=200 ports=ether2-slave-local sa-learning=yes
add customer-vid=0 new-customer-vid=200 ports=ether3-slave-local sa-learning=yes
# NOTE(review): the default 192.168.88.1/24 address is still assigned to the
# master interface itself, alongside 192.168.1.1/24 on vlan200. If management
# is meant to be reachable only inside VLAN 200, confirm whether the default
# address should stay.
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
add address=192.168.1.1/24 interface=vlan200 network=192.168.1.0
# Remainder of the export: one UPnP option and the LCD panel's interface
# entries and page lists. No VLAN or addressing settings appear in this part.
/ip upnp
set allow-disable-external-interface=no
/lcd interface
set ether1-master-local interface=ether1-master-local
set ether2-slave-local interface=ether2-slave-local
set ether3-slave-local interface=ether3-slave-local
set ether4-slave-local interface=ether4-slave-local
set ether5-slave-local interface=ether5-slave-local
set ether6-slave-local interface=ether6-slave-local
set ether7-slave-local interface=ether7-slave-local
set ether8-slave-local interface=ether8-slave-local
set ether9-slave-local interface=ether9-slave-local
set ether10-slave-local interface=ether10-slave-local
set ether11-slave-local interface=ether11-slave-local
set ether12-slave-local interface=ether12-slave-local
set ether13-slave-local interface=ether13-slave-local
set ether14-slave-local interface=ether14-slave-local
set ether15-slave-local interface=ether15-slave-local
set ether16-slave-local interface=ether16-slave-local
set ether17-slave-local interface=ether17-slave-local
set ether18-slave-local interface=ether18-slave-local
set ether19-slave-local interface=ether19-slave-local
set ether20-slave-local interface=ether20-slave-local
set ether21-slave-local interface=ether21-slave-local
set ether22-slave-local interface=ether22-slave-local
set ether23-slave-local interface=ether23-slave-local
set ether24-slave-local interface=ether24-slave-local
set sfp1-slave-local interface=sfp1-slave-local
# The two page entries below are wrapped by the exporter with a trailing
# backslash; each pair of lines is one command.
/lcd interface pages
set 0 interfaces="ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-l\
    ocal,ether11-slave-local,ether12-slave-local"
set 1 interfaces="ether13-slave-local,ether14-slave-local,ether15-slave-local,ether16-slave-local,ether17-slave-local,ether18-slave-local,ether19-slave-local,ether20-slave-local,ether21-slave-local,ether22\
    -slave-local,ether23-slave-local,ether24-slave-local"
 
Jammy
just joined
Topic Author
Posts: 2
Joined: Mon Mar 24, 2014 5:33 pm

Re: CRS VLAN Management IP

Fri Mar 28, 2014 2:24 pm

Nobody got this working? Has the functionality actually been implemented yet?
 
unexpectedly
just joined
Posts: 10
Joined: Mon Mar 10, 2014 1:40 am

Re: CRS VLAN Management IP

Wed Apr 02, 2014 2:02 am

My eventual goal is to implement VLANs, so if I can get my crs125 to work at all, I'm subscribed to this thread and can read up...
nonconsensual network admin
 
infused
Member
Member
Posts: 308
Joined: Fri Dec 28, 2012 2:33 pm

Re: CRS VLAN Management IP

Wed Apr 02, 2014 9:58 am

We gave up on ours... We use them, but without management vlan. Keen to hear if someone gets that going.
 
pingus
newbie
Posts: 37
Joined: Fri Aug 24, 2007 10:04 am

Re: CRS VLAN Management IP

Wed Apr 02, 2014 9:19 pm

I went back to my Cisco L3 Switch .... Mikrotik should stop selling them!
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: CRS VLAN Management IP

Wed Apr 02, 2014 9:24 pm

I went back to my Cisco L3 Switch .... Mikrotik should stop selling them!
I have it partially working... there are some bugs currently though. There are a bunch of fixes in 6.12 and supposedly there will be more examples documented.
 
indnti
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Thu Nov 09, 2006 11:53 am

Re: CRS VLAN Management IP

Sun Apr 13, 2014 1:31 am

[quote="efaden"][quote="pingus"]I went back to my Cisco L3 Switch .... Mikrotik should stop selling them![/quote]

I have it partially working... there are some bugs currently though. There are a bunch of fixes in 6.12 and supposedly there will be more examples documented.[/quote]

Please... can you post a working VLAN configuration with a tagged VLAN Uplink port (to another switch)
That would be very nice
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: CRS VLAN Management IP

Sun Apr 13, 2014 1:40 am

I went back to my Cisco L3 Switch .... Mikrotik should stop selling them!
I have it partially working... there are some bugs currently though. There are a bunch of fixes in 6.12 and supposedly there will be more examples documented.
Please... can you post a working VLAN configuration with a tagged VLAN Uplink port (to another switch)
That would be very nice
After 6.12 is released and the full documentation updated I'd be glad to.
 
vvujasinovic
just joined
Posts: 11
Joined: Sun Apr 07, 2013 10:49 pm

Re: CRS VLAN Management IP

Wed Jul 30, 2014 6:31 pm

Please... can you post a working VLAN configuration with a tagged VLAN Uplink port (to another switch)
That would be very nice

Any updates guys?

Thanks
 
xcom
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: CRS VLAN Management IP

Wed Jul 30, 2014 8:31 pm

Team,

I have the same switch.
I went through some issues, but with help I was able to get it to work.

Though my requirements were a bit different, it might help or give others an idea...
Here are my notes:

Ok first create a vlan under the interfaces = add vlan and attach it to "bridge-local"
or you can do:

ros code

# Create the vlan2 sub-interface (VLAN ID 2) on top of bridge-local.
/interface vlan
add name=vlan2 vlan-id=2 interface=bridge-local
Then assign an IP to that VLAN; in this example we are using vlan2:

ros code

# Give the router 10.30.10.1 (mask 255.255.255.0) on the vlan2 interface.
/ip address
add interface=vlan2 address=10.30.10.1 netmask=255.255.255.0
Now we add a pool range:

ros code

# Address pool named vlan2 covering 10.30.10.100 through 10.30.10.200.
/ip pool
add name=vlan2 ranges=10.30.10.100-10.30.10.200
Now we create a dhcp server:

ros code

# DHCP server guest_vlan2 listening on the vlan2 interface.
# NOTE(review): no address pool is set on this line; the steps that follow
# select it afterwards. Confirm the server is enabled once the pool is set.
/ip dhcp-server
add interface=vlan2 name=guest_vlan2

Now we add a network to the dhcp server:

ros code

# Options handed to DHCP clients in 10.30.10.0/24: gateway 10.30.10.1 and
# DNS server 8.8.8.8.
/ip dhcp-server network
add address=10.30.10.0/24 gateway=10.30.10.1 dns-server=8.8.8.8
now we select the pool in the dhcp server

use the pool you created before named "vlan2"
You can edit the dhcp server to do this on the gui and select the pool.

Remember that the interface is vlan2 and the address pool is also named vlan2.

Make sure you have NAT enabled on the gateway interface; by default it already is :)

now we work with the firewall:

Lets create a address list... you can browse the gui to see the results:

ros code

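# Address list "bogons": the three RFC 1918 private ranges.
# The 172.16 range is a /12 (172.16.0.0-172.31.255.255). A /26 would cover only
# 172.16.0.0-172.16.0.63 and leave the rest of that private range reachable
# from the guest VLAN once the filter rule is set to drop.
/ip firewall address-list add list=bogons address=10.0.0.0/8
/ip firewall address-list add list=bogons address=172.16.0.0/12
/ip firewall address-list add list=bogons address=192.168.0.0/16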
and now we do:

ros code

# Match forwarded packets that enter on vlan2 and are destined for an address
# in the "bogons" list. action=log only records the match; the packet is still
# forwarded until the action is changed to drop.
/ip firewall filter
add chain=forward in-interface=vlan2 dst-address-list=bogons action=log
What this says is: log traffic coming in on the vlan2 interface and going to any of the private IP addresses. While the action is log, that traffic is only recorded, not blocked; you can then change the rule from action=log to action=drop in the GUI.

Move this rule to the top of the list. Once its action is drop, guests can reach any destination address except those in the bogons list. "Bogons" is a bit of a misnomer here, since the term is usually reserved for private IP ranges coming in on a WAN interface, but I like using it here.

Note that guests can still target the router's own addresses, because the rule is on the forward chain; traffic addressed to the router itself is handled by the input chain.

you can add more rules to the input chain such as blocking anything coming in the vlan2 interface, or allowing ICMP so you can still ping the gateway. you can experiment with this. If your guest network has a splash page, make sure that the splash page's ip address is allowed through.

so if your splash page is hosted on a server on the LAN, just add an allow rule on the forward chain right above the block rule. rules are matched top down.


To print and confirm some of your work:

ros code

# Read-only checks: show the vlan2 address, the pools, the DHCP servers and
# the DHCP networks configured above.
/ip address
print where interface=vlan2
/ip pool
print
/ip dhcp-server
print
/ip dhcp-server network
print
Here is a port forward example:

ros code

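# Port-forward TCP 8088 arriving at the WAN address to port 8088 on a LAN host.
# YOURWANIP and YOURLANIP are placeholders; replace them with your own addresses.
# The NAT action is spelled dst-nat (dstnat is the chain name), and the target
# properties are to-addresses and to-ports.
# As written, the rule accepts connections from any source. Add src-address= or
# src-address-list= if only known peers should reach the forwarded service.
/ip firewall nat add chain=dstnat dst-address=YOURWANIP protocol=tcp dst-port=8088 action=dst-nat to-addresses=YOURLANIP to-ports=8088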
Good luck.
 
r2504
just joined
Posts: 24
Joined: Sat Jan 21, 2012 3:00 pm

Re: CRS VLAN Management IP

Sat Oct 04, 2014 1:33 am

Where is that "bridge-local" coming from... I don't see it defined anywhere?

Also, looking at the topic starter's post... I would think the config is correct, but I have a similar one and it doesn't work either?

The question, however, is simple... define a VLAN on the CRS, link a DHCP client or server to it, and have the packets coming out UNTAGGED on a port.
 
xcom
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Sat Jul 05, 2014 8:59 pm

Re: CRS VLAN Management IP

Mon Oct 06, 2014 4:56 am

Where is that "birdge-local" comming from... I don't see it defined anywhere ?

Also looking at the topic starter... I would think the config is correct but I've a similar one and it neither works ?

The question is however simple... define a VLAN on the CRS, link a DHCP client or server to it and have the packets comming out UNTAGGED on a port.

That's exactly what I did.

bridge-local is the default switch config and it came from factory that way. All I did was create a vlan and attach it to the bridge and of course configure the dhcp, pool, etc..
