bbhit
just joined
Topic Author
Posts: 7
Joined: Sun Apr 07, 2019 4:41 pm

Mikrotik CSS326-24G VLANS

Wed Apr 24, 2019 2:27 pm

Greetings to everyone,
I am new to the CSS326-24G; the attached diagram depicts the central part of our network. I have gone through all the wikis on the CSS326, such as https://wiki.mikrotik.com/wiki/SWOS/CSS326-VLAN-Example and https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table,
but I am unable to set up VLANs so that my UNIFI corporate network receives addresses from DHCP SERVER 1 and the public network receives addresses from DHCP SERVER 2.
1. public network is opened to everyone on the subnet 10.10.1.x, VLAN ID: 20
2. Corporate network is secured and meant for internal use only, subnet 192.168.1.x, VLAN ID: 10
Question:
- How do I configure the trunk ports for the three switches to pass on the traffic for both VLANs to the UNIFIs and ensure that the rest of the access ports on the various switches only receive traffic from the corporate network with VLAN ID: 10?
- Should I allow corporate vlan on native vlan ID: 1 or change it to 10?
I have tried to do this for some time now but have not succeeded in letting my UNIFIs broadcast public with addresses from DHCP SERVER 2 and corporate from DHCP SERVER 1.
- I have already created both corporate networks and public SSID. In the meantime, corporate works fine and receives addresses from DHCP SERVER 1, but public was also still receiving addresses from DHCP SERVER 1. So I tagged the public network in the UNIFI controller with VLAN 20; after that, public could not receive any address from either DHCP SERVER 1 or 2.
 
Arcee
Member Candidate
Posts: 272
Joined: Fri Jun 27, 2014 2:33 pm

Re: Mikrotik CSS326-24G VLANS

Wed Apr 24, 2019 3:17 pm

I haven't read your thread in full, but I can tell you I have been playing with VLAN configurations a lot recently and I got frustrated many times along the way.

This is the only article that worked for me:

https://wiki.mikrotik.com/wiki/Manual:C ... with_Bonds

Seems there are conflicting documents on how to work with VLANs.

 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Mikrotik CSS326-24G VLANS

Wed Apr 24, 2019 5:28 pm

Your configuration is really pretty simple.
The trunks between the three switches need to have VLANs 10 & 20. Assuming that the WiFi APs know that SSID 1 connects to VLAN 10 and SSID 2 connects to VLAN 20, then the switch ports connected to the three Unifi APs will be just like the switch to switch trunks. I am not specifically familiar with the Unifi APs, but if they are like my cloud managed APs, they MUST have a non-tagged LAN available to connect to their cloud management system. That LAN does NOT need to be available to either SSID. Your APs may be different, however. On my switch to switch or switch to router VLAN trunks, I do not have any non-tagged traffic. I know some people will argue that you need to have something untagged on those ports, but I don't, and the ports are configured for VLAN traffic only.
All the ports for user PCs that are supposed to be on the corporate LAN need to be untagged on VLAN 10. The ports for the two DHCP servers need to be untagged on their respective VLANs.
I am using the exact same switch for a very similar configuration at home, so I can grab screen captures etc.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Mikrotik CSS326-24G VLANS

Wed Apr 24, 2019 5:33 pm

One other thing you could easily test. Configure a user PC port to VLAN 20 instead of VLAN 10 and confirm that the PC gets a DHCP address from DHCP server 2. That will confirm that your DHCP and switch to switch links are OK.
Part two - Are you sure that your WiFi APs are configured properly for the two VLANs?
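
The port layout and the test described in the two replies above can be checked on paper before touching the switch. The following is an added example, not part of the original posts and not SwOS configuration: it models only VLAN membership and the default VLAN ID of each port, and the port names (`ap`, `dhcp1`, `dhcp2`, `pc`) and the untagged AP management VLAN 1 are assumptions made for illustration.

```python
# Added example: a minimal model of 802.1Q port-based VLAN membership.
# Port names and the layout below are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Switch:
    pvid: dict      # port -> VLAN applied to untagged frames arriving on that port
    members: dict   # VLAN ID -> set of ports that belong to it

    def flood(self, ingress, tag=None):
        """Ports that receive a broadcast (e.g. a DHCP DISCOVER) entering on `ingress`."""
        vlan = tag if tag is not None else self.pvid[ingress]
        ports = self.members.get(vlan, set())
        if ingress not in ports:          # ingress port is not a member: frame is dropped
            return set()
        return ports - {ingress}

def dhcp_reached(sw, ingress, tag=None):
    """Names of the DHCP server ports a client's broadcast arrives at."""
    return sorted(p for p in sw.flood(ingress, tag) if p.startswith("dhcp"))

def shared_ports(sw, a, b, trunks):
    """Non-trunk ports that sit in both VLANs and would bridge the two networks."""
    return sorted((sw.members[a] & sw.members[b]) - set(trunks))

def build(dhcp2_in_vlan20=True, pc_vlan=10):
    # AP port: VLAN 1 untagged (management), VLANs 10 and 20 tagged, like a trunk.
    members = {1: {"ap"}, 10: {"ap", "dhcp1"}, 20: {"ap"}}
    if dhcp2_in_vlan20:
        members[20].add("dhcp2")
    members[pc_vlan].add("pc")
    pvid = {"ap": 1, "dhcp1": 10, "dhcp2": 20, "pc": pc_vlan}
    return Switch(pvid, members)

if __name__ == "__main__":
    good = build()
    print("corporate SSID (tag 10):", dhcp_reached(good, "ap", 10))
    print("public SSID (tag 20):   ", dhcp_reached(good, "ap", 20))
    print("wired PC (untagged):    ", dhcp_reached(good, "pc"))
    print("PC moved to VLAN 20:    ", dhcp_reached(build(pc_vlan=20), "pc"))
    print("dhcp2 port left out:    ", dhcp_reached(build(dhcp2_in_vlan20=False), "ap", 20))
    print("ports in both VLANs:    ", shared_ports(good, 10, 20, trunks=["ap"]))
```

An empty result for a tagged SSID means no DHCP server port is a member of that VLAN, and any non-trunk port reported by `shared_ports` is a place where the public and corporate networks would meet.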
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Mikrotik CSS326-24G VLANS

Thu Apr 25, 2019 12:12 am

Here are some screen captures from one of the CSS326 switches located in my family room. Most of the ports don't really matter, but I will point out a few. Along with a bunch of end devices in the house, both internet modems connect to this switch (port 1 for the cable and port 9 for the DSL). Port 3 is a trunk between the Family room switch and the Garage switch where both routers are connected. The trunk carries every VLAN in use in the house (all 20 of them). Port SFP1 (not shown in the first two captures) is a second trunk to the garage switch that will become an Aggregate Group when I get the diverse routed conduit run between the house and garage. Port 21 is one of my WiFi access points. It has VLAN 101 untagged along with a bunch of VLANs tagged (four of which will appear on four different SSIDs on the WiFi). BTW, you can ignore Router 3 (ports 11 & 13). That used to be used for some remote test access before my DSL provider changed my service and it was no longer useful. It never had any routing between all the VLANs.

Links tab:
Image

VLAN tab:
Image

VLANs tab:
Image

Does this help?
 
bbhit
just joined
Topic Author
Posts: 7
Joined: Sun Apr 07, 2019 4:41 pm

Re: Mikrotik CSS326-24G VLANS

Fri Apr 26, 2019 11:37 am

I sincerely appreciate all the wonderful replies. I will carefully try the suggestions and give you feedback ASAP.
Thanks K6CCC for the screenshots, I think they will be really helpful.
regards
 
bbhit
just joined
Topic Author
Posts: 7
Joined: Sun Apr 07, 2019 4:41 pm

Re: Mikrotik CSS326-24G VLANS

Wed May 01, 2019 4:42 pm

I had time to try the suggestions above, especially the screenshots k6ccc shared with me. I made a step forward: I could at least create the two VLANs without my corporate WiFi going down like before, but the challenge was how to tag my DHCP server 1 with VLAN 10 and DHCP server 2 with VLAN 20. So I allowed the corporate network on VLAN 1 (default) and it could get IP addresses from DHCP server 1 as before. I set up the second VLAN 20 and it did not interfere with VLAN 1, as the corporate VLAN was still working well, but the public network still could not receive any address from DHCP server 2.
On my UNIFI controller, I tagged corporate WiFi with VLAN 10, but this caused my DHCP SERVER 1 to stop giving addresses to the corporate WiFi network.
So my question is: How do I tag DHCP SERVER 1 to VLAN 1 (since I have decided to allow it on the native VLAN) and then tag DHCP SERVER 2 on VLAN 20, so that the public network can only get addresses from DHCP server 2, while corporate WiFi from the same UNIFI AP receives addresses from DHCP SERVER 1?
It's weird to work with mixed-vendor equipment, like my case with MikroTik and Ubiquiti. Not so sure how the UNIFI controller communicates with the DHCP server, or how to tell it to link public WiFi from the UNIFI APs to DHCP 2. Not so sure how all this works.
Any ideas?
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Mikrotik CSS326-24G VLANS

Wed May 01, 2019 5:16 pm

As for your DHCP servers, from your drawing, they are some device that is untagged. Simply put them on a switch port that is untagged on the correct VLAN. Same concept as my Cable Modem on port 1. In my case that is untagged on VLAN 100, but the concept is the same.
 
bbhit
just joined
Topic Author
Posts: 7
Joined: Sun Apr 07, 2019 4:41 pm

Re: Mikrotik CSS326-24G VLANS  [SOLVED]

Fri May 03, 2019 1:05 pm

k6ccc, you are a game changer, you made my day. After almost giving up and looking at your reply, I just turned on any on the VLAN page, on port 19 where DHCP server 2 was connected, and I discovered that vlan2 worked like magic. So glad this finally worked.
So I am good to go.
Once more, thanks for the great contributions from everyone.
-> Lesson learnt about SwOS: The most important thing in setting up VLANs on SwOS is VLAN membership; you add a certain number of ports to a particular VLAN. I noticed that tagging or untagging made not much difference. Not too sure though, but it was exciting that at the tail end we are able to stream our TVs (http://www.tvs4jesus.org/ ) on public WiFi while corporate remains secured for internal use.
Kudos