ashoka
just joined
Topic Author
Posts: 9
Joined: Wed Nov 04, 2020 11:08 pm

CSS610-8G-2S+ and VLANs

Wed Nov 04, 2020 11:24 pm

Hi everyone,
I have just received my CSS610-8G-2S+ and I am unable to configure the VLANs properly.
There is a new scenario in the VLAN setup section: no "enabled" option. I saw in another topic that the developers suggest using "strict" but it is not working at all in my setup.
My setup is fairly simple:
- Trunk: with VLANs 10, 20, 30 and 40
- Hybrid port
- Several access ports.
This scenario is identical to the examples found in the (suggested) switch wiki: https://wiki.mikrotik.com/wiki/SWOS/CSS326-VLAN-Example. But I've tried all the possible combinations for my Trunk port and it is not working.
Was anyone successful with the VLAN setup?
I guess that running a release-candidate firmware is just ridiculous; even if this is a new product. MikroTik should offer a solution soon because this is absolutely unprofessional.
 
nagylzs
Member
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: CSS610-8G-2S+ and VLANs

Thu Nov 05, 2020 1:08 pm

Please look at threads written by others before you ask something that has already been asked.

Everybody is having problems with CSS610-8G-2S+ devices

viewtopic.php?f=17&t=167891
viewtopic.php?f=17&t=168475
viewtopic.php?f=17&t=167049
viewtopic.php?f=17&t=168159
 
ashoka
just joined
Topic Author
Posts: 9
Joined: Wed Nov 04, 2020 11:08 pm

Re: CSS610-8G-2S+ and VLANs

Thu Nov 05, 2020 7:32 pm

Please look at threads written by others before you ask something that has already been asked.

Everybody is having problems with CSS610-8G-2S+ devices

viewtopic.php?f=17&t=167891
viewtopic.php?f=17&t=168475
viewtopic.php?f=17&t=167049
viewtopic.php?f=17&t=168159

Sorry, my fault. I didn't see viewtopic.php?f=17&t=168159; the main topics in the other threads are other than VLAN setup.

I've been tinkering with the VLAN setup this morning and I've got unsatisfactory results. I can't make it run. On the other hand, I rescued an old RB260GS and upgraded it to the latest firmware, and my net runs fine. Thus, I guess that there is something wrong with the CSS610 firmware. If somebody makes some progress, please let us know.

Thanks.
 
nagylzs
Member
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: CSS610-8G-2S+ and VLANs

Thu Nov 05, 2020 9:09 pm

MikroTik has released their new product with unstable firmware (release candidate); it is full of bugs. This is not what they usually do. I'm disappointed. There are some CSS610 devices sitting on my shelf right now, and I'm not sure what to do with them. :-(
 
ashoka
just joined
Topic Author
Posts: 9
Joined: Wed Nov 04, 2020 11:08 pm

Re: CSS610-8G-2S+ and VLANs

Thu Nov 05, 2020 9:58 pm

MikroTik has released their new product with unstable firmware (release candidate); it is full of bugs. This is not what they usually do. I'm disappointed. There are some CSS610 devices sitting on my shelf right now, and I'm not sure what to do with them. :-(

Same feeling here. I am running a Data Science Lab and we have been upgrading old network stuff (HP and Netgear) to MikroTik. We planned to retire our ancient pfSense whitebox and buy at least one beefy router from MikroTik. But... guys... I can hardly believe that the CSS610 was shipped with an rc firmware that makes it impossible to run VLANs: it is supposed to be a managed switch.
 
ashoka
just joined
Topic Author
Posts: 9
Joined: Wed Nov 04, 2020 11:08 pm

Re: CSS610-8G-2S+ and VLANs

Fri Nov 13, 2020 1:24 pm

I received a reply from MikroTik an hour ago and I did a quick test. And it works!

[...]
First, try to disable the "Add Information Option" under the System menu.
For access or untagged ports, use "VLAN Mode = optional", "VLAN Receive = only untagged" and specify the "Default VLAN ID". For the trunk or tagged ports, use "VLAN Mode = strict", "VLAN Receive = only tagged". And make sure to include all the necessary member ports for each VLAN ID under the VLANs menu.
[...]
The wiki manuals will get updated, thank you for pointing this out. We are still working on a new SwOS version for CSS610 devices, but I cannot predict when this version will be available.
[...]

It is a good starting point.
 
mazay
just joined
Posts: 15
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth

Re: CSS610-8G-2S+ and VLANs

Fri Dec 18, 2020 12:03 am

Oh my, wish I had read that before the purchase... My unit was shipped with SwOS 2.12.0 but VLANs still don't work: trunk ports kinda work (though DHCP does not), access ports don't work at all. Looks like the only option is to upgrade to a CSS326; however, it's a bit of an overkill for my lab ¯\_(ツ)_/¯

What are you doing MikroTik?!
 
mazay
just joined
Posts: 15
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth

Re: CSS610-8G-2S+ and VLANs

Fri Dec 18, 2020 11:53 pm

So, my setup is something like what is pictured on the diagram - https://www.dropbox.com/s/mt4itbnkif9bc ... k.png?dl=0

With this setup, the Philips Hue can't get an IP from DHCP (all DHCP servers are running on the 4011). Additionally, when a client connects to the IoT WAP it receives an IP from VLAN1. So to mitigate the above issues I temporarily disabled local forwarding in CAPsMAN and connected the Hue to one of the ports on the 4011.

I have a feeling that the issue is with VLAN1; however, as soon as I try to switch it to another ID and transfer it tagged, I lose connectivity to both the 962 and the switch (the switch IP is in the VLAN1 subnet). Still playing with the RB settings to overcome the issue; any advice will be highly appreciated.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CSS610-8G-2S+ and VLANs

Sat Dec 19, 2020 12:09 am

VLAN ID 1 is indeed tricky to use because it's implicitly used in many places, and if you don't reconfigure it as required, it can mess things up in various unexpected ways.

Post a config export (output of at least /interface export) so we can see exactly what you currently have, and we'll advise changes (for the better).
 
mazay
just joined
Posts: 15
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth

Re: CSS610-8G-2S+ and VLANs

Sat Dec 19, 2020 12:28 am

Sure, part of the config for RB4011:
/interface bridge
add name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=CSS610
set [ find default-name=ether2 ] comment=MBP
set [ find default-name=ether3 ] comment=RPi4
set [ find default-name=ether4 ] comment=Desktop
set [ find default-name=ether7 ] comment="thr-2920x enp4s0"
set [ find default-name=ether8 ] comment="thr-2920x enp6s0" mac-address=C4:AD:34:DB:8A:9D
set [ find default-name=ether9 ] comment="Poweredge T30 enp4s0f0"
set [ find default-name=ether10 ] comment="Poweredge T30 enp4s0f1" mac-address=C4:AD:34:DB:8A:9F poe-out=off
/interface vlan
add interface=bridge-local name=br-vlan20 vlan-id=20
add interface=bridge-local name=br-vlan21 vlan-id=21
add interface=bridge-local name=br-vlan111 vlan-id=111
/interface bonding
add mode=802.3ad name=bonding-thr-2920x slaves=ether7,ether8
add mode=802.3ad name=bonding-tr30 slaves=ether9,ether10
/interface list
add name=RESTRICTED_LAN
/interface bridge port
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local disabled=yes interface=ether5
add bridge=bridge-local interface=ether6 pvid=20
add bridge=bridge-local interface=bonding-tr30
add bridge=bridge-local interface=bonding-thr-2920x
/interface bridge vlan
add bridge=bridge-local comment="Servers VLAN" tagged=ether1,ether2,ether3,bridge-local,bonding-tr30,bonding-thr-2920x untagged=br-vlan111 vlan-ids=111
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether1,ether2 vlan-ids=20
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether1,ether2,bonding-thr-2920x vlan-ids=21
add bridge=bridge-local comment="ProxMox Comms" tagged=bonding-thr-2920x,bonding-tr30 vlan-ids=50
/interface list member
add interface=br-vlan20 list=RESTRICTED_LAN
add interface=br-vlan21 list=RESTRICTED_LAN

And RB962:
/interface bridge
add admin-mac=CC:2D:E0:B5:2D:B2 auto-mac=no name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Internet speed=100Mbps
set [ find default-name=ether2 ] comment="QNAP eth0" speed=100Mbps
set [ find default-name=ether3 ] comment="QNAP eth1" mac-address=CC:2D:E0:B5:2D:B2 speed=100Mbps
set [ find default-name=ether4 ] comment="Philips HUE" speed=100Mbps
set [ find default-name=ether5 ] comment=RB4011 poe-out=off speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=bridge-local name=br-vlan20 vlan-id=20
add interface=bridge-local name=br-vlan21 vlan-id=21
add interface=bridge-local name=br-vlan111 vlan-id=111
/interface bonding
add disabled=yes mode=802.3ad name=bonding-qnap slaves=ether2,ether3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WAN-IPV6
/interface bridge port
add bridge=bridge-local interface=ether4 pvid=20
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=bonding-qnap
/interface bridge vlan
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether5 untagged=ether3 vlan-ids=20
add bridge=bridge-local comment="Servers VLAN" tagged=bridge-local,bonding-qnap,ether5 vlan-ids=111
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether5 vlan-ids=21
/interface list member
add interface=bridge-local list=LAN
add interface=ether1 list=WAN
 
mazay
just joined
Posts: 15
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth

Re: CSS610-8G-2S+ and VLANs

Sat Dec 19, 2020 12:35 am

Heh, just realised my 962 acts really weird: no 5GHz interface listed and auto-negotiation shows incorrect results on all ports.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CSS610-8G-2S+ and VLANs

Sat Dec 19, 2020 12:51 am

One problem is this config line on RB4011:

/interface bridge vlan
add bridge=bridge-local comment="Servers VLAN" \
tagged=ether1,ether2,ether3,bridge-local,bonding-tr30,bonding-thr-2920x \
untagged=br-vlan111 \
vlan-ids=111

You should never enumerate VLAN interfaces (created in /interface vlan) as members of the bridge they're based on.
Imagine a VLAN interface as a two-way pipe with one tagged and one untagged end. The pipe either strips the VLAN tag from a packet (when traversing from the tagged towards the untagged end) or adds a VLAN tag to a packet (when traversing from the untagged towards the tagged end). When you create the VLAN interface, you anchor the tagged end to the underlying interface (and a bridge is implicitly an interface as well; in this case you're using the interface personality of the bridge). Later on, when you refer to the VLAN interface, you're referring to its untagged end.

So when you added the VLAN interface as an untagged port to the bridge, you created a loop between VLAN 111 and the untagged "vlan", which is not what you want.

The config of RB962 seems fine to me.

We'd have to see the rest of the config (both units) to judge whether the L2 setup makes sense for the rest of the setup (e.g. which interfaces have DHCP servers enabled, how addressing is done, etc.).
 
mazay
just joined
Posts: 15
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth

Re: CSS610-8G-2S+ and VLANs

Sat Dec 19, 2020 1:10 am

Good catch, that's a leftover from some of my experiments; I was trying to move a VLAN interface to another physical interface.

RB4011:
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2437,2462 name=2.4ghz-channel tx-power=16
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XX frequency=5180,5260,5500,5660,5745 name=5ghz-channel tx-power=22
/interface bridge
add name=bridge-ikev2
add name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=CSS610
set [ find default-name=ether2 ] comment=MBP
set [ find default-name=ether3 ] comment=RPi4
set [ find default-name=ether4 ] comment=Desktop
set [ find default-name=ether7 ] comment="thr-2920x enp4s0"
set [ find default-name=ether8 ] comment="thr-2920x enp6s0" mac-address=C4:AD:34:DB:8A:9D
set [ find default-name=ether9 ] comment="Poweredge T30 enp4s0f0"
set [ find default-name=ether10 ] comment="Poweredge T30 enp4s0f1" mac-address=C4:AD:34:DB:8A:9F poe-out=off
/interface vlan
add interface=bridge-local name=br-vlan20 vlan-id=20
add interface=bridge-local name=br-vlan21 vlan-id=21
add interface=bridge-local name=br-vlan111 vlan-id=111
add interface=bridge-local name=br-vlan1000 vlan-id=1000
/interface bonding
add mode=802.3ad name=bonding-thr-2920x slaves=ether7,ether8
add mode=802.3ad name=bonding-tr30 slaves=ether9,ether10
/caps-man datapath
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=yes name=datapath-local
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=no name=datapath-iot vlan-id=20 vlan-mode=use-tag
add bridge=bridge-local client-to-client-forwarding=no local-forwarding=no name=datapath-guest vlan-id=21 vlan-mode=use-tag
/caps-man rates
add basic=12Mbps name=2.4ghz-rates supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=wifi-local passphrase=******
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=wifi-iot passphrase=******
add disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=wifi-guest
/caps-man configuration
add channel=2.4ghz-channel country=poland datapath=datapath-local distance=dynamic hw-protection-mode=rts-cts mode=ap multicast-helper=full name=2.4ghz-wifi-local rates=2.4ghz-rates rx-chains=0,1,2,3 security=\
    wifi-local ssid=Wi-Fi tx-chains=0,1,2,3
add channel=5ghz-channel country=poland datapath=datapath-local distance=dynamic hw-protection-mode=rts-cts mode=ap multicast-helper=full name=5ghz-wifi-local rx-chains=0,1,2,3 security=wifi-local ssid=Wi-Fi \
    tx-chains=0,1,2,3
add channel=2.4ghz-channel country=poland datapath=datapath-iot distance=dynamic hide-ssid=yes hw-protection-mode=rts-cts mode=ap multicast-helper=full name=2.4ghz-wifi-iot rates=2.4ghz-rates rx-chains=0,1,2,3 \
    security=wifi-iot ssid=IoT tx-chains=0,1,2,3
add channel=5ghz-channel country=poland datapath=datapath-iot distance=dynamic hide-ssid=yes hw-protection-mode=rts-cts mode=ap multicast-helper=full name=5ghz-wifi-iot rx-chains=0,1,2,3 security=wifi-iot ssid=IoT \
    tx-chains=0,1,2,3
add channel=2.4ghz-channel country=poland datapath=datapath-guest distance=dynamic hw-protection-mode=rts-cts mode=ap multicast-helper=full name=2.4ghz-wifi-guest rates=2.4ghz-rates rx-chains=0,1,2,3 security=\
    wifi-guest ssid="Wi-Fi Guest" tx-chains=0,1,2,3
add channel=5ghz-channel country=poland datapath=datapath-guest distance=dynamic hw-protection-mode=rts-cts mode=ap multicast-helper=full name=5ghz-wifi-guest rx-chains=0,1,2,3 security=wifi-guest ssid="Wi-Fi Guest" \
    tx-chains=0,1,2,3
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=RESTRICTED_LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-pool-iot ranges=172.16.20.1-172.16.20.200
add name=dhcp-pool-guest ranges=172.16.21.1-172.16.21.200
add name=dhcp-pool-servers-111 ranges=172.16.111.0-172.16.111.99
add name=dhcp-pool-local ranges=10.113.121.150-10.113.121.199
add name=ikev2-pool ranges=172.16.86.1-172.16.86.253
/ip dhcp-server
add address-pool=dhcp-pool-iot disabled=no interface=br-vlan20 lease-time=30m name=dhcp-iot
add address-pool=dhcp-pool-guest disabled=no interface=br-vlan21 lease-time=30m name=dhcp-guest
add address-pool=dhcp-pool-servers-111 disabled=no interface=br-vlan111 lease-time=30m name=dhcp-servers-111
add address-pool=dhcp-pool-local disabled=no interface=bridge-local lease-time=30m name=dhcp-local
/queue type
add kind=pcq name=PCQ-Down pcq-classifier=dst-address pcq-limit=100KiB
add kind=pcq name=PCQ-Up pcq-classifier=src-address pcq-limit=100KiB
/queue simple
add limit-at=10M/40M max-limit=10M/40M name="Guest network limit" priority=1/1 queue=PCQ-Up/PCQ-Down target=br-vlan21 total-queue=default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
set 3 remote=198.51.100.11
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=2.4ghz-wifi-local name-format=prefix-identity name-prefix=2G slave-configurations=2.4ghz-wifi-iot,2.4ghz-wifi-guest
add action=create-dynamic-enabled hw-supported-modes=ac,an master-configuration=5ghz-wifi-local name-format=prefix-identity name-prefix=5G slave-configurations=5ghz-wifi-iot,5ghz-wifi-guest
/interface bridge port
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local disabled=yes interface=ether5
add bridge=bridge-local interface=ether6 pvid=20
add bridge=bridge-local interface=bonding-tr30
add bridge=bridge-local interface=bonding-thr-2920x
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge-local comment="Servers VLAN" tagged=ether1,ether2,ether3,bridge-local,bonding-tr30,bonding-thr-2920x vlan-ids=111
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether1,ether2 vlan-ids=20
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether1,ether2,bonding-thr-2920x vlan-ids=21
add bridge=bridge-local comment="ProxMox Comms" tagged=bonding-thr-2920x,bonding-tr30 vlan-ids=50
/interface ethernet switch vlan
add independent-learning=no ports=ether1 switch=switch1 vlan-id=20
/interface list member
add interface=br-vlan20 list=RESTRICTED_LAN
add interface=br-vlan21 list=RESTRICTED_LAN
/ip address
add address=10.113.121.254/24 comment="Local NET" interface=bridge-local network=10.113.121.0
add address=172.16.89.4/24 comment="MGMT subnet" interface=bridge-local network=172.16.89.0
add address=172.16.20.254/24 comment="IoT network" interface=br-vlan20 network=172.16.20.0
add address=172.16.21.254/24 comment="Guest network" interface=br-vlan21 network=172.16.21.0
add address=172.16.111.254/24 comment="Servers VLAN" interface=br-vlan111 network=172.16.111.0
/ip dhcp-client
add comment=WAN disabled=no interface=br-vlan1000
/ip dhcp-server network
add address=10.113.121.0/24 comment="Local network" dns-server=198.51.100.5 domain=yottacloud.org gateway=10.113.121.14 netmask=24 ntp-server=10.113.121.254
add address=172.16.20.0/24 comment="IoT network" dns-server=172.16.20.254 gateway=172.16.20.254 ntp-server=172.16.20.254
add address=172.16.21.0/24 comment="Guest network" dns-server=198.51.100.5 gateway=172.16.21.254 ntp-server=172.16.21.254
add address=172.16.111.0/24 boot-file-name=pxelinux.0 comment="Servers VLAN" dns-server=172.16.111.254 gateway=172.16.111.254 next-server=172.16.111.201 ntp-server=172.16.111.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=172.16.21.0/24 list=Guest
add address=172.16.20.0/24 list=IoT
add address=172.16.20.0/24 list=Not-Local
add address=172.16.21.0/24 list=Not-Local
add address=10.113.121.0/24 list=Local-NET
add address=172.16.89.0/24 list=Local-NET
add address=198.51.100.0/24 list=Local-NET
add address=10.0.3.0/24 list=Local-NET
add address=10.0.5.0/24 list=Local-NET
add address=172.16.86.0/24 list=IKEv2
add address=172.16.10.0/24 list=Local-NET
add address=172.16.111.0/24 list=Local-NET
/ip firewall filter
add action=drop chain=input comment="Drop invalid input connections" connection-state=invalid in-interface-list=RESTRICTED_LAN
add action=accept chain=input comment="Accept established input connections" connection-state=established,related in-interface-list=RESTRICTED_LAN
add action=accept chain=input src-address=172.16.86.0/24
add action=accept chain=input comment=IKEv2 dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Accept DNS requests from IoT network" dst-port=53 in-interface=br-vlan20 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=br-vlan20 protocol=udp
add action=accept chain=input comment="Accept incoming NTP connections from IoT network" dst-port=123 in-interface=br-vlan20 protocol=udp
add action=accept chain=input comment="Accept DHCP connections" dst-port=67 in-interface=br-vlan21 protocol=udp
add action=accept chain=input dst-port=67 in-interface=br-vlan20 protocol=udp
add action=drop chain=input comment="Drop incoming connections from IoT and Guest networks" in-interface-list=RESTRICTED_LAN
add action=drop chain=forward comment="Drop invalid forward connections" connection-state=invalid in-interface-list=RESTRICTED_LAN
add action=accept chain=forward comment=IKEv2 ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward src-address=172.16.86.0/24
add action=accept chain=forward comment="Accept established forward connections" connection-state=established,related in-interface-list=RESTRICTED_LAN
add action=accept chain=forward comment="Accept DNS connections from Guest network" dst-address=198.51.100.6 dst-port=53 in-interface=br-vlan21 protocol=tcp
add action=accept chain=forward dst-address=198.51.100.5 dst-port=53 in-interface=br-vlan21 protocol=udp
add action=accept chain=forward comment="Accept all the rest forward connections from IoT and Guest networks" dst-address-list=!Local-NET in-interface-list=RESTRICTED_LAN
add action=drop chain=forward comment="Drop connections to the Local NET from IoT and Guest networks" in-interface-list=RESTRICTED_LAN
/ip route
add distance=1 gateway=10.113.121.14
/routing bgp peer
add address-families=ip,ipv6 in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB962 out-filter=AS100000-bgp-out remote-address=172.16.89.1 remote-as=100000 ttl=default
add in-filter=AS64500-bgp-in name=MatalLB1 out-filter=AS64500-bgp-out remote-address=10.113.121.210 remote-as=64500 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB2 out-filter=AS64500-bgp-out remote-address=10.113.121.211 remote-as=64500 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB3 out-filter=AS64500-bgp-out remote-address=10.113.121.212 remote-as=64500 ttl=default
add address-families=ip,ipv6 disabled=yes in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB2011 out-filter=AS100000-bgp-out remote-address=172.16.89.3 remote-as=100000 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB4 out-filter=AS64500-bgp-out remote-address=10.113.121.220 remote-as=64500 ttl=default
add disabled=yes in-filter=AS64500-bgp-in name=MetalLB5 out-filter=AS64500-bgp-out remote-address=10.113.121.213 remote-as=64500 ttl=default
add address-families=ip,ipv6 in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB941 out-filter=AS100000-bgp-out remote-address=172.16.89.2 remote-as=100000 ttl=default
/routing filter
add action=discard chain=AS64500-bgp-in prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-in prefix=198.51.100.0/24
add action=accept chain=AS64500-bgp-in
add action=accept chain=AS64500-bgp-out prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS64500-bgp-out
add action=accept chain=AS100000-bgp-in
add action=discard chain=AS100000-bgp-out prefix=10.113.121.0/24
add action=discard chain=AS100000-bgp-out prefix=172.16.89.0/24
add action=discard chain=AS100000-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS100000-bgp-out prefix=2001:470:71:562::/64
add action=accept chain=AS100000-bgp-out
add action=discard chain=AS64500-bgp-in prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-in prefix=198.51.100.0/24
add action=accept chain=AS64500-bgp-in
add action=accept chain=AS64500-bgp-out prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS64500-bgp-out
add action=accept chain=AS100000-bgp-in
add action=discard chain=AS100000-bgp-out prefix=10.113.121.0/24
add action=discard chain=AS100000-bgp-out prefix=172.16.89.0/24
add action=discard chain=AS100000-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS100000-bgp-out prefix=2001:470:71:562::/64
add action=accept chain=AS100000-bgp-out
/snmp
set trap-generators=interfaces,start-trap
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB4011
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
set 0 action=remote
set 1 action=remote
set 2 action=remote
set 3 action=remote
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=216.239.35.8
/system ntp server
set enabled=yes
/system package update
set channel=long-term

RB962:
/interface bridge
add admin-mac=CC:2D:E0:B5:2D:B2 auto-mac=no name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Internet speed=100Mbps
set [ find default-name=ether2 ] comment="QNAP eth0" speed=100Mbps
set [ find default-name=ether3 ] comment="QNAP eth1" mac-address=CC:2D:E0:B5:2D:B2 speed=100Mbps
set [ find default-name=ether4 ] comment="Philips HUE" speed=100Mbps
set [ find default-name=ether5 ] comment=RB4011 poe-out=off speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=bridge-local name=br-vlan20 vlan-id=20
add interface=bridge-local name=br-vlan21 vlan-id=21
add interface=bridge-local name=br-vlan111 vlan-id=111
/interface bonding
add disabled=yes mode=802.3ad name=bonding-qnap slaves=ether2,ether3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
set 3 remote=198.51.100.11
/interface bridge port
add bridge=bridge-local interface=ether4 pvid=20
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=bonding-qnap
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether5 untagged=ether3 vlan-ids=20
add bridge=bridge-local comment="Servers VLAN" tagged=bridge-local,bonding-qnap,ether5 vlan-ids=111
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether5 vlan-ids=21
/interface list member
add interface=bridge-local list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.113.121.14/24 interface=bridge-local network=10.113.121.0
add address=172.16.89.1/24 interface=bridge-local network=172.16.89.0
/ip dhcp-client
add comment=WAN disabled=no interface=ether1
add add-default-route=no disabled=no interface=br-vlan20
add add-default-route=no disabled=no interface=br-vlan111
/ip dhcp-relay
add add-relay-info=yes dhcp-server=10.113.121.254 disabled=no interface=bridge-local local-address=10.113.121.14 name=local-net relay-info-remote-id=10.113.121.14
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="*** Connections to router *** Allow L2TP connections" port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=QNAP dst-port=80,443,8080 in-interface-list=WAN protocol=tcp to-addresses=10.113.121.201
add action=dst-nat chain=dstnat comment=IKEv2 dst-port=500,4500 in-interface-list=WAN protocol=udp to-addresses=10.113.121.254
add action=dst-nat chain=dstnat ipsec-policy=in,ipsec to-addresses=10.113.121.254
add action=dst-nat chain=dstnat comment="Public ingress" disabled=yes dst-port=30000 in-interface-list=WAN protocol=tcp to-addresses=198.51.100.0
add action=dst-nat chain=dstnat comment="adguard udp" disabled=yes dst-port=53 in-interface-list=WAN protocol=udp to-addresses=198.51.100.5
add action=dst-nat chain=dstnat comment="adguard tcp" disabled=yes dst-port=53 in-interface-list=WAN protocol=tcp to-addresses=198.51.100.6
/ip route
add comment="QNAP Docker" distance=1 dst-address=10.0.3.0/24 gateway=10.113.121.201
add comment="QNAP Docker" distance=1 dst-address=10.0.5.0/24 gateway=10.113.121.201
/routing bgp peer
add in-filter=AS64500-bgp-in name=MatalLB1 out-filter=AS64500-bgp-out remote-address=10.113.121.210 remote-as=64500 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB2 out-filter=AS64500-bgp-out remote-address=10.113.121.211 remote-as=64500 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB3 out-filter=AS64500-bgp-out remote-address=10.113.121.212 remote-as=64500 ttl=default
add address-families=ip,ipv6 disabled=yes in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB2011 out-filter=AS100000-bgp-out remote-address=172.16.89.3 remote-as=100000 ttl=default
add address-families=ip,ipv6 in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB4011 out-filter=AS100000-bgp-out remote-address=172.16.89.4 remote-as=100000 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB4 out-filter=AS64500-bgp-out remote-address=10.113.121.220 remote-as=64500 ttl=default
add disabled=yes in-filter=AS64500-bgp-in name=MetalLB5 out-filter=AS64500-bgp-out remote-address=10.113.121.213 remote-as=64500 ttl=default
add address-families=ip,ipv6 in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB941 out-filter=AS100000-bgp-out remote-address=172.16.89.2 remote-as=100000 ttl=default
/routing filter
add action=discard chain=AS64500-bgp-in prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-in prefix=198.51.100.0/24
add action=accept chain=AS64500-bgp-in
add action=accept chain=AS64500-bgp-out prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS64500-bgp-out
add action=discard chain=AS100000-bgp-in prefix=2001:470:71:562::/64
add action=accept chain=AS100000-bgp-in
add action=discard chain=AS100000-bgp-out prefix=10.113.121.0/24
add action=discard chain=AS100000-bgp-out prefix=172.16.89.0/24
add action=discard chain=AS100000-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS100000-bgp-out prefix=2001:470:70:562::/64
add action=discard chain=AS100000-bgp-out prefix=2001:470:71:562::/64
add action=accept chain=AS100000-bgp-out
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB962
/system logging
set 0 action=remote
set 1 action=remote
set 2 action=remote
set 3 action=remote
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=216.239.35.8
/system ntp server
set enabled=yes
/system package update
set channel=long-term
/system watchdog
set ping-start-after-boot=15m watch-address=8.8.8.8
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CSS610-8G-2S+ and VLANs

Sat Dec 19, 2020 7:18 pm

Other than setting in /interface ethernet switch vlan (which on RB4011 likely doesn't work anyway) I don't see anything in RB4011 config which would cause IoT devices to get IP address from wrong subnet. So my suspect is CSS config for this one.

My approach is this: when I need VLANs, then any link between LAN devices is a trunk (no untagged is allowed). This way it's easier to get VLANs right and the chance of packets bleeding from one VLAN to another is lower.
 
mazay
just joined
Posts: 15
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth
Contact:

Re: CSS610-8G-2S+ and VLANs

Sat Dec 19, 2020 9:43 pm

Yep, I'll try to switch to trunk ports, thanks for checking anyway.

Just in case, my CSS settings:
https://www.dropbox.com/s/osumvq6vipki9 ... 4.png?dl=0
https://www.dropbox.com/s/u6kn75jqpicjn ... 4.png?dl=0

I've tried playing with VLAN Mode for HUE port, any possible variants give the same results, clearly should go with trunk port for RBs.
 
mazay
just joined
Posts: 15
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth
Contact:

Re: CSS610-8G-2S+ and VLANs

Sun Dec 20, 2020 3:02 pm

mkx thanks a lot for your help, it works now. :)

The confusing part is that access ports do not work with strict VLAN mode, will test afterwards if I can plug into that port and successfully communicate with some VLAN which is not in the table for that port.

My current setup looks like that - https://www.dropbox.com/s/wjvgiss6llpgg ... w.png?dl=0

And RB configs (only bridge settings changed).

RB4011:
/interface bridge
add name=bridge-ikev2
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-local vlan-filtering=yes
/interface bridge port
add bridge=bridge-local frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-local interface=ether2 pvid=3121
add bridge=bridge-local interface=ether3 pvid=3121
add bridge=bridge-local interface=ether4 pvid=3121
add bridge=bridge-local disabled=yes interface=ether5
add bridge=bridge-local interface=ether6 pvid=20
add bridge=bridge-local interface=bonding-tr30 pvid=3121
add bridge=bridge-local interface=bonding-thr-2920x pvid=3121
/interface bridge vlan
add bridge=bridge-local comment="Servers VLAN" tagged=ether1,ether2,ether3,bridge-local,bonding-tr30,bonding-thr-2920x vlan-ids=111
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether1,ether2 vlan-ids=20
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether1,ether2,bonding-thr-2920x vlan-ids=21
add bridge=bridge-local comment="ProxMox Comms" tagged=bonding-thr-2920x,bonding-tr30 vlan-ids=50
add bridge=bridge-local comment="WAN VLAN" tagged=bridge-local vlan-ids=1000
add bridge=bridge-local comment="Local NET VLAN" tagged=bridge-local,ether1 untagged=bonding-thr-2920x,bonding-tr30,ether2,ether3,ether4 vlan-ids=3121
RB962:
/interface bridge
add admin-mac=CC:2D:E0:B5:2D:B2 auto-mac=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-local vlan-filtering=yes
/interface bridge port
add bridge=bridge-local frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5 pvid=3121
add bridge=bridge-local interface=sfp1
/interface bridge vlan
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether5 vlan-ids=20
add bridge=bridge-local comment="Servers VLAN" tagged=bridge-local,ether5 vlan-ids=111
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether5 vlan-ids=21
add bridge=bridge-local comment="Local NET VLAN" tagged=bridge-local,ether5 vlan-ids=3121

Now I'm wondering if I will be able to set up 10G trunk between RB4011 and CSS610 using S+RJ10, the description says I need "MikroTik device with active cooling" while both of my devices are cooled passively. :)
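A small consistency checker for bridge exports like the RB4011 one above, added here as an illustration (not code from the thread or from MikroTik): it parses the `/interface bridge port` and `/interface bridge vlan` lines and reports the cases mkx's all-trunk rule is meant to avoid: hybrid ports that mix tagged and untagged membership, trunks that still admit untagged frames, and a pvid with no explicit untagged entry (RouterOS adds a dynamic entry for that, so the last finding is advisory). The sample export is constructed to mirror the posted config.

```python
import shlex
from collections import defaultdict

# Constructed sample in RouterOS export form, modelled on the RB4011 bridge section above.
RB4011_EXPORT = """\
/interface bridge port
add bridge=bridge-local frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-local interface=ether2 pvid=3121
add bridge=bridge-local interface=ether6 pvid=20
/interface bridge vlan
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether1,ether2 vlan-ids=20
add bridge=bridge-local comment="Local NET VLAN" tagged=bridge-local,ether1 untagged=ether2 vlan-ids=3121
"""

def parse_export(text):
    """Group 'add key=value ...' lines under their '/section' header."""
    sections, current = defaultdict(list), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:   # shlex keeps quoted values such as comment="IoT VLAN" whole
            sections[current].append(dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:]))
    return sections

def port_membership(sections):
    """Per bridge port: pvid, tagged/untagged VLAN sets, and whether untagged frames are admitted."""
    ports = {}
    for p in sections["/interface bridge port"]:
        ports[p["interface"]] = {"pvid": int(p.get("pvid", 1)), "tagged": set(), "untagged": set(),
                                 "admits_untagged": p.get("frame-types", "admit-all") != "admit-only-vlan-tagged"}
    for v in sections["/interface bridge vlan"]:
        for role in ("tagged", "untagged"):
            for member in filter(None, v.get(role, "").split(",")):
                if member in ports:   # bridge-local (the CPU port) has no bridge port entry, so it is skipped
                    ports[member][role] |= {int(x) for x in v["vlan-ids"].split(",")}
    return ports

def audit(ports):
    """Flag the membership patterns that make VLAN leakage more likely on a RouterOS bridge."""
    findings = []
    for name, p in sorted(ports.items()):
        if p["tagged"] and p["untagged"]:
            findings.append(f"{name}: hybrid port, tagged {sorted(p['tagged'])} + untagged {sorted(p['untagged'])}")
        elif p["tagged"] and p["admits_untagged"]:
            findings.append(f"{name}: trunk still admits untagged frames into pvid {p['pvid']}")
        if p["admits_untagged"] and p["pvid"] not in p["untagged"]:
            findings.append(f"{name}: pvid {p['pvid']} is not declared untagged in any bridge vlan entry")
    return findings
```

Run `audit(port_membership(parse_export(RB4011_EXPORT)))` against a real `/export` to get the same report for your own bridge.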
 
mazay
just joined
Posts: 15
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth
Contact:

Re: CSS610-8G-2S+ and VLANs

Sun Dec 20, 2020 9:13 pm

Improved RB962 performance by using switch chip VLAN table:
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-local vlan-filtering=no
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether5 switch=switch1 vlan-id=20
add independent-learning=yes ports=switch1-cpu,ether5 switch=switch1 vlan-id=21
add independent-learning=yes ports=switch1-cpu,ether5 switch=switch1 vlan-id=3121

Sorry for flood guys. :)
 
nannou9
Frequent Visitor
Posts: 65
Joined: Tue Nov 10, 2020 9:56 pm

Re: CSS610-8G-2S+ and VLANs

Tue Jan 05, 2021 12:52 am

I am on 2.13rc5, followed support response steps in one of the first posts.
I am getting 96% packet loss with vlans.
I can't wait anymore, I need vlans.
Is there any update from MikroTik please?
Any newer rc build? It can’t be any worse for me.
I will be forced to order different hardware within days if no answer.
 
mazay
just joined
Posts: 15
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth
Contact:

Re: CSS610-8G-2S+ and VLANs

Tue Jan 05, 2021 9:25 am

I am on 2.13rc5, followed support response steps in one of the first posts.
I am getting 96% packet loss with vlans.
I can't wait anymore, I need vlans.
Is there any update from MikroTik please?
Any newer rc build? It can’t be any worse for me.
I will be forced to order different hardware within days if no answer.
Hi nannou9, it's a community forum. Please consider reaching out to MKRT support - https://mikrotik.com/support
 
nannou9
Frequent Visitor
Posts: 65
Joined: Tue Nov 10, 2020 9:56 pm

Re: CSS610-8G-2S+ and VLANs

Wed Jan 06, 2021 1:01 am

Got it finally working. But tbh not sure why the problem with packet loss suddenly went away. Let's assume user error.
 
JJT211
Frequent Visitor
Posts: 55
Joined: Sun Apr 28, 2019 9:01 pm

Re: CSS610-8G-2S+ and VLANs

Wed Jan 06, 2021 8:31 am

I am on 2.13rc5, followed support response steps in one of the first posts.
I am getting 96% packet loss with vlans.
I can't wait anymore, I need vlans.
Is there any update from MikroTik please?
Any newer rc build? It can’t be any worse for me.
I will be forced to order different hardware within days if no answer.
Apparently there's an RC6 version out. I just contacted support, I'll pass on the firmware when I get it. I'm using the Netpower 7R
 
rooneybuk
Frequent Visitor
Posts: 92
Joined: Fri Feb 20, 2015 12:09 pm

Re: CSS610-8G-2S+ and VLANs

Thu Feb 18, 2021 5:34 pm

This worked for me FYI

Disabling "Add Information Option"
