yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

multiples vlan on 1 router

Tue Mar 01, 2016 9:18 am

I have tried to create two VLANs, 10 and 20, on an RB951G, but I think it's not working. After I configured them, vlan10 and vlan20 can still ping each other. Did I do something wrong?
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU
 0  R  ether1                              ether            1500  1598       2028
 1  RS ether2                              ether            1500  1598       2028
 2   S ether3                              ether            1500  1598       2028
 3   S ether4                              ether            1500  1598       2028
 4   S ether5                              ether            1500  1598       2028
 5  R  wlan1                               wlan             1500  1600
 6  R  bridge1                             bridge           1500  1594
 7  R  bridge2                             bridge           1500  1586
 8  RS vlan10                              vlan             1500  1590
 9  RS vlan20                              vlan             1500  1582
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   10.0.0.1/24        10.0.0.0        vlan10                                   
 1 D 172.16.10.253/24   172.16.10.0     ether1                                   
 2   20.0.0.1/24        20.0.0.0        vlan20   
Flags: X - disabled, R - running, S - slave 
 #    NAME                     MTU ARP        VLAN-ID INTERFACE                  
 0 R  vlan10                  1500 enabled         10 bridge1                    
 1 R  vlan20                  1500 enabled         20 bridge2
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE               BRIDGE               PRIORITY  PATH-COST    HORIZON
 0    ether2                  bridge1                  0x80         10       none
 1 I  ether3                  bridge1                  0x80         10       none
 2 I  ether4                  bridge2                  0x80         10       none
 3    vlan10                  bridge1                  0x80         10       none
 4    vlan20                  bridge2                  0x80         10       none
 5 I  ether5                  bridge2                  0x80         10       none
I tried to add firewall rules, but it still did not work.
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

 1    chain=forward action=accept out-interface=ether1 log=no log-prefix="" 

 2    chain=forward action=drop log=no log-prefix="" 
It worked after I added this rule, but I think my VLAN config is wrong, because a host in a specific VLAN cannot communicate with a host that is a member of another VLAN.
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  chain=input action=drop src-address=10.0.0.0/24 dst-address=20.0.0.0/24 
      log=no log-prefix="" 
Thanks in advance, and sorry for my bad English.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: multiples vlan on 1 router

Tue Mar 01, 2016 10:38 am

I think in your configuration the VLANs are working, but only in tagged mode; that is, VLAN packets are tagged with the VLAN ID.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: multiples vlan on 1 router

Tue Mar 01, 2016 10:42 am

A better way to do this can be to assign a master port to each group of Ethernet ports and then give that master port the addressing of the corresponding subnet, no bridges.
 
yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

Re: multiples vlan on 1 router

Tue Mar 01, 2016 11:01 am

> I think in your configuration the VLANs are working, but only in tagged mode; that is, VLAN packets are tagged with the VLAN ID.

How do I use tagged mode? I already enabled "Use Service Tag" in the VLAN config, but it's not working.
 
yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

Re: multiples vlan on 1 router

Tue Mar 01, 2016 11:02 am

> A better way to do this can be to assign a master port to each group of Ethernet ports and then give that master port the addressing of the corresponding subnet, no bridges.

Could you be more specific, please?
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: multiples vlan on 1 router

Tue Mar 01, 2016 11:05 am

> > I think in your configuration the VLANs are working, but only in tagged mode; that is, VLAN packets are tagged with the VLAN ID.
> How do I use tagged mode? I already enabled "Use Service Tag" in the VLAN config, but it's not working.

Service tag is for QinQ VLANs, so uncheck that.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: multiples vlan on 1 router

Tue Mar 01, 2016 11:11 am

> > A better way to do this can be to assign a master port to each group of Ethernet ports and then give that master port the addressing of the corresponding subnet, no bridges.
> Could you be more specific, please?

1. no bridges

2. no vlan interfaces

3. set eth2 master port = none, eth3 master port = eth2

4. set eth4 master port = none, eth5 master port = eth4

5. set eth2 ip address 10.0.0.1/24 10.0.0.0

6. set eth4 ip address 20.0.0.1/24 20.0.0.0

If you lose WinBox access during configuration, use a MAC address connection from the Neighbors tab to recover management.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: multiples vlan on 1 router

Tue Mar 01, 2016 11:14 am

The result will be like this:

Communication between eth2 and eth3 will be at wire speed using the hardware switch, with no CPU usage.
Communication between eth4 and eth5 will be at wire speed using the hardware switch, with no CPU usage.

Communication between subnet 1 and subnet 2 will be routed by software using CPU resources.
[Attachment: IFETH.jpg]
 
yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

Re: multiples vlan on 1 router

Tue Mar 01, 2016 11:21 am

> > > I think in your configuration the VLANs are working, but only in tagged mode; that is, VLAN packets are tagged with the VLAN ID.
> > How do I use tagged mode? I already enabled "Use Service Tag" in the VLAN config, but it's not working.
>
> Service tag is for QinQ VLANs, so uncheck that.

Still not working =.=!!!
 
yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

Re: multiples vlan on 1 router

Tue Mar 01, 2016 11:22 am

> > > A better way to do this can be to assign a master port to each group of Ethernet ports and then give that master port the addressing of the corresponding subnet, no bridges.
> > Could you be more specific, please?
>
> 1. no bridges
>
> 2. no vlan interfaces
>
> 3. set eth2 master port = none, eth3 master port = eth2
>
> 4. set eth4 master port = none, eth5 master port = eth4
>
> 5. set eth2 ip address 10.0.0.1/24 10.0.0.0
>
> 6. set eth4 ip address 20.0.0.1/24 20.0.0.0
>
> If you lose WinBox access during configuration, use a MAC address connection from the Neighbors tab to recover management.

Thanks, but I want to set it up with VLANs :)
By the way, I can only set one master port at the same time. I wonder why?
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: multiples vlan on 1 router

Tue Mar 01, 2016 11:33 am

> Thanks, but I want to set it up with VLANs :)
> By the way, I can only set one master port at the same time. I wonder why?

You can have multiple master ports, but in this case only 2 because it's only a 5-port switch.

Multiple master ports are a practical and easy way to partition the switch.

To set up using VLANs you will need to leave a single master port for eth3, eth4 and eth5, configure the VLAN interface on the master port (eth2) and then configure VLAN membership on the switch chip.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: multiples vlan on 1 router

Tue Mar 01, 2016 11:39 am

Explanation of master ports and switch chip features:

http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features
 
yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

Re: multiples vlan on 1 router

Wed Mar 02, 2016 4:24 am

I tried to configure a setup like this (http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN), but when I ping from a different VLAN, it's not "time out" but "no route to host" instead. That means if I create a route they can ping each other =.=!!!
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: multiples vlan on 1 router

Wed Mar 02, 2016 6:50 am

> I tried to configure a setup like this (http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN), but when I ping from a different VLAN, it's not "time out" but "no route to host" instead. That means if I create a route they can ping each other =.=!!!

Be sure to configure the router interface address as the default gateway on the client device.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: multiples vlan on 1 router

Wed Mar 02, 2016 10:22 pm

You're thinking about VLANs a little bit incorrectly.

Your original solution was the correct one.

VLANs separate broadcast traffic from each other / block direct MAC->MAC communications. VLANs don't know what IP protocol is.
Having two VLANs is the same as having two separate physical switches.

Suppose you did have 2 separate switches - then obviously hosts in switch 1 can't talk to hosts in switch 2.

Now suppose you plug a router into switch1 on ether1 and switch2 on ether2, and suppose that hosts on each switch use the router as their default gateway. Now the hosts can talk to each other by forwarding packets through the router. That's the fundamental reason that IP was even invented in the first place - to make this work.

So - instead of using two physical interfaces and two physical switches, you've got one device, and have broken it into two LOGICAL networks, using vlans instead of switches, and vlan-interfaces instead of physical interfaces on the router plugged into two switches..... Other than that, the behavior is going to be the same. The ROUTER will forward packets from one network to the other.

It will always forward packets to the correct interface, until you tell it not to. That's what the firewall rules are for.

Now - the reason you can ping 20.0.0.1 from 10.0.0.X before adding the input firewall rule is something specific to Mikrotik / Linux IPTABLES.
It seems like the forward chain should drop this because these two IP addresses are on different interfaces. However, the 20.0.0.1 address is local to the Mikrotik - this means that packets with that destination do not get forwarded - they get sent up the local IP stack to the CPU - which goes through the INPUT chain, and not the FORWARD chain. Forward means that the packet is going to be transmitted out to some other host than the Mikrotik itself.

Even without the input rule, you would find that you could not ping 20.0.0.2 from 10.0.0.x, even though you can ping 20.0.0.1 until you add that input rule. This is a confusing behavior to new Mikrotik users, but it's completely normal. Personally, I just don't worry about it because it's still just talking to the Mikrotik the same as on 10.0.0.1 - if it really bothers you to see this, then by all means block such traffic in the input chain.
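
Added example, not part of ZeroByte's post or of the thread: a small Python model of the input/forward chain selection described above, evaluated against the filter rules listed in the first post. The routing lookup, the default accept when no rule matches, and the client addresses 10.0.0.5 and 20.0.0.2 are assumptions made for the illustration.

```python
import ipaddress

# Addresses owned by the router itself (from the address list in the first post).
LOCAL = {"10.0.0.1": "vlan10", "20.0.0.1": "vlan20", "172.16.10.253": "ether1"}
# Connected networks -> outgoing interface (simplified routing table, assumed).
ROUTES = {"10.0.0.0/24": "vlan10", "20.0.0.0/24": "vlan20", "172.16.10.0/24": "ether1"}

# Forward-chain rules as posted in the thread; first match wins.
FORWARD = [
    {"states": {"established", "related"}, "action": "accept"},
    {"out": "ether1", "action": "accept"},
    {"action": "drop"},
]
# The single input-chain rule from the thread (listed there with the X flag).
INPUT_RULE = {"src": "10.0.0.0/24", "dst": "20.0.0.0/24", "action": "drop"}

def out_interface(dst):
    """Pick the outgoing interface for a forwarded packet."""
    for net, ifname in ROUTES.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return ifname
    return "ether1"  # assumption: default route points at the uplink

def matches(rule, pkt):
    """True if every matcher present in the rule agrees with the packet."""
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    if "out" in rule and rule["out"] != pkt.get("out"):
        return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    return True

def verdict(src, dst, state="new", input_rule_enabled=False):
    """Return (chain, action) for one packet arriving at the router."""
    pkt = {"src": src, "dst": dst, "state": state}
    if dst in LOCAL:
        # Destination is the router itself: input chain, never forward.
        chain, rules = "input", ([INPUT_RULE] if input_rule_enabled else [])
    else:
        # Destination is another host: forward chain, with a routing decision.
        chain, rules = "forward", FORWARD
        pkt["out"] = out_interface(dst)
    for rule in rules:
        if matches(rule, pkt):
            return chain, rule["action"]
    return chain, "accept"  # assumption: nothing matched, packet is accepted
```

In this model, `verdict("10.0.0.5", "20.0.0.1")` lands in the input chain and is accepted, while `verdict("10.0.0.5", "20.0.0.2")` lands in the forward chain and is dropped, so isolation between the two VLANs depends on the forward rules and the input rule only governs access to the router's own addresses.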
 
yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

Re: multiples vlan on 1 router

Thu Mar 03, 2016 5:06 am

very detailed.
Thanks ZeroByte :D
