Vlan on 6.41RC need help to understand how it works.

Jotne · Tue Nov 14, 2017 11:08 pm

VLAN on 6.41RC

I am working with Cisco, worked with HP, so have a good knowlede on how VLAN works.
But on Mikrotik, I do not get the hang of it, so I ask for help.

Hardware.
RB 941-2nD
or
RB 750G v3

Software.
6.41RC (latest)

Here is the setting I would like to implement.

Vlan RB.jpg

eth1 ouside, nat, dhcp
eth2 vlan1 untagged
eth3 vlan2 untagged
eth4 vlan1 untagged, vlan2 tagged

vlan1 192.168.1.0/24
vlan2 192.168.2.0/24

Optional
Wifi SSID:home net Vlan1
Wifi SSID:guest net Vlan2

If someone would be kind post the minimum setup to get this to work, I would be happy.

Jotne · Fri Nov 17, 2017 8:39 am

Is this so complicated that no one does not know how to do it.
In Cisco this is simple.
My post is a basic layout, so it would also help other to get a solution for this.

Any other have problem with this?

docmarius · Fri Nov 17, 2017 8:45 am

Maybe it is to simple

- add a VLAN interface with VLAN ID 2 to eth4, call it vlan2
- create 2 bridges
- add ports eth2 and eth4 to bridge1
- add ports eth3 and vlan2 to bridge2
done.

To allow routing, treat each bridge as your actual inside interfaces:
- configure eth1 to your liking (dhcp)
- assign the needed IPs to the bridge interfaces (not the eth)
- add a masquerade nat for eth1
- add a forward established/related accept filter for incoming eth1 (or just an accept to allow incoming traffic forward)
- add forward accept rules from each bridge to eth1

Jotne · Fri Nov 17, 2017 11:19 pm

Thanks, now I am nearly there.

I have two network, net1 and net2. net1 is vlan1 and net2 is vlan2
They have both DHCP, Nat etc.
Connecting a PC to port 2 gives net1 and port3 gives net2

So now I only miss the tagged part of vlan2 to go out eth4

Here is how I did it.

In menu Bridge->Bridge:
Rename original bridge to bridge1
bridge1 has pvid 1
bridge2 created equal to bridge1, except pvid is set to 2

In menu Bridge->Ports
ether2 -> bridge1
ether3 -> bridge2
ether4 -> bridge1
wifi1 -> bridge1

In menu Interfaces -> VLAN
vlan2-> VLAN ID:2 -> Interface:bridge2

In menu IP->Pools
pool_vlan1 192.168.1.10-255
pool_vlan2 192.168.2.10-255

In menu IP->Addresses
bridge1 -> 192.168.1.1/24
bridge1 -> 192.168.2.1/24

In menu DHCP Server DHCP
net1 -> bridge1 ->

What I still miss:
1. How to add vlan2 tagged to eth4?
2. How to add a second Wifi to Vlan2?
If I go to wireless menu and click add, I get three options Virtual, WDS, Nstreme Dual.
Noen of them give me a new Wireless

Need step by step help....

dancsa · Sat Nov 18, 2017 1:09 am

I don't want to interrupt but if we talking about the new RCs, why not use the shiny new vlan aware bridges? I find that more understandable if one used anything switchlike, and if it's on a hardware with good switch chip we can enjoy the hw offload

-you can create one bridge let's say br1 with vlan-filtering=yes
-you add the ports to br1 with /interface bridge port add and set PVID=untagged_vlan_id (you
/interface bridge vlan add vlan-ids=1 bridge=br1 untagged=etherX,etherZ
/interface bridge vlan add vlan-ids=2 bridge=br1 untagged=etherY tagged=etherZ

this is how you can configure easily the L2 stuff,
if you want to bring up the package to L3, you need to add the br1 to that vlan as tagged, ie:
/interface bridge vlan add vlan-ids=1 bridge=br1 untagged=etherX,etherZ tagged=br1
/interface bridge vlan add vlan-ids=2 bridge=br1 untagged=etherY tagged=etherZ,br1
and add vlan interface (like in your favorite or 2nd favorite routing os)
/interface vlan add name=vlanX interface=br1 vlan-id=X <--- you can do whatever you want with this interface, assign IP, run dhcp, it's like a vlan ip interface in cisco

Also you may or may not want to use vlan1 unless you doing something special. I learnt the hard way that each vendor handles differently the default vlan.

docmarius · Sat Nov 18, 2017 1:41 am

...
In menu Interfaces -> VLAN
vlan2-> VLAN ID:2 -> Interface:bridge2
...

You need to add vlan2 to interface eth4, not to the bridge!

The interfaces hierarchy:

eth1 - untagged/no vlan
eth2 - untagged/no vlan
eth3 - untagged/no vlan
eth4 - untagged/no vlan
  |
   -- vlan2 tagged/vlan id 2

the bridges:

bridge1: eth2, eth4
bridge2: eth3, vlan2

You need to understand that inside the bridges, your traffic is untagged and has no vlan id.
On incoming packets, the vlan2 interface will extract tagged 2 traffic from eth4 and offer it as untagged traffic to the router. All the rest of the traffic (in your case untagged) will remain on eth4. On outgoing traffic, the packets exiting the router via interface vlan2 will be tagged with id2 and sent via eth4.

sid5632 · Sat Nov 18, 2017 3:29 am

I don't want to interrupt but if we talking about the new RCs, why not use the shiny new vlan aware bridges? I find that more understandable if one used anything switchlike, and if it's on a hardware with good switch chip we can enjoy the hw offload

Because hardware offload doesn't work on the RB 941-2nD and RB 750G v3 once you enable VLAN filtering.
The only way of doing this properly on these devices is on the switch chip. Anything else is going to kill performance.
The ONLY device that works with this new bridge/VLAN stuff is the CRS326 - and that doesn't have very good reports as yet - the hardware was released way before the software is finished.
Overall it's rather a poor effort, which effectively leaves no usable devices at the current time.

dancsa · Sat Nov 18, 2017 10:32 am

I have a some CRS326, and yeah we had issues, but with RC50+ it seems to work (we still have some STP issue, which I'll try to recreate on clean env if i have time).
I just said, even if there is no HW offload, it's easier to config, maybe more logical for a cisco-person.

Jotne · Sun Nov 19, 2017 7:47 pm

@sid5632

Thanks for you help, but still I am not able to get the trunk to work.

Port4 on the Microtik is connected to a Cisco Switch, port 7.

sh run int Fa0/7
interface FastEthernet0/7
 switchport mode trunk
end

Then on Port 6 on the Cisco, I have a test PC (It works fine on port 3 on Mikrotik, connceted to bridge , getting IP 192.168.2.xxx

sh run int Fa0/6
interface FastEthernet0/6
 switchport access vlan 2
end

cisco is correct, that am I 100% sure of.

Here is the VLAN, that I have mapped to eth4

/interface vlan
add interface=ether4 name=vlan2-eth4 vlan-id=2

So here are my question.
Why does it not work?
If I have more interface that I need to have VLAN 2 tagger, it should be like this?

/interface vlan
add interface=ether5 name=vlan2-eth5 vlan-id=2

In bridge2, should vlan filtering be enabled?
In bridge2, should pvid be set to 2 (vlan 2)?

Jotne · Sun Nov 19, 2017 7:48 pm

@sid5632

Thanks for you help, but still I am not able to get the trunk to work.

Port4 on the Microtik is connected to a Cisco Switch, port 7.

Cisco

sh run int Fa0/7
interface FastEthernet0/7
 switchport mode trunk
end

Then on Port 6 on the Cisco, I have a test PC (It works fine on port 3 on Mikrotik, connceted to bridge , getting IP 192.168.2.xxx

sh run int Fa0/6
interface FastEthernet0/6
 switchport access vlan 2
end

cisco is correct, that am I 100% sure of.

Here is the VLAN, that I have mapped to eth4

/interface vlan
add interface=ether4 name=vlan2-eth4 vlan-id=2

Here is the Bridge config.

/interface bridge
add admin-mac=64:D1:54:05:82:36 auto-mac=no name=bridge1
add fast-forward=no name=bridge2 pvid=2
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge2 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge2 interface=Wifi1

So here are my question.
Why does it not work?
If I have more interface that I need to have VLAN 2 tagger, it should be like this?

/interface vlan
add interface=ether5 name=vlan2-eth5 vlan-id=2

In bridge2, should vlan filtering be enabled?
In bridge2, should pvid be set to 2 (vlan 2)?

sid5632 · Mon Nov 20, 2017 12:43 am

As I said, do VLANs on the switch chip if you want decent switching performance (certainly on the 941 anyway).
Here is something that should get you going. First the L2 stuff:

/interface bridge
add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4

/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether4 switch=switch1
add ports=switch1-cpu,ether3,ether4 switch=switch1 vlan-id=2

/interface ethernet switch port
set 1 vlan-header=always-strip vlan-mode=secure
set 2 vlan-header=always-strip vlan-mode=secure default-vlan-id=2
set 3 vlan-mode=secure

And then, the L3 stuff:

/interface vlan
add interface=bridge1 name=vlan2 vlan-id=2

/ip
add address=192.168.1.254/24 interface=bridge1 network=192.168.1.0
add address=192.168.2.254/24 interface=vlan2 network=192.168.2.0

Obviously you change your subnets as appropriate.

This seems to work on my 941-2Nd. I don't have a 750Gr3, but it should work as far as I know.

nickerpick · Tue Nov 21, 2017 6:55 am

Here is the Bridge config.

/interface bridge
add admin-mac=64:D1:54:05:82:36 auto-mac=no name=bridge1
add fast-forward=no name=bridge2 pvid=2
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge2 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge2 interface=Wifi1

Add your interface vlan2-eth4 to bridge2 and it should work.

Vlan on 6.41RC need help to understand how it works.

Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Re: Vlan on 6.41RC need help to understand how it works.

Who is online