bridge-vlan-10 --- (IP configuration) ether1 ---tagged--- vlan-eth1-10 ---tagless--- | ether2 ---tagged--- vlan-eth1-10 ---tagless--- | ether3 ---tagged--- vlan-eth1-10 ---tagless--- | bridge-vlan-20 --- (IP configuration) ether1 ---tagged--- vlan-eth1-20 ---tagless--- | ether2 ---tagged--- vlan-eth1-20 ---tagless--- | ether3 ---tagged--- vlan-eth1-30 ---tagless--- | bridge-vlan-30 --- (IP configuration) ether1 ---tagged--- vlan-eth1-30 ---tagless--- | ether2 ---tagged--- vlan-eth1-30 ---tagless--- | ether3 ---tagged--- vlan-eth1-30 ---tagless--- |So in total you spend 9 /interface vlan and 3 /interface bridge, and you cannot have hybrid ports because if a physical interface is a member port of a bridge, it cannot at the same time serve as a carrier interface for an /interface vlan.
bridge-all-vlans ether1 ----------------tagged----------------- | ---tagged--- vlan-10 ---tagless--- (IP configuration) ether2 ----------------tagged----------------- | ---tagged--- vlan-20 ---tagless--- (IP configuration) ether3 ----------------tagged----------------- | ---tagged--- vlan-30 ---tagless--- (IP configuration)So you spend just 1 /interface bridge and 3 /interface vlan for the same result, plus you can use MSTP, plus you can specify a pvid (aka default VLAN ID) for each port, so you can use hybrid ports.
Correct. BTW, I've just noticed today that the name vlan-filtering is a bit misleading (at least to date), because if you want the port to really filter by VLAN ID, you have to set ingress-filtering in both /interface bridge port and /interface bridge to yes, and you cannot actually set filtering on egress. Which has quite surprised me when analyzing whether some other device uses an individual MAC address table for each VLAN or a common one - I've found the Mikrotik to both accept in and foward out an ARP request tagged with a particular VLAN ID through a port on which that VLAN was not permitted. By setting ingress-filtering to yes I could get rid of the loop (STP was intentionally off), but it still means that tagged broadcast frames (e.g. generated internally on /interface vlan) are sent out even via ports on which the VLAN is not permitted.So if I understand correctly, you need to tell two places that a port uses untagged vlan.
Eks VLAN 20
1. You set PVID 20 for Bridge/Port connecting ether2 and Bridge_all
2. Using Bridge/VLAN add a connection vlan VLAN 20 to Bridge_all and set VLAN 20 as untagged for ether2
Mostly to emphasize the interaction between the pvid of the /interface bridge itself and of /interface bridge port. So if you want to avoid surprisingly surprising surprises, make sure that you set the pvid of /interface bridge to a VID which is not used anywhere else Plus if you don't specify a pvid, the default is 1 at both places, which makes people here (me included) avoid using VLAN 1 in general.Why do you set PVID=1 for Bridge_all when VLAN 1 is not mention anywher in you whole configuration?
What is expressly prohibited isSo even if this is not correct, it does work.
Just bear in mind that you're asking a fellow forum user, not a Mikrotik insider.@sindy
So my question is:
Yes, except that, as you've found out yourself, it is not easy to mix together in 2D a network topology diagram with configuration item overview where two configuration items need to be set in accord so that a node in the network topology would operate correctly. I'm talking here about the /interface bridge port (interface, pvid) and /interface bridge vlan (untagged,vlan-ids) tuples which have to match so that the magic would happen.1. Does it look correctly?
Because Flexibility is Mikrotik's second name? Basically there is no reason why it should not be possible to use several independent bridges as long as everything is done in software anyway, and in some cases it may prove useful to have several independent bridges with some VLAN IDs existing on more than one bridge without leaking between each other.2. Why do we have the possibility to use more than one Bridge, when we can do it all with one?
It is the old way to do it before VLAN-aware bridging was introduced in 6.41, and it is still possible and in some cases necessary to do it that way. Both old and new ways are documented, so it is a matter of choice.3. MikroTiks example here: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN do use multiple Bridges (bridge-vlan200,bridge-vlan300 etc). Its more like my first post Is this the old way to do it? Also video on Youtube use multiple Bridges: https://www.youtube.com/watch?v=sdyWKOXMjwY
4. What is pluss and minus with the two different approach?
I'm afraid it is not a question for me but for Mikrotik and Google. The most clicked search results get offered higher in the list, which makes them most clicked, which makes them... unless someone actively prevents that.5. Why does not MikroTik update their pages so we know what to use? I did a google search for MikroTik and VLAN and this comes up as hit #1
I'm afraid that this is exactly one of the cases where you have to combine the approaches. Both methods of tagging/untagging (/interface bridge port pvid with /interface bridge vlan on one hand and /interface vlan on the other) handle only one tag at a time (although reportedly, until recently there was a bug removing all tags in a single step).6. How to handle Q-in-Q with the Bridge/VLAN solution?
To be precise, you don't add an IP to a VLAN, you add it to an interface whose media layer is incidentally a VLAN. So yes, unless you use firewall rules preventing that, any "connected subnet" (which is any subnet which contains an IP address assigned to a local interface) is included into routing automatically. But here we are getting into the L3 universe, so it is irrelevant whether old or new way of configuring VLANs is used.7. Since I add IP to an VLAN, it will automatically do routing with other VLAN that has IP, correct?
8. I do need to use FW to block if I would like to prevent some data from one VLAN to another VLAN?
You may, but then google will return both and people will get confused again. I'd recommend to edit the original post of this topic with a link to the one which has the most up to date version.I may start a new thread with some good graphical example, since edit this may be complicated with alle the comments.
I strongly prefer to split the layers. The first, simpler one should show how it works and how the executive elements are linked together, and another one should add the translation of that information into configuration elements and their parameters. As you cannot post pictures with layers which could be enabled and disabled, I'd post one picture with only the network topology layer and another one with both.If you look at the last drawing everything should be self explained.
Start reading from here, there is also something regarding the switch chips.Then the last topic, hardware switching. How does it connects all this together?? (Switch Chip Features)
Not easy to post a visible drawing, but I think I can convert Visio that I am using to PDF with layer.As you cannot post pictures with layers which could be enabled and disabled, I'd post one picture with only the network topology layer and another one with both.
add name=bridge-all-vlans vlan-filtering=yes pvid=1
/interface bridge add admin-mac=6C:3B:6B:AA:34:3F auto-mac=no name=Bridge1 protocol-mode=none /interface ethernet set [ find default-name=ether1 ] name=ether1-Wan set [ find default-name=ether2 ] name=ether2-Cisco set [ find default-name=ether4 ] name=ether4-Server1 set [ find default-name=ether5 ] name=ether5-Server2 /interface vlan add interface=Bridge1 name=Tag20->Bridge1 vlan-id=20 /interface list add exclude=dynamic name=discover add name=mactel add name=mac-winbox /interface bridge port add bridge=Bridge1 interface=ether3 pvid=20 add bridge=Bridge1 interface=ether4-Server1 add bridge=Bridge1 interface=ether5-Server2 add bridge=Bridge1 interface=ether2-Cisco /interface bridge vlan add bridge=Bridge1 tagged=ether2-Cisco untagged=ether3 vlan-ids=20 /interface list member add interface=Bridge1 list=discover add interface=ether3 list=discover add interface=ether4-Server1 list=discover add interface=ether5-Server2 list=discover add list=discover add interface=Bridge1 list=mactel
/interface bridge vlan add bridge=Bridge1 tagged=ether2-Cisco untagged=ether3 vlan-ids=20
/interface bridge vlan add bridge=Bridge1 tagged=ether2-C3560CX,Bridge1 untagged=ether3 vlan-ids=20
/interface bridge add admin-mac=6C:3B:6B:AA:34:3F auto-mac=no name=Bridge1 protocol-mode=none
/interface bridge add admin-mac=6C:3B:6B:88:34:3F auto-mac=no name=Bridge1 protocol-mode=none vlan-filtering=yes
Are you sure it really does? Without vlan-filtering=yes, the tagging/untagging on interfaces does not work. So in your case:It seems to work fine without the last changes, so did I break some with it?
This is an advantage if you care about vlan filtering as such, i.e. when you want to drop ingress frames whose VID is not permitted on the ingress port. If you don't, frames tagged with any VID are forwarded between all member ports of a bridge if vlan-filtering=no.With Bridge/VLAN you can specify ranges of VLAN like this:
The same exercise is needed when configuring RB running ROS if that RB is to be used as smart switch. Not that I would recommend that since HW offload is disabled and all traffic is dealt with by CPU.I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port.
As I said, the two routers are only used as routers. All switch functions are handled by the CSS326.The same exercise is needed when configuring RB running ROS if that RB is to be used as smart switch. Not that I would recommend that since HW offload is disabled and all traffic is dealt with by CPU.I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port.
IMO, the biggest improvement -- performance wise -- that MikroTik could add to [RouterOS] for the hEX and for hAPac2 is to to incorporate fq_codel and/or WireGuardI use routers EXCLUSIVELY as routers and switches as switches.
Each port of my routers is either a single LAN or a VLAN trunk port.
Never does any LAN or VLAN appear on more than one physical port.
Each port in turn connects to a port of a managed switch (CSS326-24G-2S).
/ip dhcp-server add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10 add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20
/interface vlan add interface=ether1 name=VLAN10 vlan-id=10 add interface=ether1 name=VLAN20 vlan-id=20 /ip address add address=192.168.10.1/24 interface=VLAN10 add address=192.168.20.1/24 interface=VLAN20 /ip pool add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254 add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254 /ip dhcp-server add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10 add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20 /ip dhcp-server network add address=192.168.10.0/24 dns-server=184.108.40.206 gateway=192.168.10.1 add address=192.168.20.0/24 dns-server=220.127.116.11 gateway=192.168.20.1
/interface vlan add interface="wlan2 - 5g" name="VL 201 Guest" vlan-id=201 add interface="wlan2 - 5g" name="VL 202 Fam" vlan-id=202 add interface="wlan2 - 5g" name="VL 203 Kids" vlan-id=203 add interface="wlan2 - 5g" name="VL 204 Office" vlan-id=204 add interface="wlan2 - 5g" name="VL 205 Staff" vlan-id=205 /ip address add address=192.168.88.1/24 comment="Default Config" interface=ether2-master network=192.168.88.0 add address=192.168.201.1/24 interface="VL 201 Guest" network=192.168.201.0 add address=192.168.202.1/24 interface="VL 202 Fam" network=192.168.202.0 add address=192.168.203.1/24 interface="VL 203 Kids" network=192.168.203.0 add address=192.168.204.1/24 interface="VL 204 Office" network=192.168.204.0 add address=192.168.205.1/24 interface="VL 205 Staff" network=192.168.205.0 /ip pool add name="Pool - Default" ranges=192.168.88.100-192.168.88.199 add name="Pool - 201 Guest" ranges=192.168.201.100-192.168.201.199 add name="Pool - 202 Fam" ranges=192.168.202.100-192.168.202.199 add name="Pool - 203 Kids" ranges=192.168.203.100-192.168.203.199 add name="Pool - 204 Office" ranges=192.168.204.100-192.168.204.199 add name="Pool - 205 Staff" ranges=192.168.205.100-192.168.205.199 /ip dhcp-server add address-pool="Pool - Default" disabled=no interface=bridge1 name="DHCP Server 1 - Default" add address-pool="Pool - 202 Fam" interface="VL 202 Fam" name="DHCP Server 2 - Fam" add address-pool="Pool - 201 Guest" interface="VL 201 Guest" name="DHCP Server 3 - Guest" add address-pool="Pool - 203 Kids" interface="VL 203 Kids" name="DHCP Server 4 - Kids" add address-pool="Pool - 204 Office" interface="VL 204 Office" name="DHCP Server 5 - Office" add address-pool="Pool - 205 Staff" interface="VL 205 Staff" name="DHCP Server 7 - Staff" /ip dhcp-server network add address=192.168.88.0/24 comment="Default Config" dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24 add address=192.168.201.0/24 gateway=192.168.201.1 netmask=24 add address=192.168.202.0/24 gateway=192.168.202.1 netmask=24 add address=192.168.203.0/24 gateway=192.168.203.1 netmask=24 add address=192.168.204.0/24 gateway=192.168.204.1 netmask=24 add address=192.168.205.0/24 gateway=192.168.205.1 netmask=24 /interface bridge port add bridge=bridge1 comment="Default Config" interface=ether2-master add bridge=bridge1 comment="Default Config" interface="wlan1 - 2.4g" add bridge=bridge1 comment="Default Config" interface="wlan2 - 5g" add bridge=bridge1 interface=ether3 add bridge=bridge1 interface=ether4 add bridge=bridge1 interface=ether5 add bridge=bridge1 interface="VL 201 Guest" add bridge=bridge1 interface="VL 202 Fam" add bridge=bridge1 interface="VL 203 Kids" add bridge=bridge1 interface="VL 204 Office" add bridge=bridge1 interface="VL 205 Staff" /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
add bridge=bridge1 interface="VL 201 Guest" add bridge=bridge1 interface="VL 202 Fam" add bridge=bridge1 interface="VL 203 Kids" add bridge=bridge1 interface="VL 204 Office" add bridge=bridge1 interface="VL 205 Staff"
Amen to that brother, and keeps the family from tearing strips of ones hide!!Using the Safe Mode button in Winbox/WebGUI or Ctrl-X in CLI lowers the levels of adrenaline very significantly.
@Jotne uses Visio. Others use ASCII art (and lots of imagination)How do people create pretty network diagrams?
- the cable between box-1 and box-2 would have vlan-less, untagged traffic for normal users, and vlan-50-tagged traffic for guest users?
- is possible to have box-1 do DHCP for guest users? (seems the intuitive choice to me)
- how does box-2 tag and route 192.168.50.0/24 traffic to box-1?
I pretty much have a similar setup.Also checking in as someone who is struggling to get VLANs working.
My use-case is trying to isolate traffic from a virtual wireless interface, with separate box for WAN.
I'm confused about "vlan interfaces" and bridge vlan filtering. I thought "vlan interfaces" are the old-school way of doing things and bridge vlan filtering is what we're supposed to use instead?
- how does box-2 tag and route 192.168.50.0/24 traffic to box-1?
- It doesn't route, it uses VLAN tags, switch makes sure packets arrive at desired destination. To make it work, VAP needs to be tagged and the trunk port towards box-2 as well (in addition to untagged). On box-2, trunk port towards box-1 needs same config as trunk port on box-1, then box-1 needs a vlan interface for tagged traffic ... which is where L3 routing/firewalling starts to happen. And DHCP server for guest VLAN (if you kept it on box-1, that one would need a vlan interface as well, with IP address from guest address space, etc.)
OK, I guess this explains why I need a "vlan interface" and why I don't add it to bridge ports.A "vlan interface" can be seen as a virtual switch/bridge port which untags frames as it receives them from the bridge and tags them as it sends them to the bridge. So it is necessary for L3 access to its respective VLAN in both the "old school" and "new school" approach.
However, in the "old school" approach, there was no way to control which ports of a bridge can be used for ingress and egress of particular VLAN, so if you wanted to do that, you needed to use one bridge per VLAN, attach one vlan interface to each Ethernet interface on which that VLAN should be permitted to egress and ingress, and bridge the tagless sides of the vlan interfaces. With the "new school", you only need vlan interface for the L3 access to the VLAN; membership of Ethernet ports of the same bridge in individual VLANs can be controlled using vlan filtering.
/interface bridge port add bridge=bridge interface=ether1 #and all other LAN ports /interface bridge vlan add bridge=bridge tagged=ether1,bridge vlan-ids=50 /interface vlan add name=guest-vlan interface=bridge vlan-id=50 /interface bridge set [ find name=bridge ] vlan-filtering=yes
/ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=Guest-mark passthrough=yes src-address=192.168.50.0/24 add action=mark-routing chain=prerouting connection-mark=Guest-mark new-routing-mark=Guest-mark passthrough=yes /ip route add distance=1 dst-address=192.168.50.0/24 gateway=Guest-vlan routing-mark=Guest-mark
On the guest-internet issue, after some searching I came across a technique someone posted that used firewall mangle rules to set a 'connection-mark' and 'routing-mark' on the way out, so that the replies could be corrected routed/forwarded matching the same mark on arrival from the internet:
/interface vlan add interface=bridge name=vlan-40 vlan-id=40 add interface=bridge name=vlan-41 vlan-id=41 add interface=bridge name=vlan-42 vlan-id=42 /interface list member add interface=vlan-40 list=IPTV add interface=vlan-41 list=guest add interface=vlan-42 list=LAN add interface=pppoe1-out list=WAN /ip firewall filter # The first one takes care about "return" traffic ... masqueraded on the way out add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=accept chain=forward comment="allow connections from guest to WAN" in-interface-list=guest out-interface-list=WAN add action=drop chain=forward comment="drop connections from guest to anywhere else" in-interface-list=guest add action=accept chain=forward comment="allow connections from IPTV to WAN" in-interface-list=IPTV out-interface-list=WAN add action=drop chain=forward comment="drop connections from IPTV to anywhere else" in-interface-list=IPTV add action=drop chain=forward comment="drop connections from MGMT to WAN" in-interface-list=MGMT out-interface-list=WAN /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
Was thinking about that but decided to do it like this in case I decide to allow some other cross connectivity. But yes, your suggestion has its merits.Why not
allow LAN to WAN
allow VLANX to WAN
drop all else
Ahh yes, to handle that I make up different ip firewall address lists and add those to existing rules with the concept that players and devices may change but the rules are generally more static.Was thinking about that but decided to do it like this in case I decide to allow some other cross connectivity. But yes, your suggestion has its merits.Why not
allow LAN to WAN
allow VLANX to WAN
drop all else
I have only just understood what you actually meant by this. The only point of the new VLAN filtering method is to specifically allow hardware switching on a bridge interface. Only useful when you want to create a layer 2 bridge for VLANS on different hardware ports, as in a managed switch. There is no benefit in this outside of using ports on your router like a switch without involving the CPU. i.e. doing the job of a managed switch. So I might as well revert to having my VLANS as slaves to my hardware port, where I can firewall them by interface rather than just IP, let my router be a router...Yes, thank you both for the education. I didn't really need it, but it was interesting. I have a different solution. I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port. Never does any LAN or VLAN appear on more than one physical port. Each port in turn connects to a port of a managed switch (CSS326-24G-2S).