add name="vlan1" mtu=1500 arp=enabled vlan-id=101 interface=ether1 comment="" disabled=no
add name="vlan2" mtu=1500 arp=enabled vlan-id=102 interface=ether1 comment="" disabled=no
add name="vlan3" mtu=1500 arp=enabled vlan-id=103 interface=ether1 comment="" disabled=no
/ interface bridge
add name="sm" mtu=1500 arp=enabled stp=no priority=32768 ageing-time=5m forward-delay=15s \
garbage-collection-interval=4s hello-time=2s max-message-age=20s comment="" disabled=no
/ interface bridge port
add interface=vlan1 bridge=sm priority=128 path-cost=10 comment="" disabled=no
add interface=vlan2 bridge=sm priority=128 path-cost=10 comment="" disabled=no
add interface=vlan3 bridge=sm priority=128 path-cost=10 comment="" disabled=no
/ interface bridge broute
add chain=brouting in-interface=vlan1 in-bridge=sm action=accept comment="" disabled=yes
/ ip address
add address=192.168.1.221/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether2 comment="" \
disabled=no
add address=192.168.11.1/24 network=192.168.11.0 broadcast=192.168.11.255 interface=ether1 comment="" \
disabled=no
add address=192.168.5.1/24 network=192.168.5.0 broadcast=192.168.5.255 interface=sm comment="" disabled=no
The whole point of vlans is to keep traffic separate. Once you bridge it then you're back to no vlans pretty much. You might as well not use vlans - if you're simply looking for a way to monitor / queue traffic then do it using IP addresses.
And besides, why would bridging vlans be a problem?
[-----bridge$vlan1] --- [AP] ----- [Canopy SM1$]----- [customer1]
[MT-bridge$vlan2] --- [AP] ----- [Canopy SM2$]----- [customer2]
[-----bridge$vlan3] --- [AP] ----- [Canopy SM3$]----- [customer3]
Doesn't "bridge" mean that ARP is rebroadcast over to all members of the bridge?
but on different L2 networks ... doesn't work that way. The connection is sporadic because once their ARP entry times out then connectivity is gone. I'm surprised it even works at all.
Thank you Sten,
You might actually not have to do proxy-arp since the kernel will reply arp for *any* ip on the router on *any* broadcast interface.
In 2.9.x you need to add a small unofficial address subnet for each vlan and then route the public ip to the local address on the router.
In 3.x you can route the host route out on the interface itself, forgoing that unofficial subnet. (At least that is what I read in the changelog) - a feature I can't wait to use for myself.
I like the vlans too, for many reasons. I am not using v8 yet on the canopy equipment, but I will look into that too.
Doing it right from the start, in my opinion, is to use a separate VLAN per customer and use IP subnetting.
/ int bridge add name=loopback
/ ip address add address=123.0.0.1/32 interface=loopback
/ int vlan add name=vlan2 vlan-id=2 interface=ether2 arp=proxy-arp
/ int vlan add name=vlan3 vlan-id=3 interface=ether2 arp=proxy-arp
/ int vlan add name=vlan4 vlan-id=4 interface=ether2 arp=proxy-arp
/ ip route add dst-address=123.0.0.2/32 gateway=vlan2
/ ip route add dst-address=123.0.0.3/32 gateway=vlan3
/ ip route add dst-address=123.0.0.4/32 gateway=vlan4
Sten, did you actually try this and it worked?
Imagine a clean router and your public ip subnet is 123.0.0.0/24
/ int bridge add name=loopback
/ ip address add address=123.0.0.1/32 interface=loopback
/ int vlan add name=vlan2 vlan-id=2 interface=ether2 arp=proxy-arp
/ int vlan add name=vlan3 vlan-id=3 interface=ether2 arp=proxy-arp
/ int vlan add name=vlan4 vlan-id=4 interface=ether2 arp=proxy-arp
/ ip address add address=10.0.2.1/30 interface=vlan2
/ ip address add address=10.0.3.1/30 interface=vlan3
/ ip address add address=10.0.4.1/30 interface=vlan4
/ ip route add dst-address=123.0.0.2/32 gateway=10.0.2.1
/ ip route add dst-address=123.0.0.3/32 gateway=10.0.3.1
/ ip route add dst-address=123.0.0.4/32 gateway=10.0.4.1
Now connect your computer on vlan2 and set ip address 123.0.0.2/24 with default gateway 123.0.0.1.
Connect additional test computer on vlan3 and set ip address 123.0.0.3/24 with default gateway 123.0.0.1
Slightly different setup.
Sten, did you actually try this and it worked?
Not really.
Is it the proxy-arp that makes it work?
No particular difference in effect for what you are trying to achieve, but slightly different side effects.
My question is, why does the loopback device have a mask of /32 and what would happen if it were to be /24?
/ int vlan add name=vlan2 vlan-id=2 interface=ether2 arp=proxy-arp
/ int vlan add name=vlan2 vlan-id=2 interface=ether2 arp=enabled
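Added example (not part of the thread, and not RouterOS code): a small Python model of the ARP decisions in the /32 host-route setup discussed above, showing why customers configured with a /24 mask reach each other only through the router when the VLAN has `arp=proxy-arp`, and not at all with `arp=enabled`. It assumes Linux-style proxy ARP (answer when the target is routed out a different interface than the one the request arrived on); the function and variable names are hypothetical.

```python
import ipaddress

# Constructed model of the thread's router: the loopback bridge holds the
# gateway address, and each customer VLAN carries one /32 host route.
LOCAL_ADDRS = {ipaddress.ip_address("123.0.0.1")}
ROUTES = [  # (destination, outgoing interface)
    (ipaddress.ip_network("123.0.0.2/32"), "vlan2"),
    (ipaddress.ip_network("123.0.0.3/32"), "vlan3"),
    (ipaddress.ip_network("123.0.0.4/32"), "vlan4"),
]


def route_lookup(ip):
    """Longest-prefix match; returns the outgoing interface or None."""
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if ip in net]
    return max(matches)[1] if matches else None


def arp_answer(in_iface, target, arp_mode):
    """Return 'local', 'proxy' or None for an ARP request seen on in_iface."""
    ip = ipaddress.ip_address(target)
    if arp_mode == "disabled":
        return None
    # The router answers for its own addresses on any interface
    # (the behaviour described in the thread for the gateway address).
    if ip in LOCAL_ADDRS:
        return "local"
    # Proxy ARP (assumed Linux-style): answer only if the target is
    # routed out a different interface than the request came in on.
    if arp_mode == "proxy-arp":
        out_iface = route_lookup(ip)
        if out_iface is not None and out_iface != in_iface:
            return "proxy"
    return None


if __name__ == "__main__":
    # Customer on vlan2 (123.0.0.2/24) ARPs for gateway, neighbour, itself.
    for mode in ("proxy-arp", "enabled"):
        for target in ("123.0.0.1", "123.0.0.3", "123.0.0.2", "123.0.0.9"):
            print(mode, target, arp_answer("vlan2", target, mode))
```

With `proxy-arp`, the neighbour's address resolves to the router, so inter-customer traffic crosses the router's firewall and queues instead of being switched at layer 2.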