Scenario, RouterBOARD 962 setup as wifi router. ether1 is WAN, ether2-ether5 is bridged for LAN. Device connected downstream to one of the LAN ports on the RB962 needs to be able to communicate over VLAN 500 to the providers upstream router that ether1 is connected to. the RB962 only needs to function as a switch for VLAN 500 passing the tagged traffic to the downstream device, while maintaining full routing control for all other traffic.
Upstream router, 10.10.10.1/24, VLAN 500 10.200.200.1/24
RouterBOARD 962, ether1 10.10.10.20/24, LAN 192.168.88.1/24
Downstream Device ether1 VLAN 500 10.200.200.20/24
Any thoughts on the best & simplest way to achieve this? For performance reasons I'd prefer to have it handled entirely within the switch chip if possible, with nothing touching the CPU.
-
-
BrianHiggins
Forum Veteran
- Posts: 702
- Joined:
- Location: Norwalk, CT
- Contact:
Re: VLAN Switching
The configuration of the bridge and the switch chip is heavily interlinked so you'll have to add ether1 to the common bridge with vlan-filtering set to yes, use an unassigned VLAN ID for the WAN interface (say, 3333) and set ether1 as a hybrid port with "default vlan" 3333 and VLAN 500 permitted on it, and the interface to which that special client will be connected (say, ether2) as a hybrid port with "default vlan" 1 and VLAN 500 permitted on it.
Then, you'll have to use the /interface ethernet switch port and /interface ethernet switch vlan menus to "replicate" the settings in /interface bridge port and /interface bridge vlan.
So connect the PC from which you configure the box to one of the ports which will remain normal LAN ones, and set something like the following:
/interface vlan add name=wan-vlan vlan-id=3333
/interface list member add list=WAN interface=wan-vlan
Now move the WAN IP configuration (/ip address or /ip dhcp-client) from ether1 to wan-vlan; by that step you break the connectivity to internet via ether1.
Continue by
/interface bridge port add bridge=bridge interface=ether1 pvid=3333 hw=yes
/interface bridge vlan
add bridge=bridge vlan-ids=1 tagged=bridge untagged=ether2,ether3,ether4,ether5
add bridge=bridge vlan-ids=500 tagged=ether1,ether2
add bridge=bridge vlan-ids=3333 tagged=bridge,ether1
now press Ctrl-X to actvate safe mode, and then issue /interface bridge set bridge vlan-filtering=yes protocol-mode=none
If you don't lose the management connection, you should also re-gain internet access at this step. If so, you can deactivate the safe mode to store this intermediate result, and continue by setting up the switch chip for hardware forwarding:
/interface ethernet switch vlan
add switch=switch1 vlan-id=0 ports=switch1-cpu,ether2,ether3,ether4,ether5
add switch=switch1 vlan-id=500 ports=ether1,ether2
add switch=switch1 vlan-id=3333 ports=switch1-cpu,ether1
/interface ethernet switch port
set ether1 default-vlan-id=3333 vlan-mode=secure
Now activate safe mode again before the following step:
set ether2,ether3,ether4,ether5 defaut-vlan-id=0 vlan-mode=secure
If your management connection survives this step, you can switch off safe mode an you're done.
If not, something has changed in handling of VID 1 and VID 0 between the chip and the CPU since the time I did something like this the last time a couple of RouterOS versions ago.
Then, you'll have to use the /interface ethernet switch port and /interface ethernet switch vlan menus to "replicate" the settings in /interface bridge port and /interface bridge vlan.
So connect the PC from which you configure the box to one of the ports which will remain normal LAN ones, and set something like the following:
/interface vlan add name=wan-vlan vlan-id=3333
/interface list member add list=WAN interface=wan-vlan
Now move the WAN IP configuration (/ip address or /ip dhcp-client) from ether1 to wan-vlan; by that step you break the connectivity to internet via ether1.
Continue by
/interface bridge port add bridge=bridge interface=ether1 pvid=3333 hw=yes
/interface bridge vlan
add bridge=bridge vlan-ids=1 tagged=bridge untagged=ether2,ether3,ether4,ether5
add bridge=bridge vlan-ids=500 tagged=ether1,ether2
add bridge=bridge vlan-ids=3333 tagged=bridge,ether1
now press Ctrl-X to actvate safe mode, and then issue /interface bridge set bridge vlan-filtering=yes protocol-mode=none
If you don't lose the management connection, you should also re-gain internet access at this step. If so, you can deactivate the safe mode to store this intermediate result, and continue by setting up the switch chip for hardware forwarding:
/interface ethernet switch vlan
add switch=switch1 vlan-id=0 ports=switch1-cpu,ether2,ether3,ether4,ether5
add switch=switch1 vlan-id=500 ports=ether1,ether2
add switch=switch1 vlan-id=3333 ports=switch1-cpu,ether1
/interface ethernet switch port
set ether1 default-vlan-id=3333 vlan-mode=secure
Now activate safe mode again before the following step:
set ether2,ether3,ether4,ether5 defaut-vlan-id=0 vlan-mode=secure
If your management connection survives this step, you can switch off safe mode an you're done.
If not, something has changed in handling of VID 1 and VID 0 between the chip and the CPU since the time I did something like this the last time a couple of RouterOS versions ago.