thegoop
newbie
Topic Author
Posts: 31
Joined: Mon Jan 07, 2019 7:21 am

Very simple VLAN

Wed Jul 31, 2019 9:05 pm

All - sorry for what is likely a very basic question, but I am not quite getting something right.

One of my non-MikroTik APs has two SSIDs, the Mikrotik is the router.

SSID-A is sending on VLAN ID1, whereas SSID-B is sending on VLAN ID 99. When clients connect to SSID-1, everything works great. When clients connect to VLAN ID 2, they can't see the internet or any other clients.

I feel like I am missing something very basic to "connect" these together, so VLAN 99 is getting the benefit of DHCP, DNS, access to the internet, etc. Thanks!
/interface vlan
add interface=bridge name=vlan1 vlan-id=99

/interface bridge
add admin-mac=B8:69:F4:9F:CD:ED auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=vlan1

It seems that there are at least 3 different places to put vlan-bridge mappings (in /interface vlan, /interface bridge, and /interface bridge vlan). I am confused.

Once this is working, I have a different mangle use case for those in VLAN ID 99, but I am pretty sure I know how to handle that part.

Thanks!
 
thegoop
newbie
Topic Author
Posts: 31
Joined: Mon Jan 07, 2019 7:21 am

Re: Very simple VLAN

Wed Jul 31, 2019 11:56 pm

I've been googling around and trying to read/understand the forum posts, and can maybe better articulate what would be ideal:

1. VLAN ID 99 is tagged on ingress, and I'd like it to become untagged and set with a routing-mark instead.
2. When packets are sent back (egress), I don't think it matters that they get tagged back to VLAN 99 or not (can you help me do it both ways)?

The goal here is for the packets that come into the router to look like every other packet in the router, other than the routing-mark (which is used in a variety of ways for non-tagged packets)... and that responses get sent back to the client properly (not sure if the originating source requires the VLAN tag on the way back or not...).

Thanks again.
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Very simple VLAN

Thu Aug 01, 2019 4:59 am

I believe you need to create a new bridge for the vlan and add IP and DHCP Server to the new bridge. Then change the bridge port for vlan1 to the new bridge.
/interface bridge
add name=vlan1-bridge

/interface bridge port
add bridge=vlan1-bridge interface=vlan1
The rest of your config should remain the same.
 
thegoop
newbie
Topic Author
Posts: 31
Joined: Mon Jan 07, 2019 7:21 am

Re: Very simple VLAN

Thu Aug 01, 2019 5:41 am

Thank you for the help. I'll admit to being thoroughly confused though - what's the point of having a brand new bridge with just one interface in it? Can't I accomplish the same thing by just pointing the existing DHCP server at the vlan directly?
I believe you need to create a new bridge for the vlan and add IP and DHCP Server to the new bridge. Then change the bridge port for vlan1 to the new bridge.
/interface bridge
add name=vlan1-bridge

/interface bridge port
add bridge=vlan1-bridge interface=vlan1
The rest of your config should remain the same.
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Very simple VLAN

Thu Aug 01, 2019 6:35 am

You mentioned untagging/tagging, which is why I suggested a bridge. But yes, you can put the IP and DHCP Server directly on vlan1. And you can then remove the bridge port for vlan1 as it is not needed.
 
anav
Forum Guru
Posts: 3130
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Very simple VLAN

Thu Aug 01, 2019 2:16 pm

Draw diagrams and use this link and examples as a starting point.
viewtopic.php?t=143620
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
thegoop
newbie
Topic Author
Posts: 31
Joined: Mon Jan 07, 2019 7:21 am

Re: Very simple VLAN

Thu Aug 01, 2019 4:28 pm

Thank you - great suggestion - I'll admit that I am trying to use a VLAN tag for an odd purpose, so none of the diagrams in that post are exactly what I want to do. I am not trying to separate subnets from one another, I am trying to use VLAN ID 99 packets on egress as a tag that does nothing other than set a routing mark. I can do this in the mangle rules just fine, but there is no traffic ever leaving my router on this interface.

[Image: current simplified network setup diagram]

This picture is my current simplified network setup, which works today and has no VLANS.
  • There are n (non-Mikrotik) wireless access points going to a switch that is fully bridged, then to the router.
  • This is all on the 10.10.2.0/23 subnet. Router is 10.10.2.1, Switch is 10.10.2.2.
  • DHCP setup on the Router serving addresses 10.10.3.17-10.10.3.254.
  • All local interfaces are bridged on interface "bridge".
  • ETH1 on the router is WAN, and there is an L2TP tunnel (L2TP_to_SMF) that is used as the outgoing interface for packets that have been mangled with routing-mark = to_smf.
  • Note: Each of the wireless APs sends traffic tagged as VLAN 1, but there is nothing in the switch or router that does anything with this.

Here is what I want to do:
  • I want to set up a new SSID (SSID_smf) in the wireless infrastructure that treats its clients as normal local clients (including broadcast), but uses L2TP_to_SMF as its outgoing interface.
  • The access points (non-Mikrotik) have the ability to tag packets with a VLAN ID per SSID, but no other feature to distinguish those.
  • I have configured SSID_smf to tag packets as VLAN ID 99.

What I have tried, and current situation:
  • I can see the packets arrive at the router at the L2TP_to_SMF VLAN interface.
  • I thought I could just put L2TP_to_SMF interface into the router's bridge, but clearly that is not enough.
  • I see Rx on the interface, but no Tx.

My asks:
  • Assuming we start with the current state diagram and setup, what steps would I take to have packets arriving at the router on VLAN ID = 99 act as if they were regular local clients on the same subnet, *BUT* get routing-mark=to_smf?
  • I don't know if it is important that traffic go back to the originating access point tagged as VLAN 99 or not, so it would be nice to optionally know how to make sure they are tagged as VLAN 99 on egress (yeah, I got one word!).

Thanks!
 
anav
Forum Guru
Posts: 3130
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Very simple VLAN

Thu Aug 01, 2019 8:02 pm

The first part of the post is excellent, detailing requirements of what you are trying to accomplish; however it's still too intertwined with the solution space of the router and configuration.
Divorce yourself from both the configuration and the equipment and describe what you wish to accomplish, perhaps via your services output or what you want users to be able to do or not do etc., without getting into vlans, routers, switches etc. There may actually be more efficient and easier ways to accomplish use cases with available functionality within the routerOS.
 
thegoop
newbie
Topic Author
Posts: 31
Joined: Mon Jan 07, 2019 7:21 am

Re: Very simple VLAN

Thu Aug 01, 2019 9:18 pm

Thanks - I'd fire myself for the poor requirements/posting. I appreciate you reading through and giving advice on how to clarify my request.

In my current configuration, all devices (independent of how they connect to the router) are on a single subnet 10.10.2.0/23. They can communicate with one another, and receive broadcasts. All client devices can get to the internet via the Mikrotik router (gateway 10.10.2.1, default routed to the WAN port), which also handles DHCP.

I have one special address list (clients_smf) that is routed to the internet through an L2TP tunnel (interface L2TP_to_SMF) by way of a /ip firewall mangle prerouting rule setting routing-mark=to_smf and an associated /ip route to L2TP_to_SMF.

Key configuration items that make the above work in my setup:
/interface list member
add interface=L2TP_to_SMF list=VPNs

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for VPNs" ipsec-policy=out,none \
    out-interface-list=VPNs

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!local new-routing-mark=to_SMF \
    passthrough=yes src-address-list=clients_SMF

/ip route
add check-gateway=ping distance=1 gateway=L2TP_to_SMF routing-mark=to_SMF
add distance=2 routing-mark=to_SMF type=prohibit

I'd like:
  • any client that connects to a special wireless SSID (SSID_smf) to be routed to the internet via L2TP_to_SMF instead of the WAN port
  • the local connectivity for these clients should remain unchanged, so they can still communicate with one another

Problem: My wireless APs are not Mikrotik, and each serves up multiple SSIDs. The only way I can see to distinguish these clients on the Mikrotik router is to use the AP's feature to set a different VLAN ID on a per SSID basis (let's call SSID_smf's VLAN ID = 99).

So, for these clients/packets that come in on VLAN ID = 99, how can I setup RouterOS to:
  • keep their local connectivity as if they were on the main network with all other clients - it would be nice if they used the same DHCP server as the other clients, but not required
  • use L2TP_to_SMF as their internet gateway (instead of the default WAN interface) - it would be nice if it happened via a routing-mark=to_smf, but this is not required
  • optionally have any packets related to those that come in on VLAN ID = 99 go out on VLAN ID = 99 as well - I don't know if the originating AP is going to care or not

Thanks!
 
CZFan
Forum Guru
Posts: 1441
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Very simple VLAN

Thu Aug 01, 2019 11:40 pm

Not sure if information is missing, or maybe I don't fully understand the requirements, but if you have an address list of source IPs, then these are already distinguished on the Mikrotik, so why the need to complicate things with VLANs?

All that's then needed is policy based routing on the source address list to go via the VPN?
MTCNA, MTCTCE, MTCRE & MTCINE
 
thegoop
newbie
Topic Author
Posts: 31
Joined: Mon Jan 07, 2019 7:21 am

Re: Very simple VLAN

Thu Aug 01, 2019 11:50 pm

Not sure if information is missing, or maybe I don't fully understand the requirements, but if you have an address list of source IPs, then these are already distinguished on the Mikrotik, so why the need to complicate things with VLANs?

All that's then needed is policy based routing on the source address list to go via the VPN?
You are right, we have a list of source IPs today.

But what I'd like to do is to allow ANY random client that is able to connect on SSID_smf to be routed through L2TP_to_SMF for outgoing (and continue to have access to the local lan like any other client).

Because the SSID_smf wireless access point is not from Mikrotik, the only way I can find to identify these clients on the router is to tell the AP that SSID_smf is on a particular VLAN ID.
Last edited by thegoop on Fri Aug 02, 2019 12:22 am, edited 1 time in total.
 
CZFan
Forum Guru
Posts: 1441
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Very simple VLAN

Fri Aug 02, 2019 10:05 pm

My suggestion will then be to place that SSID on a separate vlan, issue a different subnet via DHCP to those clients on the vlan, and configure routing for that subnet.
 
thegoop
newbie
Topic Author
Posts: 31
Joined: Mon Jan 07, 2019 7:21 am

Re: Very simple VLAN

Fri Aug 02, 2019 11:01 pm

My suggestion will then be to place that SSID on a separate vlan, issue a different subnet via DHCP to those clients on the vlan, and configure routing for that subnet.
Thanks - and is there a simple way to "tie" the two subnets together so that everything (including broadcast) works across them both?
 
mkx
Forum Guru
Posts: 3223
Joined: Thu Mar 03, 2016 10:23 pm

Re: Very simple VLAN

Sat Aug 03, 2019 10:19 am

Thanks - and is there a simple way to "tie" the two subnets together so that everything (including broadcast) works across them both?
Subnets and common broadcast domains don't go together. Unless you know well what you're doing ... but then you wouldn't be asking this particular question here ...
BR,
Metod
 
sindy
Forum Guru
Posts: 4044
Joined: Mon Dec 04, 2017 9:19 pm

Re: Very simple VLAN

Sat Aug 03, 2019 12:13 pm

There is a way, however a terrible one.

On the bridge, the common subnet would live, with DHCP server etc. On the ethernet facing towards the non-Mikrotik AP (say, etherX), you'd set up an /interface vlan vlan-id=99 interface=etherX name=ssid-99 (i.e. having that ethernet as carrying interface). But to make this work you have to remove etherX from the bridge first, so the other SSID's VID on the AP has to be changed to something other than 1 - say, 33 - and another /interface vlan vlan-id=33 interface=etherX name=ssid-33 has to be added as well. Next, you make these two /interface vlan member ports of the bridge. From this moment on, clients on both SSIDs will see each other transparently at L2 without any limitation, and both will be able to access the same L3 destinations.

To provide different L3 treatment to each SSID's clients, you have to let the bridge use the ip firewall - /interface bridge settings set use-ip-firewall=yes, which will allow you to refer to in-bridge-port (and, eventually, out-bridge-port) in the firewall rules, matching on ssid-33 or ssid-99.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
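The configuration sindy describes above, written out as an added example (not sindy's or thegoop's own export). It assumes the AP hangs off ether2 (sindy's "etherX"), that the AP tags the normal SSID as VID 33 and SSID_smf as VID 99, and that the address list "local" and the L2TP_to_SMF routes from thegoop's earlier post already exist.

```routeros
# Added example; ether2 standing in for etherX is an assumption.
# ether2 must leave the bridge first: once it does, untagged frames on it
# are no longer bridged, so every SSID on the AP has to carry a VID.
/interface bridge port
remove [find interface=ether2]

# One /interface vlan per SSID, both carried by the physical port.
/interface vlan
add name=ssid-33 vlan-id=33 interface=ether2 comment="normal SSID"
add name=ssid-99 vlan-id=99 interface=ether2 comment="SSID_smf"

# Both VLAN interfaces join the existing bridge, so clients of both SSIDs
# share one L2 domain, the same subnet and the same DHCP server.
# The bridge learns MACs per port, so replies to SSID_smf clients leave via
# ssid-99 and are tagged with VID 99 automatically.
/interface bridge port
add bridge=bridge interface=ssid-33
add bridge=bridge interface=ssid-99

# Needed so /ip firewall rules can match on the bridge port a frame arrived on.
/interface bridge settings
set use-ip-firewall=yes

# Routing mark from thegoop's existing setup, now keyed on the VLAN port
# instead of a static address list; the to_SMF routes are unchanged.
/ip firewall mangle
add chain=prerouting in-bridge-port=ssid-99 dst-address-list=!local \
    action=mark-routing new-routing-mark=to_SMF passthrough=yes \
    comment="SSID_smf clients leave via L2TP_to_SMF"
```

Frames on ssid-33 get no mark and follow the default route, so only SSID_smf traffic changes behaviour; local traffic between the two SSIDs never leaves the bridge.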
 
thegoop
newbie
Topic Author
Posts: 31
Joined: Mon Jan 07, 2019 7:21 am

Re: Very simple VLAN

Sat Aug 03, 2019 6:34 pm

There is a way, however a terrible one.

On the bridge, the common subnet would live, with DHCP server etc. On the ethernet facing towards the non-Mikrotik AP (say, etherX), you'd set up an /interface vlan vlan-id=99 interface=etherX name=ssid-99 (i.e. having that ethernet as carrying interface). But to make this work you have to remove etherX from the bridge first, so the other SSID's VID on the AP has to be changed to something other than 1 - say, 33 - and another /interface vlan vlan-id=33 interface=etherX name=ssid-33 has to be added as well. Next, you make these two /interface vlan member ports of the bridge. From this moment on, clients on both SSIDs will see each other transparently at L2 without any limitation, and both will be able to access the same L3 destinations.

To provide different L3 treatment to each SSID's clients, you have to let the bridge use the ip firewall - /interface bridge settings set use-ip-firewall=yes, which will allow you to refer to in-bridge-port (and, eventually, out-bridge-port) in the firewall rules, matching on ssid-33 or ssid-99.
Got it, this makes perfect sense.

And yes, I do realize this is not the purpose of a vlan (I am trying to hack the VLAN ID to essentially be a routing-mark, which, once I do what sindy suggests, will let me mangle VLAN_ID=99 to whatever routing-mark I want).

Which brings me to a possibly simplifying question. For etherX, can I have the router simply strip the VLAN ID=99 out (or change it to a 1) and replace it with a routing-mark instead? I feel that if I could do that, then everything else would just happen automagically.

Thanks again.
 
sindy
Forum Guru
Posts: 4044
Joined: Mon Dec 04, 2017 9:19 pm

Re: Very simple VLAN

Sat Aug 03, 2019 9:05 pm

You cannot simplify it the way you suggest; think about the frames carrying the response packets, which need to get tagged with the correct VID on their way to the wireless clients.