Very simple VLAN

Posted: Wed Jul 31, 2019 9:05 pm
by thegoop
All - sorry for what is likely a very basic question, but I am not quite getting something right.

One of my non-MikroTik APs has two SSIDs, the Mikrotik is the router.

SSID-A is sending on VLAN ID1, whereas SSID-B is sending on VLAN ID 99. When clients connect to SSID-1, everything works great. When clients connect to VLAN ID 2, they can't see the internet or any other clients.

I feel like I am missing something very basic to "connect" these together, so VLAN 99 is getting the benefit of DHCP, DNS, access to the internet, etc.. Thanks!
/interface vlan
add interface=bridge name=vlan1 vlan-id=99

/interface bridge
add admin-mac=B8:69:F4:9F:CD:ED auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=vlan1

It seems that there are at least 3 different places to put vlan-bridge mappings (in /interface vlan, /interface bridge, and /interface bridge vlan). I am confused.

Once this is working, I have a different mangle use case for those in VLAN ID 99, but I am pretty sure I know how to handle that part.

Thanks!

Re: Very simple VLAN

Posted: Wed Jul 31, 2019 11:56 pm
by thegoop
I've been googling around and trying to read/understand the forum posts, and can maybe better articulate what would be ideal:

1. VLAN ID 99 is tagged on ingress, and I'd like it to become untagged and set with a routing-mark instead.
2. When packets are sent back (egress), I don't think it matters that they get tagged back to VLAN 99 or not (can you help me do it both ways)?

The goal here is for the packets that come into the router to look like every other packet in the router, other than the routing-mark (which is used in a variety of ways for non-tagged packets)... and that responses get sent back to the client properly (not sure if the originating source requires the VLAN tag on the way back or not...).

Thanks again.

Re: Very simple VLAN

Posted: Thu Aug 01, 2019 4:59 am
by 2frogs
I believe you need to create a new bridge for the vlan and add IP and DHCP Server to the new bridge. Then change the bridge port for vlan1 to the new bridge.
/interface bridge
add name=vlan1-bridge

/interface bridge port
add bridge=vlan1-bridge interface=vlan1
The rest of your config should remain the same.

Re: Very simple VLAN

Posted: Thu Aug 01, 2019 5:41 am
by thegoop
Thank you for the help. I'll admit to being thoroughly confused though - what's the point of having a brand new bridge with just one interface in it? Can't I accomplish the same thing by just having the existing DHCP server serve the vlan directly?
I believe you need to create a new bridge for the vlan and add IP and DHCP Server to the new bridge. Then change the bridge port for vlan1 to the new bridge.
/interface bridge
add name=vlan1-bridge

/interface bridge port
add bridge=vlan1-bridge interface=vlan1
The rest of your config should remain the same.

Re: Very simple VLAN

Posted: Thu Aug 01, 2019 6:35 am
by 2frogs
You mentioned untagging/tagging, which is why I suggested a bridge. But yes, you can put the IP and DHCP Server directly on vlan1. And you can then remove the bridge port for vlan1 as it is not needed.

Re: Very simple VLAN

Posted: Thu Aug 01, 2019 2:16 pm
by anav
Draw diagrams and use this link and examples as a starting point.........
viewtopic.php?t=143620

Re: Very simple VLAN

Posted: Thu Aug 01, 2019 4:28 pm
by thegoop
Thank you - great suggestion - I'll admit that I am trying to use a VLAN tag for an odd purpose, so none of the diagrams in that post are exactly what I want to do. I am not trying to separate subnets from one another, I am trying to use VLAN ID 99 packets on egress as a tag that does nothing other than set a routing mark. I can do this in the mangle rules just fine, but there is no traffic ever leaving my router on this interface.

[Image: diagram of the current simplified network setup]

This picture is my current simplified network setup, which works today and has no VLANs.
  • There are n (non-Mikrotik) wireless access points going to a switch that is fully bridged, then to the router.
  • This is all on the 10.10.2.0/23 subnet. Router is 10.10.2.1, Switch is 10.10.2.2.
  • DHCP setup on the Router serving addresses 10.10.3.17-10.10.3.254.
  • All local interfaces are bridged on interface "bridge".
  • ETH1 on the router is WAN, and there is an L2TP tunnel (L2TP_to_SMF) that is used as the outgoing interface for packets that have been mangled with routing-mark = to_smf.
  • Note: Each of the wireless APs sends traffic tagged as VLAN 1, but there is nothing in the switch or router that does anything with this.

Here is what I want to do:
  • I want to set up a new SSID (SSID_smf) in the wireless infrastructure that treats its clients as normal local clients (including broadcast), but uses L2TP_to_SMF as its outgoing interface.
  • The access points (non-Mikrotik) have the ability to tag packets with a VLAN ID per SSID, but no other feature to distinguish those.
  • I have configured SSID_smf to tag packets as VLAN ID 99.

What I have tried, and current situation:
  • I can see the packets arrive at the router at the L2TP_to_SMF VLAN interface.
  • I thought I could just put L2TP_to_SMF interface into the router's bridge, but clearly that is not enough.
  • I see Rx on the interface, but no Tx.

My asks:
  • Assuming we start with the current state diagram and setup, what steps would I take to have packets arriving at the router on VLAN ID = 99 act as if they were regular local clients on the same subnet, *BUT* get routing-mark=to_smf?
  • I don't know if it is important that traffic go back to the originating access point tagged as VLAN 99 or not, so it would be nice to optionally know how to make sure they are tagged as VLAN 99 on egress (yeah, I got one word!).

Thanks!

Re: Very simple VLAN

Posted: Thu Aug 01, 2019 8:02 pm
by anav
The first part of the post is excellent, detailing requirements of what you are trying to accomplish; however it's still too intertwined with the solution space of the router and configuration.
Divorce yourself from both the configuration and the equipment and describe what you wish to accomplish, perhaps via your services output or what you want users to be able to do or not do etc..., without getting into vlans, routers, switches etc......... There may actually be more efficient and easier ways to accomplish use cases with available functionality within RouterOS.

Re: Very simple VLAN

Posted: Thu Aug 01, 2019 9:18 pm
by thegoop
Thanks - I'd fire myself for the poor requirements/posting. I appreciate you reading through and giving advice on how to clarify my request.

In my current configuration, all devices (independent of how they connect to the router) are on a single subnet 10.10.2.0/23. They can communicate with one another, and receive broadcasts. All client devices can get to the internet via the Mikrotik router (gateway 10.10.2.1, default routed to the WAN port), which also handles DHCP.

I have one special address list (clients_smf) that is routed to the internet through an L2TP tunnel (interface L2TP_to_SMF) by way of a /ip firewall mangle prerouting rule setting routing-mark=to_smf and an associated /ip route to L2TP_to_SMF.

Key configuration items that make the above work in my setup:
/interface list member
add interface=L2TP_to_SMF list=VPNs

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for VPNs" ipsec-policy=out,none \
    out-interface-list=VPNs

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!local new-routing-mark=to_SMF \
    passthrough=yes src-address-list=clients_SMF

/ip route
add check-gateway=ping distance=1 gateway=L2TP_to_SMF routing-mark=to_SMF
add distance=2 routing-mark=to_SMF type=prohibit

I'd like:
  • any client that connects to a special wireless SSID (SSID_smf) to be routed to the internet via L2TP_to_SMF instead of the WAN port
  • the local connectivity for these clients should remain unchanged, so they can still communicate with one another

Problem: My wireless APs are not Mikrotik, and each serves up multiple SSIDs. The only way I can see to distinguish these clients on the Mikrotik router is to use the AP's feature to set a different VLAN ID on a per-SSID basis (let's call SSID_smf's VLAN ID = 99).

So, for these clients/packets that come in on VLAN ID = 99, how can I set up RouterOS to:
  • keep their local connectivity as if they were on the main network with all other clients - it would be nice if they used the same DHCP server as the other clients, but not required
  • use L2TP_to_SMF as their internet gateway (instead of the default WAN interface) - it would be nice if it happened via a routing-mark=to_smf, but this is not required
  • optionally have any packets related to those that come in on VLAN ID = 99 go out on VLAN ID = 99 as well - I don't know if the originating AP is going to care or not

Thanks!

Re: Very simple VLAN

Posted: Thu Aug 01, 2019 11:40 pm
by CZFan
Not sure if information is missing, or maybe I don't fully understand the requirements, but if you have an address list of source IPs, then these are already distinguished on the Mikrotik, so why the need to complicate things with VLANs?

All that is needed then is policy-based routing on the source address list to go via VPN?

Re: Very simple VLAN

Posted: Thu Aug 01, 2019 11:50 pm
by thegoop
Not sure if information is missing, or maybe I don't fully understand the requirements, but if you have an address list of source IPs, then these are already distinguished on the Mikrotik, so why the need to complicate things with VLANs?

All that is needed then is policy-based routing on the source address list to go via VPN?
You are right, we have a list of source IPs today.

But what I'd like to do is to allow ANY random client that is able to connect on SSID_smf to be routed through L2TP_to_SMF for outgoing traffic (and continue to have access to the local LAN like any other client).

Because the SSID_smf wireless access point is not from Mikrotik, the only way I can find to identify these clients on the router is to tell the AP that SSID_smf is on a particular VLAN ID.

Re: Very simple VLAN

Posted: Fri Aug 02, 2019 10:05 pm
by CZFan
My suggestion will then be to place that SSID on a separate vlan, issue a different subnet via DHCP to those clients on the vlan, and configure routing for that subnet.

Re: Very simple VLAN

Posted: Fri Aug 02, 2019 11:01 pm
by thegoop
My suggestion will then be to place that SSID on a separate vlan, issue a different subnet via DHCP to those clients on the vlan, and configure routing for that subnet.
Thanks - and is there a simple way to "tie" the two subnets together so that everything (including broadcast) works across them both?

Re: Very simple VLAN

Posted: Sat Aug 03, 2019 10:19 am
by mkx
Thanks - and is there a simple way to "tie" the two subnets together so that everything (including broadcast) works across them both?
Subnets and common broadcast domains don't go together. Unless you know well what you're doing ... but then you wouldn't be asking this particular question here ...

Re: Very simple VLAN

Posted: Sat Aug 03, 2019 12:13 pm
by sindy
There is a way, however a terrible one.

On the bridge, the common subnet would live, with DHCP server etc. On the ethernet facing towards the non-Mikrotik AP (say, etherX), you'd set up an /interface vlan vlan-id=99 interface=etherX name=ssid-99 (i.e. having that ethernet as the carrying interface). But to make this work you have to remove etherX from the bridge first, so the other SSID's VID on the AP has to be changed to something other than 1 - say, 33 - and another /interface vlan vlan-id=33 interface=etherX name=ssid-33 has to be added as well. Next, you make these two /interface vlan member ports of the bridge. From this moment on, clients on both SSIDs will see each other transparently at L2 without any limitation, and both will be able to access the same L3 destinations.

To provide different L3 treatment to each SSID's clients, you have to let the bridge use the ip firewall - /interface bridge settings set use-ip-firewall=yes, which will allow you to refer to in-bridge-port (and, eventually, out-bridge-port) in the firewall rules, matching on ssid-33 or ssid-99.
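The approach sindy describes, written out as a complete RouterOS (v6-era syntax, as used in this thread) configuration. This is an added example, not config from any poster; it assumes the AP hangs off ether5, the AP's other SSID has been re-tagged to VID 33, and the bridge, address list and routing-mark names match thegoop's earlier posts.

```routeros
# Added example: VLAN-per-SSID as a routing-mark selector on one shared L2 segment.
# Assumptions: AP is on ether5; AP tags SSID_smf as VID 99 and its other SSID as VID 33.

# 1. The untagged ether5 and the old bridge-carried vlan1 must leave the bridge,
#    otherwise tagged and untagged frames from the same AP would loop through it.
/interface bridge port
remove [find interface=ether5]
remove [find interface=vlan1]
/interface vlan
remove [find name=vlan1]

# 2. One /interface vlan per SSID, both carried by ether5 (not by the bridge).
/interface vlan
add interface=ether5 vlan-id=33 name=ssid-33 comment="AP: normal SSID"
add interface=ether5 vlan-id=99 name=ssid-99 comment="AP: SSID_smf"

# 3. Both VLAN interfaces become bridge ports: one broadcast domain, one subnet,
#    one DHCP server (10.10.2.1 on "bridge" keeps working unchanged).
/interface bridge port
add bridge=bridge interface=ssid-33
add bridge=bridge interface=ssid-99

# 4. Let bridged traffic pass through /ip firewall so in-bridge-port is matchable.
/interface bridge settings
set use-ip-firewall=yes

# 5. Mark only Internet-bound traffic that entered via the SSID_smf VLAN.
#    Local (dst in "local" list) traffic is left alone, so LAN reachability is intact.
/ip firewall mangle
add chain=prerouting in-bridge-port=ssid-99 dst-address-list=!local \
    action=mark-routing new-routing-mark=to_SMF passthrough=yes \
    comment="SSID_smf clients (VID 99) -> L2TP_to_SMF"

# Verification (read-only): learned MACs should now sit on ssid-33 / ssid-99,
# and the mangle counter should climb when an SSID_smf client browses.
/interface bridge host print where interface=ssid-99
/ip firewall mangle print stats where comment~"SSID_smf"
```

The existing to_SMF routes and the srcnat masquerade on the VPNs list from the earlier post carry the marked traffic out; replies return through the bridge already tagged with VID 99 because ssid-99 is the bridge port the client's MAC was learned on.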

Re: Very simple VLAN

Posted: Sat Aug 03, 2019 6:34 pm
by thegoop
There is a way, however a terrible one.

On the bridge, the common subnet would live, with DHCP server etc. On the ethernet facing towards the non-Mikrotik AP (say, etherX), you'd set up an /interface vlan vlan-id=99 interface=etherX name=ssid-99 (i.e. having that ethernet as the carrying interface). But to make this work you have to remove etherX from the bridge first, so the other SSID's VID on the AP has to be changed to something other than 1 - say, 33 - and another /interface vlan vlan-id=33 interface=etherX name=ssid-33 has to be added as well. Next, you make these two /interface vlan member ports of the bridge. From this moment on, clients on both SSIDs will see each other transparently at L2 without any limitation, and both will be able to access the same L3 destinations.

To provide different L3 treatment to each SSID's clients, you have to let the bridge use the ip firewall - /interface bridge settings set use-ip-firewall=yes, which will allow you to refer to in-bridge-port (and, eventually, out-bridge-port) in the firewall rules, matching on ssid-33 or ssid-99.
Got it, this makes perfect sense.

And yes, I do realize this is not the purpose of a vlan (I am trying to hack the VLAN ID to essentially be a routing-mark, which, once I do what sindy suggests, will let me mangle VLAN_ID=99 to whatever routing-mark I want).

Which brings me to a possibly simplifying question. For etherX, can I have the router simply strip the VLAN ID=99 out (or change it to a 1) and replace it with a routing-mark instead? I feel that if I could do that, then everything else would just happen automagically.

Thanks again.

Re: Very simple VLAN

Posted: Sat Aug 03, 2019 9:05 pm
by sindy
You cannot simplify it the way you suggest; think about the frames carrying the response packets, which need to get tagged with the correct VID on their way to the wireless clients.