Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328

Posted: Sun Aug 04, 2019 12:38 am
by nmc
Hi,

I'm trying to build a new network with VLANs and bonding, and I'm having a lot of trouble getting it up and running.


I have an RB3011 as the main router, which has been working fine for the last 3 years. The current network set up on this router is 10.50.0.1/24

I just bought a new CRS328-24P-4S+RM to use as my main switch.

I want to create 2 new VLANs where I will eventually move all my machines: VLAN 100 (10.80.0.0/22) and VLAN 200 (10.80.4.0/22).
I also want a bonding interface between the switch and the router.

Here is a diagram of how I would like things plugged in.
[Attached image: Blank Diagram.jpeg]

I have tried this. Here is my current config:


RB3011

# jul/28/2019 18:16:05 by RouterOS 6.45.1
# software id = LM13-4QY3
#
# model = RouterBOARD 3011UiAS
/interface bridge
add admin-mac=xx arp=proxy-arp auto-mac=no fast-forward=no \
name=bridge-local vlan-filtering=yes

/interface bonding
add mode=802.3ad name=router-switch slaves=\
ether4-slave-local,ether5-slave-local

/interface vlan
add interface=router-switch name=vlan-srv-100 vlan-id=100

/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local ingress-filtering=yes interface=router-switch

/interface bridge settings
set use-ip-firewall-for-vlan=yes

/interface bridge vlan
add bridge=bridge-local tagged=router-switch vlan-ids=100

/ip address
add address=10.13.37.1/16 comment="default configuration" interface=\
ether2-master-local network=10.13.0.0
add address=69.70.215.78/30 interface=ether1-internet network=69.70.215.76
add address=10.80.0.1/22 interface=vlan-srv-100 network=10.80.0.0

CRS328

# jan/02/1970 00:30:35 by RouterOS 6.45.1
# software id = R141-ZR7S
#
# model = CRS328-24P-4S+
/interface bridge
add admin-mac=xx auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes

/interface ethernet
set [ find default-name=ether2 ] mac-address=xx

/interface vlan
add interface=bridge name=vlan-srv-100 vlan-id=100

/interface bonding
add mode=802.3ad name=router-switch slaves=ether1,ether2

/interface wireless security-profiles

/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=router-switch

/interface bridge vlan
add bridge=bridge tagged=bridge,router-switch vlan-ids=100

/ip address
add address=10.80.0.2/22 interface=vlan-srv-100 network=10.80.0.0

/ip route
add distance=1 dst-address=0.0.0.0/32 gateway=10.80.0.1

The bonding seems to work fine and I'm able to ping 10.80.0.1, which is the address of the router on VLAN 100. However, I cannot ping the switch or anything else on this network.

Anything I'm missing? Let me know if you need more information.



Thank you.

Re: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328

Posted: Sun Aug 04, 2019 1:08 am
by sebastia
Hey

There is an extensive VLAN how-to on this forum, have a look. (viewtopic.php?f=13&t=143620&hilit=vlan)

Some remarks:
* why the need for proxy-arp on the bridge?
* vlan-filtering=yes (on non-CRS3xx hardware) is in software; if you want it in hardware, you'll need to do it through the "switch" functions
* if only the VLAN should pass over the bond, why make it part of the bridge and then filter everything away? just keep it as an independent interface
* do you plan on using that "use-ip-firewall-for-vlan=yes"?
* in "/interface bridge vlan", bridge-local should also be in the tagged list of interfaces (like you did for the CRS config)

Added info: vlan howto + vlan-filtering clarification

Re: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328

Posted: Sun Aug 04, 2019 1:36 am
by nmc
Thanks for the reply,

I forgot to mention that I tried to follow this guide: https://wiki.mikrotik.com/wiki/Manual:C ... with_Bonds
Can you link to the VLAN how-to you mentioned? Thanks.

* proxy-arp: I don't remember when and why I activated this. Could it be because of VPN or mDNS? Should I remove it?
* OK, that's what I thought, but that wasn't mentioned in the how-to linked above. But I think the RB3011 cannot do VLAN over the bonding interface.
* I followed the how-to above, and it adds the bond to the bridge, if I understand it correctly.
* I plan on using rules in the firewall to block some traffic between subnets. Isn't that what this does?
* OK, I will try to add this in bridge vlan.

Re: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328

Posted: Sun Aug 04, 2019 2:07 am
by sebastia
* proxy-arp: I don't remember when and why I activated this. Could it be because of VPN or mDNS? Should I remove it?
* OK, that's what I thought, but that wasn't mentioned in the how-to linked above. Will try a different config with this.
* I followed the how-to above, and it adds the bond to the bridge, if I understand it correctly.
* I plan on using rules in the firewall to block some traffic between subnets. Isn't that what this does?
* OK, I will try to add this in bridge vlan.
* proxy-arp will result in transmission of every packet through the bridge. Could be useful for VPN, but for a bridge??? I would remove / disable it for the time being, until a specific use case arises.
* clarified that it's in software for all non-CRS3xx hardware: you're fine on the switch, but not on the router
* there is no bridging of the bond on the router in the how-to. anyway, you always have to evaluate such examples against what YOU need
* between subnets -> routing firewall; what you have now is a bridge firewall = filtering of traffic within the same subnet
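
The layout suggested in the remarks above, sketched for the RB3011 as an added example (it is not a config posted by either participant): the bond is kept out of the bridge, the VLAN interfaces sit directly on it, and traffic between the two subnets is filtered in the routing firewall. The interface name vlan-srv-200 and the gateway address 10.80.4.1 are assumptions; the other names come from the export in the first post.

```routeros
# Added example for the RB3011. vlan-srv-200 and 10.80.4.1 are assumed values;
# router-switch, bridge-local and vlan-srv-100 are the names from the posted export.

# Take the bond out of the bridge so it acts as a standalone trunk.
/interface bridge port
remove [find interface=router-switch]
/interface bridge vlan
remove [find vlan-ids=100]

# vlan-srv-100 already sits on the bond; add the second VLAN the same way.
# On the RB3011 this tagging is handled in software.
/interface vlan
add interface=router-switch name=vlan-srv-200 vlan-id=200

/ip address
add address=10.80.4.1/22 interface=vlan-srv-200

# Traffic between 10.80.0.0/22 and 10.80.4.0/22 is routed, so it is filtered
# in the forward chain of /ip firewall filter, not in the bridge firewall.
# Rule order matters: place these ahead of any broader accept rule.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="allow replies to permitted connections"
add chain=forward action=drop in-interface=vlan-srv-100 \
    out-interface=vlan-srv-200 comment="block VLAN 100 -> VLAN 200"
add chain=forward action=drop in-interface=vlan-srv-200 \
    out-interface=vlan-srv-100 comment="block VLAN 200 -> VLAN 100"
```

On the CRS328 side, VLAN 200 would also have to be allowed on the bond under /interface bridge vlan, as was done there for VLAN 100.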

Re: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328

Posted: Sun Aug 04, 2019 3:51 am
by nmc
Hey, I was able to make it work! Thank you. I'll do more testing tonight, but at least I'm able to use VLANs over a bonding interface between the switch and router.

However, I kept software VLAN on the router because I don't think the RB3011 supports this feature on a bonding interface. See: https://wiki.mikrotik.com/wiki/Manual:I ... Offloading

Thanks again for your help !