JBrinkZA
just joined
Topic Author
Posts: 6
Joined: Sun Jun 05, 2016 10:24 am
Location: Cape Town, ZA
Contact:

Need help with VLAN Trunks

Mon Sep 02, 2019 6:19 pm

Hi All,
I seem to have hit a brick wall, and can't figure the VLAN issue out on a hEX-PoE...

Have a look at the screenshots lower down of the unit's configurations. The device has been configured from fresh start, running on the latest RouterOS stable version, with no fancy setups otherwise. I've done the exact same setup on a RB2011-UiAS and it works. Please help me, I'm starting to go crazy trying to figure it out.

The Goal:
The hEX-PoE will act as a Gateway for my network. It should have internet on eth/1, a management port on eth/2 (no VLAN, different bridge, own DHCP server and scope), and then trunk ports on eth/3, eth/4 and eth/5 (all linked to br/1).

The VLANs are:
  • VLAN1 - 192.168.66.0/24
  • VLAN30 - 172.16.99.0/24
All ethernet ports on br/1 ("VLANBridge") should be able to access VLAN1 as untagged traffic, and VLAN30 as tagged traffic, as these ports would go to a switch, a UniFi AP (main SSID on VLAN1, and Guest Access on VLAN30), and then future extension port.

What I've done:
Following the guides online, I've setup the following:
  • Created a VLAN Bridge, "VLANBridge", with ports 3-5 in it (refer to it as br/1).
  • Created VLANs 1 and 30, and added them onto br/1
  • Created Gateway addresses 192.168.66.1/24 bound to vlan1, and 172.16.99.1/24 bound to vlan30.
  • Created DHCP Server (using DHCP Setup), and created scoped DHCP servers for each VLAN.
  • Added the VLANs on br/1, where br/1 has IDs 1, 30, the tagged traffic being VLAN30 interface, and the untagged being VLAN1.
  • Added the VLANs to the switch ports (under switch → VLAN), where all ports on br/1 have both VLANs with independent learning <ON>
  • Changed Switch → Ports, respective br/1 ports to be in secure mode, with VLAN header set to "add if missing" (I've played around with these settings to see if any combination works, and also referred to Source 1 below).

What's happening:
Connecting an internet connection on eth/1, the router has break-out to the internet.
Connecting any computer on eth/2 gets an IP on the Management port, as expected.
Connecting the same or any other PC on eth/3, eth/4 or eth/5 results in loss of connectivity, with no network leases being received whatsoever. Returning to eth/2 works instantly.

Images:
1. RouterBoard's config [screenshot not included]
2. Intended Network Diagram [image not included]

Reference Sources:
1. https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29
2. viewtopic.php?t=131334
3. viewtopic.php?t=123228
---
Johan Brink (South Africa)
Owner of 6 experimental Grid Antennas mounted onto a broom stick - AKA "RaDMAS" ("Rapidly Deployable Mobile Antenna Stick")
 
mkx
Forum Guru
Posts: 3933
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help with VLAN Trunks

Mon Sep 02, 2019 11:14 pm

Post the full config of your device as shown by executing /export hide-sensitive (obfuscate public IP address) and enclose it in a [code] environment.
BR,
Metod
 
JBrinkZA
just joined
Topic Author
Posts: 6
Joined: Sun Jun 05, 2016 10:24 am
Location: Cape Town, ZA
Contact:

Re: Need help with VLAN Trunks

Tue Sep 03, 2019 9:52 am

Post the full config of your device as shown by executing /export hide-sensitive (obfuscate public IP address) and enclose it in a [code] environment.
Here's the config as requested:
# sep/02/2019 14:19:04 by RouterOS 6.45.5
# software id = ***REDACTED***
#
# model = 960PGS
# serial number = ***REDACTED***
/interface bridge
add name=VLANBridge vlan-filtering=yes
add admin-mac=74:4D:28:29:84:97 auto-mac=no comment="Management Bridge" name=\
    bridge
/interface vlan
add comment="Untagged Traffic" interface=VLANBridge name=VLAN1 vlan-id=1
add comment="Tagged Traffic" interface=VLANBridge name=VLAN30 vlan-id=30
/interface ethernet switch port
set 2 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.66.50-192.168.66.100
add name=dhcp_pool2 ranges=172.16.99.10-172.16.99.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=VLAN1 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=VLAN30 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=VLANBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4
add bridge=VLANBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=VLANBridge untagged=VLANBridge,VLAN1 vlan-ids=1
add bridge=VLANBridge tagged=VLANBridge,VLAN30 vlan-ids=30
/interface ethernet switch vlan
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=\
    switch1 vlan-id=1
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=\
    switch1 vlan-id=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.66.1/24 interface=VLAN1 network=192.168.66.0
add address=172.16.99.1/24 interface=VLAN30 network=172.16.99.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=172.16.99.0/24 dns-server=172.16.99.1,1.1.1.1,8.8.8.8 domain=\
    ***REDACTED*** gateway=172.16.99.1
add address=192.168.66.0/24 dns-server=192.168.66.1,1.1.1.1,8.8.8.8 domain=\
    ***REDACTED*** gateway=192.168.66.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Africa/Johannesburg
/system logging
add prefix="[DHCP Event]" topics=dhcp
add topics=event
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
---
Johan Brink (South Africa)
Owner of 6 experimental Grid Antennas mounted onto a broom stick - AKA "RaDMAS" ("Rapidly Deployable Mobile Antenna Stick")
 
mkx
Forum Guru
Posts: 3933
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help with VLAN Trunks

Tue Sep 03, 2019 4:09 pm

You mixed the old school setup (/interface ethernet switch subtree) and the new school setup (/interface bridge subtree). I suggest you stick with the new school; IMHO the user interface is less confusing (if one can say so), but it does come with a performance hit (if it hits you, you can still revamp the config to use the old style ... but it doesn't matter if you use the RB as a "router on a stick" with a single interface facing the LAN).

Basically you should remove all VLAN-related configuration from /interface ethernet switch port and /interface ethernet switch vlan. Essentially the whole /interface ethernet switch subtree should be blank.

Next: using VLAN ID 1 as a tagged VLAN is sometimes dubious ... ROS uses VID=1 as the default in several places and this might cause some configuration mismatches (e.g. a bridge with pvid=1 set should not have a slave VLAN interface with vlan-id=1). Personally I avoid using VID=1 when I'm doing things the VLAN way, even if some VLAN is only internal to a single ROS device. In your case, the untagged LAN ... I'd configure ether3 as a hybrid port (tagged VLAN 30 and untagged VLAN X ... just the way you did it, but with X being anything but 1).

Next: VLAN interfaces should (almost) never be a tagged member of their own parent bridge ... VLAN interfaces are kind of selective pipes. One end is tagged and is anchored to the parent interface (e.g. bridge) when creating them using
/interface vlan add name=<vlan interface> interface=<parent interface>
, the other end is untagged and is usually used for L3 stuff.

The proper /interface bridge port config would thus be:
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=VLANBridge comment=defconf ingress-filtering=yes pvid=X interface=ether3
add bridge=VLANBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=X interface=\
    ether4
add bridge=VLANBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=X interface=\
    ether5
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=sfp1

and corresponding /interface bridge vlan config would be:
/interface bridge vlan
add bridge=VLANBridge tagged=VLANBridge,ether3 untagged=ether4,ether5 vlan-ids=X
add bridge=VLANBridge tagged=VLANBridge,ether3 vlan-ids=30
And be sure to change the definition of interface VLAN1 to reflect the newly chosen VLAN ID (X).
BR,
Metod
 
JBrinkZA
just joined
Topic Author
Posts: 6
Joined: Sun Jun 05, 2016 10:24 am
Location: Cape Town, ZA
Contact:

Re: Need help with VLAN Trunks  [SOLVED]

Tue Sep 03, 2019 6:17 pm

You mixed the old school setup (/interface ethernet switch subtree) and the new school setup (/interface bridge subtree). I suggest you stick with the new school; IMHO the user interface is less confusing (if one can say so), but it does come with a performance hit (if it hits you, you can still revamp the config to use the old style ... but it doesn't matter if you use the RB as a "router on a stick" with a single interface facing the LAN).

...and it works! :-D

In the end, this is my configuration to have eth/2 as a management port, and eth/3-5 all as hybrid ports, working on one untagged and one tagged VLAN (simplified):
# sep/02/2019 14:47:16 by RouterOS 6.45.5
# model = 960PGS
/interface bridge
add ingress-filtering=yes name=VLANBridge vlan-filtering=yes
add admin-mac=74:4D:28:29:84:97 auto-mac=no comment="Management Bridge" name=\
    bridge
/interface vlan
add comment="Untagged Traffic" interface=VLANBridge name=VLAN2 vlan-id=2
add comment="Tagged Traffic" interface=VLANBridge name=VLAN30 vlan-id=30

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.66.50-192.168.66.100
add name=dhcp_pool2 ranges=172.16.99.10-172.16.99.200

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=VLAN2 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=VLAN30 name=dhcp2

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=ether4
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=ether5
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=sfp1

/interface bridge vlan
add bridge=VLANBridge tagged=VLANBridge,ether3,ether4,ether5 vlan-ids=2
add bridge=VLANBridge tagged=VLANBridge,ether3,ether4,ether5 vlan-ids=30

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.66.1/24 interface=VLAN2 network=192.168.66.0
add address=172.16.99.1/24 interface=VLAN30 network=172.16.99.0

/ip dhcp-server network
add address=172.16.99.0/24 dns-server=172.16.99.1,1.1.1.1,8.8.8.8 gateway=172.16.99.1
add address=192.168.66.0/24 dns-server=192.168.66.1,1.1.1.1,8.8.8.8 gateway=192.168.66.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes

Thank you @mkx, I have the configs that I need to continue, and learned some new things today.
---
Johan Brink (South Africa)
Owner of 6 experimental Grid Antennas mounted onto a broom stick - AKA "RaDMAS" ("Rapidly Deployable Mobile Antenna Stick")
 
smallfount
just joined
Posts: 5
Joined: Sun Jan 17, 2016 6:10 am

Re: Need help with VLAN Trunks

Thu Nov 21, 2019 2:25 pm

Dear Team,
Thank you for your sharing.
I have one concern about this topic, since I'm also currently trying to build a new hAP ac2 router connected to my Cisco switch.
I want to build a trunk link between them, so I want to use one port similar to what you did: one VLAN untagged and one VLAN tagged.

I'm not sure how you can identify, on the RoS side, which VLAN is tagged and which is untagged, since it seems that on ether3 both VLANs are tagged?

Use the pvid config? Or something else?

Thank you in advance.
 
mkx
Forum Guru
Posts: 3933
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help with VLAN Trunks

Thu Nov 21, 2019 3:18 pm

If we stick to the "new school" configuration, then consider this configuration excerpt:
/interface bridge
set [ find name=bridge ] vlan-filtering=yes   # don't do this before all VLAN stuff is set
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=300
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=300
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan300 vlan-id=300

It makes ether3 a member of the bridge and sets PVID=300 so that untagged packets get tagged with VID=300 on ingress.

Then it creates two VLANs on the bridge (as a switch). The VLAN with VID=100 has two tagged member interfaces: ether3 and bridge (interface), while the VLAN with VID=300 has two member interfaces as well: bridge (interface) is tagged and ether3 is untagged. This means that packets with VID=300 will get untagged on egress from ether3.

Then it creates two interfaces of type vlan, one per VLAN traversing the bridge. These interfaces are used for interaction between the router and the respective VLAN, so you have to bind the IP setup to those interfaces (e.g. /ip address add interface=vlan100 address=192.168.100.1/24).

If the RB device is used as an L2 switch for a certain VLAN, the bridge doesn't have to be a member of that VLAN and a vlan interface for that VID doesn't have to be created.
Example: if we want to add a VLAN with VID=400 to the ether3 trunk (as tagged) and to ether4 as an access port, but the RB won't interact with it on the IP level, then in addition to the above, the configuration would be the following:

/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether4 pvid=400
/interface bridge vlan
add bridge=bridge tagged=ether3 untagged=ether4 vlan-ids=400
BR,
Metod
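As an added example (not code from this thread or from MikroTik): a small Python linter that parses RouterOS /export text and flags the problems mkx diagnosed in his first reply (switch-chip VLAN config mixed with bridge VLAN filtering, VID 1 in use, a VLAN interface listed as a bridge VLAN member), plus a bridge port whose pvid has no matching untagged entry, following the pvid/tagged/untagged semantics of the reply above. The export excerpt is constructed, and treating each vlan-ids entry as a single VID is an assumption.

```python
import shlex
from collections import defaultdict
# Constructed /export excerpt (not the thread's own config): ether3 is a trunk for VIDs
# 100 and 300 (300 untagged), ether4 an access port for 400, plus three planted mistakes.
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan300 vlan-id=300
add interface=bridge name=vlan1 vlan-id=1
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=300
add bridge=bridge ingress-filtering=yes interface=\\
    ether4 pvid=400
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=100
add bridge=bridge tagged=bridge,vlan300 untagged=ether3 vlan-ids=300
add bridge=bridge tagged=ether3 vlan-ids=400
/interface ethernet switch vlan
add ports=ether3,switch1-cpu switch=switch1 vlan-id=100
"""
def parse_export(text):
    """{section: [{key: value}, ...]} from /export text; joins backslash continuations."""
    sections, section, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line                 # e.g. "/interface bridge vlan"
        elif line and line[0] != "#" and section:
            toks = shlex.split(line)       # keeps quoted comment="..." values intact
            sections[section].append(dict(t.split("=", 1) for t in toks[1:] if "=" in t))
    return sections
def lint(sections):
    """Findings for the mistakes the thread calls out (assumes one VID per vlan-ids entry)."""
    f = (["mixed: switch-chip VLAN table configured alongside bridge VLAN filtering"]
         if sections["/interface ethernet switch vlan"] else [])
    vifs = {v["name"]: v["vlan-id"] for v in sections["/interface vlan"]}
    f += [f"{n}: VID 1 is the RouterOS default pvid, use another VID" for n, vid in vifs.items() if vid == "1"]
    untagged = {}                          # vid -> ports that send it untagged on egress
    for e in sections["/interface bridge vlan"]:
        members = set((e.get("tagged", "") + "," + e.get("untagged", "")).split(","))
        f += [f"vlan-ids={e['vlan-ids']}: {m} is a VLAN interface, not a bridge port" for m in sorted(members & set(vifs))]
        untagged[e["vlan-ids"]] = set(e.get("untagged", "").split(","))
    for p in sections["/interface bridge port"]:   # pvid = VID stamped on untagged ingress
        if p["interface"] not in untagged.get((pvid := p.get("pvid", "1")), ()):
            f.append(f"{p['interface']}: pvid={pvid} but no vlan-ids={pvid} entry lists it as untagged")
    return f
```

Run `lint(parse_export(open("export.rsc").read()))` against a real `/export` to get the same four kinds of findings for your own device.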
