JBrinkZA
just joined
Topic Author
Posts: 6
Joined: Sun Jun 05, 2016 10:24 am
Location: Cape Town, ZA

Need help with VLAN Trunks

Mon Sep 02, 2019 6:19 pm

Hi All,
I seem to have hit a brick wall, and can't figure the VLAN issue out on a hEX-PoE...

Have a look at the screenshots lower down of the unit's configurations. The device has been configured from fresh start, running on the latest RouterOS stable version, with no fancy setups otherwise. I've done the exact same setup on a RB2011-UiAS and it works. Please help me, I'm starting to go crazy trying to figure it out.

The Goal:
The hEX-PoE will act as a Gateway for my network. It should have internet on eth/1, a management port on eth/2 (no VLAN, different bridge, own DHCP server and scope), and then trunk ports on et/3, eth/4 and eth/5 (all linked to br/1).

The VLANs are:
  • VLAN1 - 192.168.66.0/24
  • VLAN30 - 172.16.99.0/24
All ethernet ports on br/1 ("VLANBridge") should be able to access VLAN1 as untagged traffic, and VLAN30 as tagged traffic, as these ports would go to a switch, a UniFi AP (main SSID on VLAN1, and Guest Access on VLAN30), and a future extension port.

What I've done:
Following the guides online, I've set up the following:
  • Created a VLAN Bridge, "VLANBridge", with ports 3-5 in it (refer to it as br/1).
  • Created VLANs 1 and 30, and added them onto br/1
  • Created Gateway addresses 192.168.66.1/24 bound to vlan1, and 172.16.99.1/24 bound to vlan30.
  • Created DHCP Server (using DHCP Setup), and created scoped DHCP servers for each VLAN.
  • Added the VLANs on br/1, where br/1 has IDs 1, 30, the tagged traffic being VLAN30 interface, and the untagged being VLAN1.
  • Added the VLANs to the switch ports (under switch → VLAN), where all ports on br/1 have both VLANs with independent learning <ON>
  • Changed Switch → Ports, respective br/1 ports to be in secure mode, with VLAN header set to "add if missing" (I've played around with these settings to see if any combination works, and also referred to Source 1 below).

What's happening:
With an internet connection on eth/1, the router has break-out to the internet.
Connecting any computer on eth/2 gets an IP on the Management port, as expected.
Connecting the same or any other PC on eth/3, eth/4 or eth/5 results in loss of connectivity, with no network leases being received whatsoever. Returning to eth/2 works instantly.

Images:
1. RouterBoard's config (image)
2. Intended Network Diagram (image)

Reference Sources:
1. https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29
2. viewtopic.php?t=131334
3. viewtopic.php?t=123228
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help with VLAN Trunks

Mon Sep 02, 2019 11:14 pm

Post full config of your device as shown by executing /export hide-sensitive (obfuscate public IP address) and enclose it to [code] environment.
 
JBrinkZA
just joined
Topic Author
Posts: 6
Joined: Sun Jun 05, 2016 10:24 am
Location: Cape Town, ZA

Re: Need help with VLAN Trunks

Tue Sep 03, 2019 9:52 am

mkx wrote:
Post full config of your device as shown by executing /export hide-sensitive (obfuscate public IP address) and enclose it to [code] environment.
Here's the config as requested:
# sep/02/2019 14:19:04 by RouterOS 6.45.5
# software id = ***REDACTED***
#
# model = 960PGS
# serial number = ***REDACTED***
/interface bridge
add name=VLANBridge vlan-filtering=yes
add admin-mac=74:4D:28:29:84:97 auto-mac=no comment="Management Bridge" name=\
    bridge
/interface vlan
add comment="Untagged Traffic" interface=VLANBridge name=VLAN1 vlan-id=1
add comment="Tagged Traffic" interface=VLANBridge name=VLAN30 vlan-id=30
/interface ethernet switch port
set 2 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.66.50-192.168.66.100
add name=dhcp_pool2 ranges=172.16.99.10-172.16.99.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=VLAN1 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=VLAN30 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=VLANBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4
add bridge=VLANBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=VLANBridge untagged=VLANBridge,VLAN1 vlan-ids=1
add bridge=VLANBridge tagged=VLANBridge,VLAN30 vlan-ids=30
/interface ethernet switch vlan
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=\
    switch1 vlan-id=1
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=\
    switch1 vlan-id=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.66.1/24 interface=VLAN1 network=192.168.66.0
add address=172.16.99.1/24 interface=VLAN30 network=172.16.99.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=172.16.99.0/24 dns-server=172.16.99.1,1.1.1.1,8.8.8.8 domain=\
    ***REDACTED*** gateway=172.16.99.1
add address=192.168.66.0/24 dns-server=192.168.66.1,1.1.1.1,8.8.8.8 domain=\
    ***REDACTED*** gateway=192.168.66.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Africa/Johannesburg
/system logging
add prefix="[DHCP Event]" topics=dhcp
add topics=event
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help with VLAN Trunks

Tue Sep 03, 2019 4:09 pm

You mixed old school setup (/interface ethernet switch subtree) and new school setup (/interface bridge subtree). I suggest you stick with new school; IMHO the user interface is less confusing (if one can say so), but it does come with a performance hit (if it hits you, you can still revamp the config to use old style ... but it doesn't matter if you use the RB as a "router on a stick" with a single interface facing the LAN).

Basically you should remove all VLAN-related configuration from /interface ethernet switch port and /interface ethernet switch vlan. Essentially the whole /interface ethernet switch subtree should be blank.

Next: using VLAN ID 1 as tagged VLAN is sometimes dubious ... ROS uses VID=1 as default in several places and this might cause some configuration mismatches (e.g. a bridge with pvid=1 set should not have a slave VLAN interface with vlan-id=1). Personally I avoid using VID=1 when I'm doing things VLAN-way, even if some VLAN is only internal to a single ROS device. In your case, the untagged LAN ... I'd configure ether3 as a hybrid port (tagged VLAN 30 and untagged VLAN X ... just the way you did it, but X being anything but 1).

Next: VLAN interfaces should (almost) never be tagged members of their own parent bridge ... VLAN interfaces are kind of selective pipes. One end is tagged and is anchored to the parent interface (e.g. bridge) when creating them using
/interface vlan add name=<vlan interface> interface=<parent interface>
The other end is untagged and is usually used for L3 stuff.

The proper /interface bridge port config would thus be:
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=VLANBridge comment=defconf ingress-filtering=yes pvid=X interface=ether3
add bridge=VLANBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=X interface=\
    ether4
add bridge=VLANBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=X interface=\
    ether5
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=sfp1

and corresponding /interface bridge vlan config would be:
/interface bridge vlan
add bridge=VLANBridge tagged=VLANBridge,ether3 untagged=ether4,ether5 vlan-ids=X
add bridge=VLANBridge tagged=VLANBridge,ether3 vlan-ids=30
And be sure to change the definition of interface VLAN1 to reflect the newly chosen VLAN ID (X).
 
JBrinkZA
just joined
Topic Author
Posts: 6
Joined: Sun Jun 05, 2016 10:24 am
Location: Cape Town, ZA

Re: Need help with VLAN Trunks  [SOLVED]

Tue Sep 03, 2019 6:17 pm

mkx wrote:
You mixed old school setup (/interface ethernet switch subtree) and new school setup (/interface bridge subtree). I suggest you to stick with new school, IMHO the user interface is less confusing (if one can say so) but it does come with performance hit (if it hits you, you can still revamp the config to using old style ... but it doesn't matter if you use RB as "router on a stick" with single interface facing the LAN).

...and it works! :-D

In the end, this is my configuration to have eth/2 as a management port, and eth/3-5 all as hybrid ports, working on one untagged and one tagged VLAN (simplified):
# sep/02/2019 14:47:16 by RouterOS 6.45.5
# model = 960PGS
/interface bridge
add ingress-filtering=yes name=VLANBridge vlan-filtering=yes
add admin-mac=74:4D:28:29:84:97 auto-mac=no comment="Management Bridge" name=\
    bridge
/interface vlan
add comment="Untagged Traffic" interface=VLANBridge name=VLAN2 vlan-id=2
add comment="Tagged Traffic" interface=VLANBridge name=VLAN30 vlan-id=30

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.66.50-192.168.66.100
add name=dhcp_pool2 ranges=172.16.99.10-172.16.99.200

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=VLAN2 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=VLAN30 name=dhcp2

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=ether4
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=ether5
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=sfp1

/interface bridge vlan
add bridge=VLANBridge tagged=VLANBridge,ether3,ether4,ether5 vlan-ids=2
add bridge=VLANBridge tagged=VLANBridge,ether3,ether4,ether5 vlan-ids=30

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.66.1/24 interface=VLAN2 network=192.168.66.0
add address=172.16.99.1/24 interface=VLAN30 network=172.16.99.0

/ip dhcp-server network
add address=172.16.99.0/24 dns-server=172.16.99.1,1.1.1.1,8.8.8.8 gateway=172.16.99.1
add address=192.168.66.0/24 dns-server=192.168.66.1,1.1.1.1,8.8.8.8 gateway=192.168.66.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes

Thank you @mkx, I have the configs that I need to continue, and learned some new things today.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help with VLAN Trunks

Thu Nov 21, 2019 3:18 pm

If we stick to "new school" configuration, then consider this configuration excerpt:
/interface bridge
set [ find name=bridge ] vlan-filtering=yes   # don't do this before all VLAN stuff is set
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=300
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=300
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan300 vlan-id=300

It makes ether3 a member of the bridge and sets PVID=300 so that untagged packets get tagged with VID=300 on ingress.

Then it creates two VLANs on the bridge (as a switch). The VLAN with VID=100 has two tagged member interfaces: ether3 and bridge (interface), while the VLAN with VID=300 has two member interfaces as well: bridge (interface) is tagged and ether3 is untagged. Which means that packets with VID=300 will get untagged on egress from ether3.

Then it creates two interfaces of type vlan, one per VLAN traversing the bridge. These interfaces are used for interaction between the router and the respective VLAN, so you have to bind the IP setup to those interfaces (e.g. /ip address add interface=vlan100 address=192.168.100.1/24).

If the RB device is used as an L2 switch for a certain VLAN, the bridge doesn't have to be a member of that VLAN and a vlan interface for that VID doesn't have to be created.
Example: if we want to add a VLAN with VID=400 to the ether3 trunk (as tagged) and to ether4 as an access port, but the RB won't interact with it on IP level, then in addition to the above, the configuration would be the following:

/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether4 pvid=400
/interface bridge vlan
add bridge=bridge tagged=ether3 untagged=ether4 vlan-ids=400
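Added example, not MikroTik's code nor anyone's in this thread: a small Python model of the bridge VLAN filtering rules described above (untagged ingress is classified to the port's pvid, ingress-filtering drops frames whose VID the port is not a member of, egress tagging follows the tagged=/untagged= lists). It parses constructed excerpts of the original non-working config and of the VID 100/300/400 example and shows why an untagged PC frame on ether3 was dropped in the first case and how it is forwarded in the second; hardware offload and the CPU-side vlan interfaces are not modelled.

```python
"""Bridge VLAN filtering simulator for RouterOS '/export' excerpts.

Parses '/interface bridge port' and '/interface bridge vlan' and, for a
frame arriving on a port, reports whether it is admitted, which VID it is
classified into and on which members it leaves tagged or untagged.
"""
import re

# Constructed excerpt of the thread's original (non-working) config:
# ether3/ether4 keep the default pvid=1 but are not members of VID 1, whose
# "untagged" list names the bridge and a VLAN interface instead of ports.
BROKEN = """
/interface bridge port
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=VLANBridge comment=defconf frame-types=\\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\\
    ether4
/interface bridge vlan
add bridge=VLANBridge untagged=VLANBridge,VLAN1 vlan-ids=1
add bridge=VLANBridge tagged=VLANBridge,VLAN30 vlan-ids=30
"""

# Constructed excerpt following the VID 100/300/400 example above.
FIXED = """
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=300
add bridge=bridge ingress-filtering=yes interface=ether4 pvid=400
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=300
add bridge=bridge tagged=ether3 untagged=ether4 vlan-ids=400
"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return (ports, vlans) built from the two bridge sections of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join RouterOS line continuations
    ports, vlans, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = {k: v.strip('"') for k, v in KV.findall(line)}
            if section == "/interface bridge port":
                ports[kv["interface"]] = {
                    "pvid": int(kv.get("pvid", 1)),  # RouterOS default pvid
                    "ingress_filtering": kv.get("ingress-filtering") == "yes",
                    "frame_types": kv.get("frame-types", "admit-all"),
                }
            elif section == "/interface bridge vlan":
                tagged = set(filter(None, kv.get("tagged", "").split(",")))
                untagged = set(filter(None, kv.get("untagged", "").split(",")))
                for vid in kv["vlan-ids"].split(","):
                    vlans[int(vid)] = {"tagged": tagged, "untagged": untagged}
    return ports, vlans


def forward(ports, vlans, in_port, vid=None):
    """Classify a frame (vid=None means untagged) and compute its egress.

    Returns (classified_vid, {member: 'tagged'|'untagged'}) when forwarded,
    or (None, reason) when the bridge drops the frame.
    """
    p = ports[in_port]
    ft = p["frame_types"]
    if vid is None and ft == "admit-only-vlan-tagged":
        return None, "dropped: untagged frame on tagged-only port"
    if vid is not None and ft == "admit-only-untagged-and-priority-tagged":
        return None, "dropped: tagged frame on untagged-only port"
    if vid is None:
        vid = p["pvid"]  # untagged ingress is classified to the port's pvid
    entry = vlans.get(vid)
    if entry is None:
        return None, f"dropped: VID {vid} not in bridge vlan table"
    members = entry["tagged"] | entry["untagged"]
    if p["ingress_filtering"] and in_port not in members:
        return None, f"dropped: {in_port} is not a member of VID {vid}"
    egress = {m: "tagged" for m in entry["tagged"] if m != in_port}
    egress.update({m: "untagged" for m in entry["untagged"] if m != in_port})
    return vid, egress


if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        ports, vlans = parse_export(cfg)
        print(name, "untagged PC frame on ether3 ->", forward(ports, vlans, "ether3"))
        print(name, "tagged VID 30/300 frame on ether4 ->",
              forward(ports, vlans, "ether4", 30 if name == "BROKEN" else 300))
```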
 
durango
just joined
Posts: 2
Joined: Mon Apr 19, 2021 8:29 pm

Re: Need help with VLAN Trunks

Mon Apr 19, 2021 8:44 pm

Hello everyone, I am new to the forum and also to MikroTik.
I have tried to copy the solution of the configuration above and adapt it to my case.

In the secure section, after doing so, I get disconnected from Winbox, and there is no way to connect to the hEX PoE.
I have to do a reset.

My map follows the configuration (image): https://imgur.com/6xElJrz
config:
/interface bridge
add name=VLANBridge vlan-filtering=yes
add comment="Management Bridge" name=bridge
/interface vlan
add comment="Untagged Traffic" interface=VLANBridge name=VLAN1 vlan-id=1
add comment="Telefonia" interface=VLANBridge name=VLAN20 vlan-id=20
add comment="WIFI" interface=VLANBridge name=VLAN30 vlan-id=30
add comment="Server" interface=VLANBridge name=VLAN40 vlan-id=40
add comment="PC" interface=VLANBridge name=VLAN50 vlan-id=50

/interface ethernet switch port
set 2 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_VLAN30 ranges=172.16.20.20-172.16.30.254
add name=dhcp_VLAN30 ranges=172.16.30.20-172.16.30.254
add name=dhcp_vlan40 ranges=172.16.40.20-172.16.40.254
add name=dhcp_vlan50 ranges=172.16.50.20-172.16.50.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_VLAN20 disabled=no interface=VLAN20 name=vlan20
add address-pool=dhcp_VLAN30 disabled=no interface=VLAN30 name=vlan30
add address-pool=dhcp_VLAN40 disabled=no interface=VLAN40 name=VLAN40
add address-pool=dhcp_VLAN50 disabled=no interface=VLAN40 name=VLAN50
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=VLANBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4
add bridge=VLANBridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5
add bridge=VLANBridge comment=defconf ingress-filtering=yes interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=VLANBridge untagged=VLANBridge,VLAN1 vlan-ids=1
add bridge=VLANBridge tagged=VLANBridge,VLAN30 vlan-ids=20
add bridge=VLANBridge tagged=VLANBridge,VLAN30 vlan-ids=30
add bridge=VLANBridge tagged=VLANBridge,VLAN40 vlan-ids=40
add bridge=VLANBridge tagged=VLANBridge,VLAN50 vlan-ids=50
/interface ethernet switch vlan
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=\
    switch1 vlan-id=20
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=\
    switch1 vlan-id=30
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=\
    switch1 vlan-id=40
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=50
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.66.1/24 interface=VLAN1 network=192.168.66.0
add address=172.16.30.1/24 interface=VLAN30 network=172.16.30.0
add address=172.16.40.1/24 interface=VLAN40 network=172.16.40.0
add address=172.16.50.1/24 interface=VLAN50 network=172.16.50.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=172.16.30.0/24 dns-server=172.16.30.1,1.1.1.1,8.8.8.8 domain=\
    ***REDACTED*** gateway=172.16.30.1
add address=172.16.40.0/24 dns-server=172.16.40.1,1.1.1.1,8.8.8.8 domain=\
    ***REDACTED*** gateway=172.16.30.1
add address=172.16.50.0/24 dns-server=172.16.50.1,1.1.1.1,8.8.8.8 domain=\
    ***REDACTED*** gateway=172.16.30.1
add address=192.168.66.0/24 dns-server=192.168.66.1,1.1.1.1,8.8.8.8 domain=\
    ***REDACTED*** gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Madrid
/system logging
add prefix="[DHCP Event]" topics=dhcp
add topics=event
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
durango
just joined
Posts: 2
Joined: Mon Apr 19, 2021 8:29 pm

Re: Need help with VLAN Trunks

Mon Apr 19, 2021 8:51 pm

My gateway is 192.168.1.1/20 or 192.168.188.1/24.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with VLAN Trunks

Thu Apr 22, 2021 5:50 pm

@JBrinkZA First comment: WHY would you want a port between the CISCO and the MIKROTIK that is a hybrid port?
This makes ZERO sense to me. Just simply carry both over as vlans in a trunk port and then on the MIKROTIK you can deal out vlans as required.
Please explain the purpose of a hybrid port between two "SMART" devices (both acting as switches)?

@Durango, not sure where you get info but for bridge vlan filtering, this is the best guidance.
viewtopic.php?f=23&t=143620
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with VLAN Trunks

Thu Apr 22, 2021 6:16 pm

@Durango

(1) One bridge is required not Two.
(2) Use home vlan as management vlan or if you want a separate management vlan then use something like vlan99. However if you as the admin have your PCs always on the home vlan then simply use the homevlan and use firewall rules to limit access to the HEX within the homelan easy peasy.
(3) Never use vlan1 as anything other than the default vlan pvid for the Hex and the bridge.
(4) Lots of errors in your config misnaming and misnumbering vlan information.
(5) If you have issues with configuring the bridge and locking out, simply keep for the time being ONE PORT, let's say ether5, as its own complete interface using the 192.168.88.1/24 network.
In this way at any time you can still access the router for config purposes, bypassing the bridge, by simply attaching your laptop to etherport 5 and setting the laptop IP to 192.168.88.2 for example.
(6) You have identified vlans as bridge ports... vlans are not bridge ports!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with VLAN Trunks

Thu Apr 22, 2021 6:39 pm

Without a network diagram there is no information on what is on each etherport on the hEX.
/interface ethernet
set [ find default-name=ether1 ] 
set [ find default-name=ether2 ] 
set [ find default-name=ether3 ] 
set [ find default-name=ether4 ] 
set [ find default-name=ether5 ] name=emerg-access_eth5
set [ find default-name=sfp1 ]

/interface bridge
add name=one-bridge vlan-filtering=yes

/interface vlan
# every vlan interface needs its vlan-id, including the home/management one
add comment="home users" interface=one-bridge name=vlan10-home vlan-id=10
add comment="Telefonia" interface=one-bridge name=VLAN20 vlan-id=20
add comment="WIFI" interface=one-bridge name=VLAN30 vlan-id=30
add comment="Server" interface=one-bridge name=VLAN40 vlan-id=40
add comment="PC" interface=one-bridge name=VLAN50 vlan-id=50

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT

/interface list member
add comment=defconf interface=one-bridge list=LAN
add interface=emerg-access_eth5 list=LAN
add interface=vlan10-home list=MGMT
add interface=emerg-access_eth5 list=MGMT
add comment=defconf interface=ether1 list=WAN

/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server
# MAC telnet is not secure, so allow it on no interface at all
set allowed-interface-list=none

/ip pool
add name=dhcp_emerg ranges=172.16.88.10-172.16.88.254
add name=dhcp_VLAN10 ranges=172.16.10.20-172.16.10.254
add name=dhcp_VLAN20 ranges=172.16.20.20-172.16.20.254
add name=dhcp_VLAN30 ranges=172.16.30.20-172.16.30.254
add name=dhcp_vlan40 ranges=172.16.40.20-172.16.40.254
add name=dhcp_vlan50 ranges=172.16.50.20-172.16.50.254

/ip dhcp-server
add address-pool=dhcp_emerg interface=emerg-access_eth5 name=server-emerg
add address-pool=dhcp_VLAN10 disabled=no interface=vlan10-home name=vlan10-home
add address-pool=dhcp_VLAN20 disabled=no interface=VLAN20 name=vlan20
add address-pool=dhcp_VLAN30 disabled=no interface=VLAN30 name=vlan30
add address-pool=dhcp_vlan40 disabled=no interface=VLAN40 name=VLAN40
add address-pool=dhcp_vlan50 disabled=no interface=VLAN50 name=VLAN50

/ip dhcp-server network
add address=172.16.88.0/24 dns-server=172.16.88.1 gateway=172.16.88.1
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.20.1 gateway=172.16.20.1
add address=172.16.30.0/24 dns-server=172.16.30.1 gateway=172.16.30.1
add address=172.16.40.0/24 dns-server=172.16.40.1 gateway=172.16.40.1
add address=172.16.50.0/24 dns-server=172.16.50.1 gateway=172.16.50.1

/ip address
# each gateway address sits on the vlan interface of its own VLAN
add address=172.16.88.1/24 interface=emerg-access_eth5 network=172.16.88.0
add address=172.16.10.1/24 interface=vlan10-home network=172.16.10.0
add address=172.16.20.1/24 interface=VLAN20 network=172.16.20.0
add address=172.16.30.1/24 interface=VLAN30 network=172.16.30.0
add address=172.16.40.1/24 interface=VLAN40 network=172.16.40.0
add address=172.16.50.1/24 interface=VLAN50 network=172.16.50.0

/interface bridge port
# trunk ports to the smart devices accept tagged frames only; ether4 is the
# access port for the dumb device and classifies untagged frames to pvid XX
add bridge=one-bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=one-bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=one-bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=XX
add bridge=one-bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp1

/interface bridge vlan
add bridge=one-bridge tagged=one-bridge,ether2,ether3,sfp1 vlan-ids=10,20,30,40
add bridge=one-bridge untagged=ether4 vlan-ids=XX
...
NOTE: I assumed that all vlans go to smart devices (switches and access points that can read vlan tags) on etherports 2,3,sfp1 and one of the vlans is going to a dumb device on ether4.
