alexandersandetsky
just joined
Topic Author
Posts: 4
Joined: Wed Mar 27, 2019 8:24 pm
Location: Volgograd, Russian Federation

CCR1036 + Bonding + VLAN - cannot find correct way to configure

Tue Oct 08, 2019 11:43 am

Hello,
I'm a newbie with MikroTik and do not know some specific tricks. Please advise me.

I have a MikroTik CCR1036. I have bonded interfaces ether5-ether8 with bond name UPLINK (to some upstream router) and sfp1+sfp2 as DOWNLINK (to my LAN).
The uplink interface has a white public IP and is accessible from the Internet.

Now I want to separate LAN data traffic and management-only traffic.
I have created two VLANs in interfaces. (VLAN_MGMT - VLAN ID: 100, ip: 10.10.0.242/24, VLAN_DATA - VLAN ID 4000, ip 10.250.1.1/24)
All works as expected - I can use the UPLINK, DOWNLINK and VLAN_XXX interfaces in firewall rules etc.

But...
I am stuck at the next point.
As per my understanding (from the MikroTik Wiki) - I need a bridge for VLAN filtering.
I have created bridge1 and added ports UPLINK and DOWNLINK to the bridge.
And now I cannot work with the firewall, because only bridge1 is allowed as input and output interface in firewall rules, since UPLINK and DOWNLINK are slaves.

Where am I going wrong?
 
xvo
Member
Posts: 420
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: CCR1036 + Bonding + VLAN - cannot find correct way to configure

Tue Oct 08, 2019 11:56 am

A bridge is essentially a software switch, and you don't need a switch between your UPLINK and DOWNLINK.
So remove UPLINK from the bridge, so that it contains only one interface - DOWNLINK.
Then all the vlans have to be created on the bridge as a parent.
And after that you can use UPLINK and VLAN-XXX in firewall.

That said, you don't really need the bridge at all if you are not planning to use other ports for your vlans.
The configuration where two vlans are created on top of the DOWNLINK bonding interface should work as well.
 
alexandersandetsky
just joined
Topic Author
Posts: 4
Joined: Wed Mar 27, 2019 8:24 pm
Location: Volgograd, Russian Federation

Re: CCR1036 + Bonding + VLAN - cannot find correct way to configure

Tue Oct 08, 2019 12:11 pm

Thank you
> That said, you don't really need the bridge at all if you are not planning to use other ports for your vlans.
> The configuration where two vlans are created on top of the DOWNLINK bonding interface should work as well.
Can you say in short what is the benefit of using bridge? It's used in every Mikrotik example config.
 
xvo
Member
Posts: 420
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: CCR1036 + Bonding + VLAN - cannot find correct way to configure

Tue Oct 08, 2019 12:45 pm

The reason it is used in most example configs is the simple fact that in most typical scenarios you need some of the ports switched or bridged together to have L2 connectivity between the ports.
That is not the case when you use only one interface for uplink, one for downlink, and the device is used as router+firewall+nat between these two ports, meaning purely L3.

In your scenario the only benefit of using the bridge anyway is the ease of reconfiguring the router if at some point in the future you decide to add, for example, eth1 and eth2 to your LAN.
 
alexandersandetsky
just joined
Topic Author
Posts: 4
Joined: Wed Mar 27, 2019 8:24 pm
Location: Volgograd, Russian Federation

Re: CCR1036 + Bonding + VLAN - cannot find correct way to configure

Tue Oct 08, 2019 1:09 pm

> That said, you don't really need the bridge at all if you are not planning to use other ports for your vlans.
> The configuration where two vlans are created on top of the DOWNLINK bonding interface should work as well.
One more question.
How can I transfer the Mgmt VLAN through the Mikrotik?

My network looks like this:
Image
Do I need any additional configuration on Mikrotik 2 (bridges, for example) if I want to access Mikrotik 1 through the same Mgmt VLAN? In other words, the UPLINK interface must be hybrid, where tagged traffic is mgmt and untagged is data (not the same data as Mikrotik2-to-LAN).

PS: for your reference and better understanding of the scheme - a.b.c.d/24 is my public IP pool, Mikrotik 1 serves BGP and passes all traffic to Mikrotik 2. Mikrotik 2 serves firewall, NAT, etc.
 
xvo
Member
Posts: 420
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: CCR1036 + Bonding + VLAN - cannot find correct way to configure

Tue Oct 08, 2019 1:54 pm

I guess both blue and orange arrows need to run on one logical link between the two routers?
In that case on Mikrotik 2 you will need to:
- bridge upper and lower interfaces.
- create 3 vlan interfaces on that bridge (for wan, lan and management) + for each one an ip configuration.
- configure (in bridge menu) "upper" port to carry wan and management vlans tagged.
- configure (in bridge menu) "lower" port to carry lan and management vlans tagged.
- use all 3 vlan interfaces for firewall/nat logic.
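
The steps above written out as RouterOS commands, as an added example that is not part of the original post. It assumes the UPLINK and DOWNLINK bonds already exist; the WAN VLAN ID 200, the name VLAN_WAN and the address 192.0.2.2/24 are placeholders that do not come from the thread, and the input rules at the end are one possible way to keep router management on VLAN 100.

```routeros
# Added example for Mikrotik 2. VLAN 100 and 4000 and their addresses are from the thread;
# VLAN 200 / VLAN_WAN / 192.0.2.2/24 are placeholders (assumptions).
/interface bridge
# Create the bridge with filtering off so the session is not cut while configuring.
add name=bridge1 vlan-filtering=no

/interface bridge port
# Both bonds are trunks: admit only tagged frames and check them against the VLAN table.
add bridge=bridge1 interface=UPLINK frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=DOWNLINK frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
# bridge1 itself is a tagged member wherever the router needs an L3 interface in the VLAN.
# "Upper" port carries WAN + management, "lower" port carries LAN + management.
add bridge=bridge1 vlan-ids=100 tagged=bridge1,UPLINK,DOWNLINK
add bridge=bridge1 vlan-ids=200 tagged=bridge1,UPLINK
add bridge=bridge1 vlan-ids=4000 tagged=bridge1,DOWNLINK

/interface vlan
# VLAN interfaces sit on the bridge, not on the bonds (bonds are bridge slaves).
add name=VLAN_MGMT interface=bridge1 vlan-id=100
add name=VLAN_WAN interface=bridge1 vlan-id=200
add name=VLAN_DATA interface=bridge1 vlan-id=4000

/ip address
add address=10.10.0.242/24 interface=VLAN_MGMT
add address=192.0.2.2/24 interface=VLAN_WAN
add address=10.250.1.1/24 interface=VLAN_DATA

/ip firewall filter
# Firewall logic references the VLAN interfaces, never bridge1 or the bonds.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=VLAN_MGMT action=accept comment="router management only from VLAN 100"
# Services the router itself offers to other VLANs need their own accept rules above this drop.
add chain=input action=drop comment="no other access to the router itself"

# Enable filtering last, from a session that survives it (VLAN_MGMT or console).
/interface bridge set bridge1 vlan-filtering=yes
```

Because VLAN 200 is tagged only on UPLINK and VLAN 4000 only on DOWNLINK, WAN and LAN traffic can cross the router only through routing and the firewall; VLAN 100 is the only one bridged between the two bonds, which is what lets Mikrotik 1 be reached over the same management VLAN.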
 
alexandersandetsky
just joined
Topic Author
Posts: 4
Joined: Wed Mar 27, 2019 8:24 pm
Location: Volgograd, Russian Federation

Re: CCR1036 + Bonding + VLAN - cannot find correct way to configure

Tue Oct 08, 2019 2:24 pm

Sorry for my "stupidity" )))
It's really hard to understand the "right" logic and the right hierarchy.

I guess that in my case it is: physical interfaces -> bonding -> bridge -> vlan(-s) on top of bridge
Previously I tried to create VLANs on top of bonding and it did not work as expected.

Mikrotik gives us a lot of features but it also gives a lot of ways to configure, and only a small portion of configs are good.))


Thank you very much for consulting
 
xvo
Member
Posts: 420
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: CCR1036 + Bonding + VLAN - cannot find correct way to configure

Tue Oct 08, 2019 2:31 pm

> I guess that in my case it is: physical interfaces -> bonding -> bridge -> vlan(-s) on top of bridge
Yes, that's correct.

You are welcome :)
