VLAN help

romanboy · Sat Mar 14, 2020 9:26 pm

Hello all,

I've been racking my brains all day with this.
I have a RB750Gr3, running firmware 6.46.2, and I'd like to do VLANs with it.

I found this post viewtopic.php?t=138065, which is useful.
Here's my setup:

HomeNetwork.png

I'd like to have the following setup on the mikrotik router:

eth1 Trunk to Cisco router

eth2 Access VLAN 2 (work laptop)

eth3 Access VLAN 1 (PC)

eth4 Access VLAN 1 (Wi-Fi Disc)

eth5 Access VLAN 1 (TV box)

Here's the setup I have in mind for the Cisco:

eth1: Trunk to Mikrotik router

eth2: Access VLAN 2 (router 2)

eth3: Access VLAN 1 (router 1)

eth4: Access VLAN 1 (Home Server)

Is the following conf correct on the MikroTik?

/interface bridge port
add bridge=bridge interface=ether1 pvid=10
add bridge=bridge interface=ether2 pvid=20
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10

/interface bridge vlan
add vlan-ids=10 tagged=bridge untagged=ether1
add vlan-ids=20 tagged=bridge untagged=ether2,ether3,ether4,


/interface vlan
add name=vlan10 vlan-id=10 interface=bridge
add name=vlan20 vlan-id=20 interface=bridge


/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20


/interface bridge set bridge vlan-filtering=yes

Many thanks for reading and for your help!

mkx · Sun Mar 15, 2020 12:35 pm

Suggest you have a look at this fine tutorial.

Suggest you to run tagged-only on trunk between Cisco and MT (no pvid setting there). You need to set ether1 (trunk) as tagged member of both VLANs.

sid5632 · Sun Mar 15, 2020 2:21 pm

Your description and config. don't match the diagram for Wi-Fi Disc.
It would be useful if you referred to VLAN10 and VLAN20 instead of VLAN1 and VLAN2.

/interface bridge vlan
add vlan-ids=10 tagged=bridge,ether1
add vlan-ids=20 tagged=bridge,ether1

You don't need to specify the untagged ones - they get created dynamically by virtue of their PVID.

romanboy · Sun Mar 15, 2020 5:33 pm

mkx,

Suggest you have a look at this fine tutorial.

Suggest you to run tagged-only on trunk between Cisco and MT (no pvid setting there). You need to set ether1 (trunk) as tagged member of both VLANs.

I saw that, was reading through it, thank you. The first configuration file takes out IP services like I asked about lower down. (I wrote this reply last.) And it has some extra things I've not thought about, such as the penultimate switch settings

Ensure only visibility and availability from BASE_VLAN, the MGMT network

. I'll dig through the sample switch config and probably use most of it to be honest.

I guess one thing I just thought about is having 3 trunks on the downstairs switch... There's no need really, since the individual routers aren't connected together, and realistically I'm not doing any level 3 traffic across the VLANs. My main aim is to have two networks using one switch, as it's split across two floors.
I think having it this way, with the router connections to the downstairs switch being on VLANs as well give me the ability to change routers around and then isolate the work laptop from wifi traffic, as the WiFi disc only works on Router 2, as it's a slightly different model to Router 1.

sid5632,

Your description and config. don't match the diagram for Wi-Fi Disc.
It would be useful if you referred to VLAN10 and VLAN20 instead of VLAN1 and VLAN2.

/interface bridge vlan
add vlan-ids=10 tagged=bridge,ether1
add vlan-ids=20 tagged=bridge,ether1

You don't need to specify the untagged ones - they get created dynamically by virtue of their PVID.

Yes, Wi-Fi Disc config is incorrect, the diagram is correct. I will edit the config as such. Also, I'll change PVIDs to VLAN10, 20.

I just realised that since Router 1 and 2 are providing DHCP services, do I still need to give out IP addresses? I don't think that i do.

So here's my edited config. I realise I'll work on it some more and post my config if anyone else in a weird similar situation as me.


/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 pvid=20
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=20
add bridge=bridge interface=ether5 pvid=10

/interface bridge vlan
add vlan-ids=10 tagged=bridge,ether1
add vlan-ids=20 tagged=bridge,ether1


/interface vlan
add name=vlan10 vlan-id=10 interface=bridge
add name=vlan20 vlan-id=20 interface=bridge

/interface bridge set bridge vlan-filtering=yes

anav · Sun Mar 15, 2020 10:42 pm

A few points.......

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 pvid=20
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=20
add bridge=bridge interface=ether5 pvid=10
/interface bridge vlan
add vlan-ids=10 tagged=bridge,ether1
add vlan-ids=20 tagged=bridge,ether1
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge
add name=vlan20 vlan-id=20 interface=bridge
/interface bridge set bridge vlan-filtering=yes

Better specificity for vlan security practices
/interface bridge port
add bridge=bridge interface=ether1 ingress-filtering=yes
add bridge=bridge interface=ether2 pvid=20 frame-types=\
admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=10 frame-types=\
admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=20 frame-types=\
admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=10 frame-types=\
admit-only-untagged-and-priority-tagged

This did not see right so changed to......
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether3,ether5 vlan-ids=10
add bridge=bridge untagged=ether2,ether4 vlan-ids=20

VLAN help

VLAN help

Re: VLAN help

Re: VLAN help

Re: VLAN help

Re: VLAN help

Who is online