tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau

Config VLan and trunk between RB4011 router and CRS328 Switch (Running RouteOS)

Sat Apr 17, 2021 10:38 pm

Hi,

I would like to configure my network with an RB4011 router and a CRS328, as shown in the diagram below.

Image

I tried to apply the config below. However, the config doesn't work.

(Switch)

[admin@MikroTik] > /export
# jan/02/1970 01:15:00 by RouterOS 6.48.1
# software id = 801C-59LB
#
# model = CRS328-24P-4S+
# serial number = D7620CF6AE89
/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add interface=Bridge name=Vlan-PC vlan-id=10
add interface=Bridge name=Vlan-WiFi vlan-id=50
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=Bridge interface=sfp-sfpplus1
add bridge=Bridge interface=ether1 pvid=10
add bridge=Bridge interface=ether2 pvid=10
add bridge=Bridge interface=ether19 pvid=50
add bridge=Bridge interface=ether20 pvid=50
add bridge=Bridge interface=ether21 pvid=50
add bridge=Bridge interface=ether22 pvid=50
/interface bridge vlan
add bridge=Bridge tagged=sfp-sfpplus1 untagged=Bridge,ether1,ether2 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 untagged=Bridge,ether19,ether20,ether21,ether22,ether23 vlan-ids=50
/system routerboard settings
set boot-os=router-os
/system swos
set address-acquisition-mode=static allow-from-ports=\
p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28 \
identity=Switch static-ip-address=192.168.1.251


(Router)

[admin@MikroTik] > /export
# jan/02/1970 00:52:51 by RouterOS 6.48.2
# software id = MPYV-N028
#
# model = RB4011iGS+
# serial number = D4450C9894D9
/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add interface=Bridge name=Vlan-PC vlan-id=10
add interface=Bridge name=Vlan-WiFi vlan-id=50
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=Bridge interface=sfp-sfpplus1
/interface bridge vlan
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=50
/ip address
add address=192.168.10.254/24 interface=Vlan-PC network=192.168.10.0
add address=192.168.50.254/24 interface=Vlan-WiFi network=192.168.50.0
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Sun Apr 18, 2021 12:20 am

...did you see and read this: viewtopic.php?f=13&t=143620 ?
There is no exception from what is stated there from your setup...you'll want the router-on-a-stick scenario.
 
tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau


Sun Apr 18, 2021 1:55 am

I think my scenario is (Switch with a separate router).

I was trying to configure my switch using the commands from the provided switch configuration.
Once I enable vlan-filtering, I am no longer able to connect to the switch.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Sun Apr 18, 2021 2:40 am

I've not been through the configs in detail, but on the router
/interface bridge vlan
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=50

should be
/interface bridge vlan
add bridge=Bridge tagged=Bridge,sfp-sfpplus1 vlan-ids=10
add bridge=Bridge tagged=Bridge,sfp-sfpplus1 vlan-ids=50


Similarly on the switch the bridge port role should be included as a tagged VLAN member as required for management access to the switch - you do not need to have /interface vlan entries for every VLAN, only ones which are used for management access to the switch. There also do not appear to be any IP addresses attached to the VLANs for management access.
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Sun Apr 18, 2021 4:11 am

(1) You can improve the bridge ports
add bridge=Bridge interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=Bridge interface=ether1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=10
Repeat same for all access ports 2-22.

(2) The bridge must be tagged when bridge ports are heading towards other devices and to ensure the device itself (in this case a switch) can be assigned an IP from the main LAN or management VLAN. The bridge is not usually untagged, never seen it before. By the way, the router automatically assigns untagged ports based on the bridge settings of PVID. So technically you do not have to physically add them as we are doing below. However, I think it's good practice to do so as it makes it far easier to read and understand a config.

/interface bridge vlan
add bridge=Bridge tagged=Bridge,sfp-sfpplus1 untagged=ether1,ether2 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 untagged=ether19,ether20,ether21,ether22,ether23 vlan-ids=50

In the case above I do not know which VLAN contains the "MAIN" LAN or management VLAN, but whichever one that IS, 10 or 50, would need a tagged bridge. Since there are no smart devices on any of the other bridge ports, tagging the bridge is not required otherwise. There will always be one trunk port (uplink to router in this case) and it will carry the MAIN VLAN or management VLAN.

(3) TDW is correct on the router side. Since the trunk port is carrying tagged VLANs, the bridge must also be tagged.
What should be mentioned is the following.
a. any vlan-id that has a unique set of tagged and untagged bridge ports requires a separate line
b. vlan-ids that have a duplicate set of tagged and untagged bridge ports can be on the same line.

Thus the above can be configured like so.
/interface bridge vlan
add bridge=Bridge tagged=Bridge,sfp-sfpplus1 vlan-ids=10,50

(4), However since none of the other ports are identified and no WLANS are identified and the rest of the config is not available, there is no guarantee anything will work.
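
The two corrections made in the replies above (tdw's point that the bridge itself must be a tagged member of every VLAN that has an /interface vlan on it, and anav's point (1) about frame-types and ingress filtering on bridge ports) can be checked mechanically against an export. The following Python is an added example, not code from the thread or from MikroTik; the finding names are made up for illustration, and treating an absent ingress-filtering setting as "no" is an assumption that matches the RouterOS 6.48 exports in the first post. The sample input is the router's bridge and VLAN menus copied from that post.

```python
import re
from collections import defaultdict

# Router export from the first post, trimmed to the menus that matter here.
ROUTER_EXPORT = """\
/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add interface=Bridge name=Vlan-PC vlan-id=10
add interface=Bridge name=Vlan-WiFi vlan-id=50
/interface bridge port
add bridge=Bridge interface=sfp-sfpplus1
/interface bridge vlan
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=50
"""

# Same export with tdw's fix (bridge tagged) and anav's trunk-port settings applied.
FIXED_EXPORT = (
    ROUTER_EXPORT
    .replace("tagged=sfp-sfpplus1", "tagged=Bridge,sfp-sfpplus1")
    .replace(
        "add bridge=Bridge interface=sfp-sfpplus1",
        "add bridge=Bridge interface=sfp-sfpplus1 "
        "frame-types=admit-only-vlan-tagged ingress-filtering=yes",
    )
)


def parse_export(text):
    """Return {menu path: [properties of each 'add' line]} for an /export dump."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # join backslash-continued lines
    menus, menu = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = re.findall(r'([\w.-]+)=("[^"]*"|\S+)', line)
            menus[menu].append({k: v.strip('"') for k, v in pairs})
    return menus


def expand_ids(spec):
    """Expand a vlan-ids value such as '10,50' or '100-102' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit(text):
    """Return a list of (finding, object name, vlan id) tuples."""
    m = parse_export(text)
    filtering = {b["name"] for b in m["/interface bridge"]
                 if b.get("vlan-filtering") == "yes"}

    # (bridge, vlan id) -> tagged members listed in the bridge VLAN table
    tagged = defaultdict(set)
    for entry in m["/interface bridge vlan"]:
        members = {x for x in entry.get("tagged", "").split(",") if x}
        for vid in expand_ids(entry["vlan-ids"]):
            tagged[(entry["bridge"], vid)] |= members

    findings = []
    # A VLAN interface on a filtering bridge only sees traffic if the bridge
    # (the CPU port) is itself a tagged member of that VLAN.
    for v in m["/interface vlan"]:
        br, vid = v["interface"], int(v["vlan-id"])
        if br in filtering and br not in tagged[(br, vid)]:
            findings.append(("bridge-not-tagged", v["name"], vid))

    # Ports that accept any frame type, or skip ingress filtering, do not
    # enforce the VLAN table on received frames.
    for p in m["/interface bridge port"]:
        if p["bridge"] not in filtering:
            continue
        pvid = int(p.get("pvid", 1))
        if p.get("ingress-filtering", "no") != "yes":  # assumed v6 default
            findings.append(("no-ingress-filtering", p["interface"], pvid))
        if p.get("frame-types", "admit-all") == "admit-all":
            findings.append(("admit-all-frames", p["interface"], pvid))
    return findings


if __name__ == "__main__":
    for label, export in (("original", ROUTER_EXPORT), ("fixed", FIXED_EXPORT)):
        print(label, audit(export))
```
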
 
tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau


Sun Apr 18, 2021 11:31 pm

Hi Anav,

I didn't expect that I would need a management VLAN. However, after reading some articles, it seems it is a must.
Also, my network includes WLAN, and I still have no idea how to configure 2 VLANs for the guest and home WiFi networks.
I will give it a try first. If I cannot make it work, I hope you can give me some further help.

Thank you!

Best regards
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Mon Apr 19, 2021 1:05 am

The management vlan can simply be your home LAN, no need to create another one.
The way I look at it, the management lan is the one, you as the admin are on all the time.
I also recommend taking one router port and making it its own ethernet interface with small pool, dhcp etc, OFF the bridge as an emergency access to the router in case something gets frigged on the bridge. All one needs to do is plug their laptop into it and have access to the router.
Make the main vlan you are on AND the etherX-Emerg interface members of an interface called MGMT
So bridge list=LAN
So etherX-emerg list =LAN
So vlanmain=MGMT
So etherX-emerg=MGMT

That way making firewall rules is simple and quick.
Also make an adminaccess firewall address list (assuming statically fixed IPs, done on the router)
for admin desktop IP
for admin laptop IP
for admin smartphone IP
for admin emergX-IP

Therefore for input chain rules besides a few default rules........
add chain=input action=accept in-interface-list=MGMT src-address-list=adminaccess {ensure only the admin has full access to the router}
{will need DNS allow rules for TCP/UDP port 53}
and then a drop all else rule can be administered.

Therefore for forward chain rules, besides the first few default rules,
add chain=forward action=accept in-interface-list=MGMT out-interface=bridge src-address-list=adminaccess {gives admin access to all subnets}
add allow lan to wan traffic as appropriate
allow access to shared devices
allow port forwarding if required
drop all else.

As for WLANs on the router, WLANs are considered bridge ports, and since traffic will be untagged when it reaches the users, each gets a PVID setting.
Wireless settings do not include VLANs.
However, VLANs are tied to WLANs via the bridge port setting.

If you are connecting other wifi devices, MT wifi is similar per device (bridge setup etc) and other vendors have their own methods (assuming they are smart devices capable of handling tagged VLANs; if not, they are dummy devices capable of hosting one subnet (WLAN) only).
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Mon Apr 19, 2021 10:44 pm

Why use Bridge VLAN filtering on your router ?
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Mon Apr 19, 2021 10:58 pm

> Why use Bridge VLAN filtering on your router ?
A. because it works
B. because it's easy to implement.
C. because there is no letter z in Bridge Vlan filtering ;-P
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Mon Apr 19, 2021 11:05 pm

> Why use Bridge VLAN filtering on your router ?
> A. because it works
> B. because it's easy to implement.
> C. because there is no letter z in Bridge Vlan filtering ;-P
A. Without bridge VLAN filtering it would work as well... just using software VLANs (/interface vlan) would be enough... if there is only a trunk port on the router I don't see a reason as to why someone would enable bridge VLAN filtering..
B. It is easy indeed... but not necessary on this implementation...
C. Don't really understand this...
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Tue Apr 20, 2021 12:55 am

Ahh you were referring to the switch.
Well I am used to two methods,
SwOS or bridge vlan filtering, I know both well enough and both work,
If you have another method feel free to chime in.............
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Tue Apr 20, 2021 9:17 pm

No, I am referring to the router...
There are many examples, one is here https://wiki.mikrotik.com/wiki/Manual:C ... MAN_Router
If you take a look there, the Trunk port on the router is simply configured without any need of Bridge VLAN filtering or Switch configuration...Just software configuration of the VLANs...
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Tue Apr 20, 2021 10:19 pm

That link shows no such thing but does show a full up bridgeport and bridgevlan configuration, so what's your point?
In addition the example is missing the IP address assignments.

In summary, if you are using vlans, bridgeport is not necessary if it's one vlan per interface, but in this case vlans are not required.
As soon as you mix two or more subnets per interface, vlans and bridge ports are very useful.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Tue Apr 20, 2021 11:41 pm

The link shows exactly what I've posted earlier... if you look again under the CapsMAN router configuration there is no Bridge configuration at all...

Just the trunk port, ether1, configured with VLANs as a trunk port...

No, nothing is missing... check again...

I would setup a Router with Bridge Vlan filtering only if there was the need to act as a switch as well...
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Wed Apr 21, 2021 1:05 am

Ahh okay I kept reading to the next section.
Interesting but of no interest to me as I don't use capsman nor any of its functionality.
When and if I do (aka when hell freezes over) it would mean MT has useful WIFI products. :-)
Unless I have more than 3 wifi devices, I have no use for capsman as an extra layer of extra config hassles and CPU overhead.

One only has to peruse the wifi forum to realize that capsman is not straightforward to implement and gets folks all tripped up.
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Wed Apr 21, 2021 1:31 am

Yet another disadvantage of cAPsMAN is that if the host router goes down, every AP goes down with it (bad news if you have VRRP)
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Wed Apr 21, 2021 4:58 pm

> Interesting but of no interest to me as I don't use capsman nor any of its functionality.
> When and if I do (aka when hell freezes over) it would mean MT has useful WIFI products. :-)
> Unless I have more than 3 wifi devices, I have no use for capsman as an extra layer of extra config hassles and CPU overhead.
@anav... the VLAN implementation of the example is not CapsMAN dependent...
I honestly do not understand how you made this conclusion...

It is a VLAN implementation simply on a CapsMAN configuration... it could be anything else...
You could setup a Router with ether1 as Trunk Port or the SFP as Trunk port, you choose, and connect it on the Trunk port of a Switch that has Bridge VLAN Filtering... it will work just perfectly...!

Another example of InterVLAN Routing: https://wiki.mikrotik.com/wiki/Manual:I ... AN_routing
All VLANs are configured on ether1.. You set IP Addresses on the VLANs, DHCP etc and you are done...
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Wed Apr 21, 2021 5:16 pm

all more simple like (not tested, written from memory):

on RB4011iGS+
/interface vlan
add interface=sfp-sfpplus1 name=vlan-10 vlan-id=10
add interface=sfp-sfpplus1 name=vlan-50 vlan-id=50
/ip address
add address=192.168.10.254/24 interface=vlan-10 network=192.168.10.0
add address=192.168.50.254/24 interface=vlan-50 network=192.168.50.0

and on CRS328-24P-4S+
/interface vlan
add interface=sfp-sfpplus1 name=vlan-10 vlan-id=10
add interface=sfp-sfpplus1 name=vlan-50 vlan-id=50
/int bri
add name=bri-vlan-10
add name=bri-vlan-50
/int bri port
add interface=ether1 bridge=bri-vlan-10
add interface=ether2 bridge=bri-vlan-10
add interface=ether19 bridge=bri-vlan-50
add interface=ether20 bridge=bri-vlan-50
add interface=ether21 bridge=bri-vlan-50
add interface=ether22 bridge=bri-vlan-50
/ip address
add address=192.168.10.253/24 interface=bri-vlan-10 network=192.168.10.0
add address=192.168.50.253/24 interface=bri-vlan-50 network=192.168.50.0
 
tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau


Wed Apr 21, 2021 8:06 pm

Hi Rextended,

Thanks!

Does this configuration rely on the switch CPU rather than the switch chip?
I have read many articles that said it is preferred to use bridge VLAN filtering to set up VLANs.
BTW, to me, MikroTik is very, very complicated. To set up a VLAN and trunk, it looks to me like there are 3 options.
1. Setup in switch tab
2. Setup in Bridge
3. Setup in Interface tab

Hope someone can explain the difference.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Wed Apr 21, 2021 8:33 pm

If the device has hardware support, vlan switch is better, but if one of your devices is a 4011, compared with the CRS328, the 4011 "switch" is useless.

The key is how much traffic you need to be inspected from the 4011...

If more than 200Mbit/s, it is better you use the switch chip; I do not have any 4011 to test, and I do not know its switch chip.
If lower, really if you use cpu or switch chip does not matter...

If the hardware supports that, the configuration on interface is applied from routeros with internal switching/fastpath if other parts of the configuration on the devices block that (like firewall activated on bridge)

If you do not disable hardware offload, it is used automatically...
 
tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau


Wed Apr 21, 2021 9:16 pm

Hi Rextended,

Thanks for the explanation.

I would like to achieve the best performance with the correct setup.

Below is the actual schematic of how I want my network to be set up.

Image

Also, I didn't mention previously that I have CAPsMAN on the router and that I want two VLANs for the Home and Guest WLAN networks.

Would you please guide me how to achieve this?

Thanks a lot!
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Wed Apr 21, 2021 10:18 pm

> Does this configuration rely on the switch CPU rather than the switch chip?
> I have read many articles that said it is preferred to use bridge VLAN filtering to set up VLANs.
> BTW, to me, MikroTik is very, very complicated. To set up a VLAN and trunk, it looks to me like there are 3 options.
> 1. Setup in switch tab
> 2. Setup in Bridge
> 3. Setup in Interface tab
>
> Hope someone can explain the difference.
The suggestion to use multiple bridges on a CRS3xx is bad, only one of them will use hardware switching. The CRS3xx devices are the only Mikrotiks which combine VLAN-aware bridging with hardware offload - there is no separate switch menu. Your initial switch config was almost correct, other than the omissions pointed out.
 
tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau


Thu Apr 22, 2021 4:55 am

I read the tutorial below.

https://wiki.mikrotik.com/wiki/Manual:C ... MAN_Router

I finally got a VLAN working for the PCs. My PCs can get an IP address from the router's DHCP server.
However, the WiFi VLANs are still completely not working. The CAPs are unable to obtain an IP address from the router.
Hope someone can help me to look at the configurations below to troubleshoot what was going wrong.

Thank you!

Below is the updated network diagram.

Image

Below is the Router Configuration

/interface vlan
add interface=sfp-sfpplus1 name=VLAN_PC vlan-id=10
add interface=sfp-sfpplus1 name=VLAN_WiFi_Guest vlan-id=60
add interface=sfp-sfpplus1 name=VLAN_WiFi_Home vlan-id=50

/caps-man security
add authentication-types=wpa-psk,wpa2-psk name=security_Home passphrase=\
xxxxxxxx
add authentication-types=wpa-psk,wpa2-psk name=security_Guest passphrase=\
xxxxxxxx

/caps-man configuration
add country=macau datapath.local-forwarding=yes datapath.vlan-id=50 \
datapath.vlan-mode=use-tag name=Config_Home security=security_Home \
security.authentication-types="" ssid=Home
add country=macau datapath.local-forwarding=yes datapath.vlan-id=60 \
datapath.vlan-mode=use-tag name=Config_Guest security=security_Guest \
security.authentication-types="" ssid=Guest


/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool_WiFi_Home ranges=192.168.50.10-192.168.50.250
add name=dhcp_pool_WiFi_Guest ranges=192.168.60.10-192.168.60.250
add name=dhcp_pool_PC ranges=192.168.10.10-192.168.10.200

/ip dhcp-server
add address-pool=dhcp_pool_WiFi_Home disabled=no interface=VLAN_WiFi_Home \
name=dhcp_WiFi_Home
add address-pool=dhcp_pool_WiFi_Guest disabled=no interface=VLAN_WiFi_Guest \
name=dhcp_WiFi_Guest
add address-pool=dhcp_pool_PC disabled=no interface=VLAN_PC name=dhcp_PC

/caps-man manager
set enabled=yes upgrade-policy=require-same-version

/caps-man manager interface
set [ find default=yes ] forbid=yes

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_Home \
slave-configurations=Config_Guest

/ip address
add address=192.168.50.254/24 interface=VLAN_WiFi_Home network=192.168.50.0
add address=192.168.60.254/24 interface=VLAN_WiFi_Guest network=192.168.60.0
add address=192.168.10.254/24 interface=VLAN_PC network=192.168.10.0

/ip dhcp-client
add disabled=no interface=ether1

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254
add address=192.168.50.0/24 dns-server=8.8.8.8 gateway=192.168.50.254
add address=192.168.60.0/24 dns-server=8.8.8.8 gateway=192.168.60.254

/ip firewall nat
add action=masquerade chain=srcnat

/system identity
set name=Router

Below is the Switch Configuration

/interface bridge
add name=Bridge

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge port
add bridge=Bridge interface=sfp-sfpplus1
add bridge=Bridge interface=ether19
add bridge=Bridge interface=ether20
add bridge=Bridge interface=ether21
add bridge=Bridge interface=ether22
add bridge=Bridge interface=ether1 pvid=10
add bridge=Bridge interface=ether2 pvid=10

/interface bridge vlan
add bridge=Bridge tagged=sfp-sfpplus1,ether19,ether20,ether21,ether22 \
vlan-ids=50
add bridge=Bridge tagged=sfp-sfpplus1,ether19,ether20,ether21,ether22 \
vlan-ids=60
add bridge=Bridge tagged=sfp-sfpplus1 untagged=ether1,ether2 vlan-ids=10

/system identity
set name=Switch

/system routerboard settings
set boot-os=router-os

/system swos
set address-acquisition-mode=static allow-from-ports="p1,p2,p3,p4,p5,p6,p7,p8,\
p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27\
,p28" identity=Switch static-ip-address=192.168.1.251
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Thu Apr 22, 2021 3:58 pm

This is a farce.
Your setup could be configured and working in 5 minutes using straight forward bridge vlan bridge filtering as you are using ROS and phuck capsman.
Not only that your config which is not your config but what you mistakenly think is only the parts we need to see to discern magically if there are issues with your config, which unlike the diagram seems to miss the fact that there is a vlan20.

The Router
/interface vlan
add interface=onebridge name=VLAN_PC vlan-id=10
add interface=onebridge name=VLAN_CCTV vlan-id=20
add interface=onebridge name=VLAN_WiFi_Home vlan-id=50
add interface=onebridge name=VLAN_WiFi_Guest vlan-id=60
/ip pool
add name=dhcp_pool_WiFi_Home ranges=192.168.50.10-192.168.50.250
add name=dhcp_pool_WiFi_Guest ranges=192.168.60.10-192.168.60.250
add name=dhcp_pool_PC ranges=192.168.10.10-192.168.10.200
add name=dhcp_pool_CCTV ranges=192.168.20.10-192.168.20.200
/ip dhcp-server
add address-pool=dhcp_pool_WiFi_Home disabled=no interface=VLAN_WiFi_Home \
name=dhcp_WiFi_Home
add address-pool=dhcp_pool_WiFi_Guest disabled=no interface=VLAN_WiFi_Guest \
name=dhcp_WiFi_Guest
add address-pool=dhcp_pool_PC disabled=no interface=VLAN_PC \
name=dhcp_PC
add address-pool=dhcp_pool_CCTV disabled=no interface=VLAN_CCTV \
name=dhcp_CCTV
/ip address
add address=192.168.50.254/24 interface=VLAN_WiFi_Home network=192.168.50.0
add address=192.168.60.254/24 interface=VLAN_WiFi_Guest network=192.168.60.0
add address=192.168.10.254/24 interface=VLAN_PC network=192.168.10.0
add address=192.168.20.254/24 interface=VLAN_CCTV network=192.168.20.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.254
add address=192.168.50.0/24 dns-server=8.8.8.8 gateway=192.168.50.254
add address=192.168.60.0/24 dns-server=8.8.8.8 gateway=192.168.60.254
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/interface bridge port
add bridge=onebridge interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=onebridge tagged=onebridge,sfp-sfpplus1 vlan-ids=10,20,50,60
DONE!!!
...
...
The Switch
/interface vlan
add interface=bridgeSW name=VLAN_PC vlan-id=10
add interface=bridgeSW name=VLAN_CCTV vlan-id=20
add interface=bridgeSW name=VLAN_WiFi_Home vlan-id=50
add interface=bridgeSW name=VLAN_WiFi_Guest vlan-id=60
/interface bridge port
add bridge=bridgeSW interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridgeSW interface=ether1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=10
add bridge=bridgeSW interface=ether2 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=10
add bridge=bridgeSW interface=ether3 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=10
add bridge=bridgeSW interface=ether4 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=10
add bridge=bridgeSW interface=ether5 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=10
add bridge=bridgeSW interface=ether6 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=10
add bridge=bridgeSW interface=ether7 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=20
add bridge=bridgeSW interface=ether8 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=20
add bridge=bridgeSW interface=ether9 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=20
add bridge=bridgeSW interface=ether10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=20
add bridge=bridgeSW interface=ether11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=20
add bridge=bridgeSW interface=ether12 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=20
add bridge=bridgeSW interface=ether19 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridgeSW interface=ether20 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridgeSW interface=ether21 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridgeSW interface=ether22 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridgeSW interface=ether23 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridgeSW interface=ether24 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridgeSW tagged=bridgeSW,sfpplus1,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=10,50,60
add bridge=bridgeSW untagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=10
add bridge=bridgeSW untagged=ether7,ether8,ether9,ether10,ether11,ether12 vlan-ids=20
....
NOTE1: The reason eth19-24 do not have their own separate line for vlans 50,60 is because I added vlan10 to all the CAPACs 
as I am expecting that you are using vlan10 as the home AND Management VLAN. 
In the sense that you as the admin will be on the homelan and through firewall rules and router rules will be managing the router
and devices.  Thus we need to port vlan10 to the capacs to ensure that they get IP addresses on the vlan10 subnet.
NOTE2: It is not necessary in the bridge vlan interface rules to explicitly state the untagged ports, but I like to do it to match 
up my bridge port config visually!  In other words, your bridge vlan filtering rules could consist of only the one rule as the ROS
will dynamically add the untagged rule when required (active).
 ...
/interface bridge vlan
add bridge=bridgeSW tagged=bridgeSW,sfpplus1,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=10,50,60
DONE!
...
...
SAMPLE CAPAC
/interface vlan
add interface=bridgecap1 name=VLAN_PC vlan-id=10
add interface=bridgecap1 name=VLAN_WiFi_Home vlan-id=50
add interface=bridgecap1 name=VLAN_WiFi_Guest vlan-id=60
/interface bridge port
add bridge=bridgecap1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridgecap1 interface=WLAN-HOME frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes pvid=50
add bridge=bridgecap1 interface=WLAN-GUESTS frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes pvid=60
/interface bridge vlan
# to assign capac an IP on vlan10 and make it accessible for admin access
add bridge=bridgecap1 tagged=bridgecap1,ether1 vlan-ids=10
add bridge=bridgecap1 untagged=WLAN-HOME vlan-ids=50
add bridge=bridgecap1 untagged=WLAN-GUESTS vlan-ids=60
...
NOTE1: As previously, you don't need to spell out the bridge vlan untagged interfaces, as that is done dynamically by the router, but I prefer to see the mapping. It could be done with only the one line:
/interface bridge vlan
add bridge=bridgecap1 tagged=bridgecap1,ether1 vlan-ids=10
..
...
FINALLY I recommend for future access to the CAPACs that you keep ether2 on the capacs as its own interface and subnet (192.168.88.1/24).
The reason for this is that if you have any issues with capsman or the bridge settings in the future ALL you need to do is plug your laptop into ether2 (using 192.168.88.2 for example)
and be able to reach the capac for configuration change purposes.

There are some other tidbits required but that's most of it in a nutshell. VLAN10 is your management type vlan.
Last edited by anav on Thu Apr 22, 2021 10:22 pm, edited 1 time in total.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Config VLan and trunk between RB4011 router and CRS328 Switch (Running RouteOS)

Thu Apr 22, 2021 8:32 pm

Nice to see that you do not use Bridge Vlan Filtering since it was not a must for your Vlan implementation... ( on the Router's side )

As far as the switch is concerned, did you setup a management Vlan for your Switch?
Under /interface Vlan configure your management Vlan for the Bridge interface...

Then I would do the same for the Caps APs...
Create a Vlan interface and set an IP address on that Vlan... Vlan id same as your Management's Vlan id...

Finally, on your Switch you must add the Bridge as Tagged member for the Management Vlan...

Also, don't forget that with local forwarding you must add the Bridge interface under wireless cap menu so that the Wireless interface will be automatically added in the Bridge with the configured Pvid on the Capsman side...
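
The management-VLAN steps listed in the post above, as an added example for the switch (not part of the original post and not any participant's config). It assumes a bridge named bridgeSW with no existing VLAN 10 entry, a trunk port sfp-sfpplus1 and VLAN 10 as the management VLAN; the interface name VLAN_MGMT, the list name MGMT and the 192.168.10.0/24 addresses are constructed.

```routeros
# Added example (RouterOS v6 syntax); names and addresses are assumptions.
# Apply it from a connection that does not depend on the bridge, and turn
# vlan-filtering on last, so a mistake in the VLAN table does not lock you out.

# 1. The bridge itself must be a tagged member of the management VLAN,
#    otherwise the CPU never receives VLAN 10 frames arriving on the trunk.
/interface bridge vlan
add bridge=bridgeSW tagged=bridgeSW,sfp-sfpplus1 vlan-ids=10

# 2. VLAN interface on the bridge, carrying the switch's management address.
/interface vlan
add interface=bridgeSW name=VLAN_MGMT vlan-id=10
/ip address
add address=192.168.10.2/24 interface=VLAN_MGMT
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1

# 3. Limit discovery, MAC access and IP services to the management VLAN.
#    After this step MAC-WinBox/MAC-Telnet no longer answer on other ports.
/interface list
add name=MGMT
/interface list member
add interface=VLAN_MGMT list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip service
set winbox address=192.168.10.0/24
set ssh address=192.168.10.0/24

# 4. Enable filtering only once the table above is in place, then check that
#    bridgeSW shows up as a current tagged member of VLAN 10.
/interface bridge
set bridgeSW vlan-filtering=yes
/interface bridge vlan
print
```

On a CAP the same steps apply with its own bridge and uplink port in place of bridgeSW and sfp-sfpplus1, and a different address in the management subnet.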
 
tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau

Re: Config VLan and trunk between RB4011 router and CRS328 Switch (Running RouteOS)

Sat Apr 24, 2021 5:51 am

> Nice to see that you do not use Bridge Vlan Filtering since it was not a must for your Vlan implementation... ( on the Router's side )
>
> As far as the switch is concerned, did you setup a management Vlan for your Switch?
> Under /interface Vlan configure your management Vlan for the Bridge interface...
>
> Then I would do the same for the Caps APs...
> Create a Vlan interface and set an IP address on that Vlan... Vlan id same as your Management's Vlan id...
>
> Finally, on your Switch you must add the Bridge as Tagged member for the Management Vlan...
>
> Also, don't forget that with local forwarding you must add the Bridge interface under wireless cap menu so that the Wireless interface will be automatically added in the Bridge with the configured Pvid on the Capsman side...

Hi Zacharias,

I still don't have any idea how to configure the Management vlan.
I will look into it this afternoon.
I would also appreciate it if someone could provide some useful articles about how to configure it.

Thank you!
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Config VLan and trunk between RB4011 router and CRS328 Switch (Running RouteOS)

Sat Apr 24, 2021 10:02 am

Just a simple search will provide you with many examples on the wiki on how to do that...
Like the one here: https://wiki.mikrotik.com/wiki/Manual:B ... _switching where Vlan 99 is the management VLAN...
