 
terraformer
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Dec 16, 2016 2:06 am

Advice on how to set up separate bridge for router, port and virtual machine(s)

Thu Sep 22, 2022 8:19 pm

Hi, I've the following hardware setup:
Router (192.168.1.1 with DHCP) <> Ether1 of MikroTik RB4011 (v6.48.3) <> LAN-Clients (Eth2: IP-phone, Eth3: Debian server with Virtual Machine running Asterisk)

I've read https://help.mikrotik.com/docs/display/ ... VLAN+Table and tried to adapt it.

1. I should create a bridge for the router and the IP-phone, adding dhcp-client for MikroTik at bridge_wan (no pvid?):
/interface bridge
add name=bridge_wan
/interface bridge port
add bridge=bridge_wan comment=defconf interface=ether2
add bridge=bridge_wan comment=defconf interface=ether1

/ip dhcp-client
add disabled=no interface=bridge_wan use-peer-dns=no
With this configuration, the IP-phone and the MikroTik should get an IP address (192.168.1.x) from the router.
But how do I add the virtual server? Since I want to add the Asterisk server, which is a virtual machine, I came up with the idea to add a VLAN tagged virtual adapter "ens3.111" (VLAN ID 111).
2. Hence, I guess, I need to add a VLAN to bridge_wan, for example with ID 111.
3. Since the router and the IP-phone do not send VLAN-tags, I'll add ether1 and ether2 as untagged and vlan_wan as tagged?
/interface vlan
add interface=bridge_wan name=vlan_wan vlan-id=111

/interface bridge vlan
add bridge=bridge_wan tagged=vlan_wan untagged=ether1,ether2 vlan-ids=111
Not sure if I have to add bridge_wan. If so, as tagged or untagged?

4. Last but not least, I have to activate VLAN Filtering
/interface bridge set bridge_wan vlan-filtering=yes
Result: MikroTik, IP-phone and the Asterisk virtual server get an IP address from range 192.168.1.0/24.

This should be it, right? I've read some tutorial where ether1 and ether2 had pvid assigned but I think there is no need for in my scenario.

Hopefully, someone can verify or comment on my idea. If all correct, I will implement it.
Thanks in advance.

Side note: For unknown reasons, not all of the VoIP providers configured on my Asterisk server are accessible through the MikroTik router. Hence, I came up with the outlined idea.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)

Thu Sep 22, 2022 8:44 pm

You really have a convoluted explanation that is not helpful.
a. Suggest you provide a network diagram
b. Full config of MT devices /export (minus serial numbers, any public ISP IPs etc.)


Is your first router a MikroTik and, if so, what's its purpose? In other words, why not connect the RB4011 to the ISP modem?
Do you get a public IP from the ISP? What kind of connection is it?

For VLANs, read Para C. The first link provided gives one a sense of the work involved.
viewtopic.php?t=182373
 
terraformer
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Dec 16, 2016 2:06 am

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)

Thu Sep 22, 2022 9:38 pm

Thank you for your quick response and the link. I'm sorry that you find my post convoluted. I tried to be as specific as possible and to provide all necessary information as well as leaving all things aside that do not affect the idea.
Unfortunately, your reply left me confused. To speak metaphorically, I thought I asked if it is correct to jack up the car and use the wheel wrench to change my tire. But you start to ask me how much horsepower my car has and where I bought it. That said, I really do not see where your questions about my ISP lead to. What are you trying to "fix" here that does not need to be fixed? How could the kind of internet connection and public IP affect the (local) DHCP-server on the router modem in the context of my outlined idea? And, no, the router-modem is not a MikroTik and its purpose is to connect to the ISP. I cannot change the components that are installed here.

Trying to understand why you did not understand my first explanation, I added a simple network diagram that, in my opinion, shows all relevant components. Did you find it more comprehensible than my text version? Or do you need to see the other devices attached to the RB4011, like printer and desktop PC, that have nothing to do with my bridge_wan idea? If the diagram is not enough, I doubt I'll be able to explain it in a way that you'll be able to give advice. In this case, maybe there are others that do understand what I'm trying to achieve.

PS: English is my second language, so the subtleties may escape me.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)

Thu Sep 22, 2022 9:48 pm

It's about context, expectations and actual requirements, and from that an efficiently designed config can be constructed.

Okay, you have an ISP-provided modem router that you have no control over and which gives you a private IP.
VLANs are an excellent tool to permit various segregated subnets on the LAN side.
From the link provided, you only need one bridge, and assign all subnets as VLANs to the bridge.
The bridge has no DHCP service etc. Clean, simple.
Each VLAN gets an IP pool, IP address, DHCP server and DHCP server network.

Assign /interface bridge ports and /interface bridge vlans as applicable.
Ensure firewall rules (default) are modified as necessary.
Firewall rules topic here:
viewtopic.php?t=180838
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)

Thu Sep 22, 2022 10:13 pm

> I thought I asked if it is correct to jack up the car and use the wheel wrench to change my tire. But you start to ask me how much horsepower my car has and where I bought it.
That's just @anav's way, don't worry, your description in the OP is fine (the topic title is a bit confusing though).

> I added a simple network diagram that, in my opinion, shows all relevant components.
The diagram shows the physical components but in order to add some value to the text description, it should show the logical topology instead (bridge ports and VLANs).


To your configuration: you mention the "Debian server" to be connected to ether3, but ether3 is not a member port of your bridge_wan. Also, something is telling me that you might want to be able to access the host system "Debian server" for management purposes while the guest system would be connected to the WAN bridge; on the other hand, it seems the server has only a single Ethernet interface as you consider using a VLAN.

All this together suggests that you should use the "single bridge, many VLANs" approach on the 4011, where ether1 and ether2 would be access ports to VLAN 111, and ether3 would be a hybrid port - VLAN 111 would pass in trunk mode and the native VLAN would be the LAN one. In this case, at least one of (WAN, LAN) interfaces of the 4011 would have to be an /interface vlan; the other one could be the bridge itself if you prefer that, or another /interface vlan.

It is also possible to keep the wan and lan bridges separate, where ether3 would be a member port of the LAN bridge and you would make the tagless end of /interface vlan ... vlan-id=111 a member port of the bridge_wan while its tagged end would be attached to bridge_lan, but that would be a "convoluted" approach in my opinion ;)
 
terraformer
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Dec 16, 2016 2:06 am

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)

Fri Sep 23, 2022 10:04 am

Thank you for your reply and I apologize for the confusing title. I did not know how to describe it more accurately. :( I appreciate help on the wording.
Meanwhile I'll grab a spare HAP lite and try to configure what you suggested. :)

> The diagram shows the physical components but in order to add some value to the text description, it should show the logical topology instead (bridge ports and VLANs).
Looks like I misjudged what diagram was expected to understand my idea. Hence, I left out the "default bridge" (bridge1) where all ether-ports except the WAN port are in. I've made another diagram that should show pre and post idea configuration.

> "Debian server" to be connected to ether3, but ether3 is not a member port of your bridge_wan. Also, something is telling me that you might want to be able to access the host system "Debian server" for management purposes while the guest system would be connected to the WAN bridge; on the other hand, it seems the server has only a single Ethernet interface as you consider using a VLAN.
Right, it is physically connected to ether3 and assigned to bridge1. It has one physical Ethernet adapter and that's why I thought a virtual VLAN adapter could get its guests into another bridge. Moreover, I thought that access to the Debian server would still be available because it is attached to bridge1.

> All this together suggests that you should use the "single bridge, many VLANs" approach on the 4011, where ether1 and ether2 would be access ports to VLAN 111, and ether3 would be a hybrid port - VLAN 111 would pass in trunk mode and the native VLAN would be the LAN one.
Do you literally mean "single bridge" like in my vlan-diagram? Not sure how to visualize the hybrid port.

> In this case, at least one of (WAN, LAN) interfaces of the 4011 would have to be an /interface vlan; the other one could be the bridge itself if you prefer that, or another /interface vlan.
Do my blue (VLAN 111) and green (bridge+other ether ports) elements reflect that?
If I understand correctly, RB4011 gets its 192.168.1.0/24 IP address via DHCP client on vlan111 interface like Ether1 and Ether2 and all virtual machines that use VLAN 111 tagged virtual network adapter.

> It is also possible to keep the wan and lan bridges separate, where ether3 would be a member port of the LAN bridge and you would make the tagless end of /interface vlan ... vlan-id=111 a member port of the bridge_wan while its tagged end would be attached to bridge_lan, but that would be a "convoluted" approach in my opinion ;)
From what I read, I was under the apparently wrong impression that I would need a second bridge. As you described, I can tag ether1 and ether2 so that those devices do not need to be VLAN aware. Am I right that this approach requires VLAN Filtering enabled on bridge1 aka bridge_lan because of the tagged ether-ports? If the router-modem and the IP-phone were able to tag their packets with VLAN ID 111, VLAN Filtering would not be needed?

Thank you for your explanation and patience.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)

Fri Sep 23, 2022 11:30 am

> It has one physical Ethernet adapter and that's why I thought a virtual VLAN adapter could get its guests into another bridge. Moreover, I thought that access to the Debian server would still be available because it is attached to bridge1.
In the world of "normal" networking devices, you cannot take a particular VLAN from a member port of one bridge and connect it to another bridge. Only Linux-based networking allows one to configure things in such an extraordinary way. And I strongly prefer and recommend using an extraordinary solution only where the goal cannot be accomplished using an ordinary one.

> Do you literally mean "single bridge" like in my vlan-diagram? Not sure how to visualize the hybrid port.
Yes, I do, I mean a single common bridge for multiple VLANs, some of them playing the roles of WANs and others playing the role of LANs (in general case, here you'll have a single LAN and a single WAN).

There is no need to visualize a hybrid port in some special way. If the port is colored the same like one of the VLANs, it means that that VLAN passes through that port tagless; if other VLANs are shown to pass through the same port as well, it is a sufficient indication that the port is a hybrid one. Using this approach, a colored port with no other VLANs than the same-colored one is a pure access one, and a port whose color doesn't match any of the VLANs passing through it (ideally some shade of gray) is a pure trunk one.

Thinking about how to visualize the "redirection" of a VLAN from one bridge to another would have led you to thinking about what would be necessary to actually implement it.

> Do my blue (VLAN 111) and green (bridge+other ether ports) elements reflect that?
I wish I were as comfortable with drawing as you are (see this for comparison, it took me hours), but no, the drawing is still not self-explanatory and needs an accompanying text. From the drawing alone it is not clear that the virtual machines run "inside" the Debian server and that VLAN 111 passes through ether3 of 4011 and eth0 of the Debian server. I know I've said to concentrate on the logical topology, but this particular moment (eth0<->ether3 connection carrying two VLANs) is critical for grasping the overall scenario. Also, describing the links (arrows) with names of interfaces to which just one end of the link is connected may introduce confusion.

> If I understand correctly, RB4011 gets its 192.168.1.0/24 IP address via DHCP client on vlan111 interface like Ether1 and Ether2 and all virtual machines that use VLAN 111 tagged virtual network adapter.
Exactly.

> From what I read, I was under the apparently wrong impression that I would need a second bridge.
This was true many RouterOS versions ago, where you needed one bridge per VLAN to be able to affect membership of ports in VLANs. Before vlan-filtering, all frames were bridged to all other ports of the same bridge, and no tagging/untagging on ingress/egress was possible; it all had to be done using /interface vlan.

> As you described, I can tag ether1 and ether2 so that those devices do not need to be VLAN aware. Am I right that this approach requires VLAN Filtering enabled on bridge1 aka bridge_lan because of the tagged ether-ports?
Yes, as explained above.

> If the router-modem and the IP-phone were able to tag their packets with VLAN ID 111, VLAN Filtering would not be needed?
For this exact scenario, correct, you could have the WAN VLAN (111) and the LAN VLAN (1?) on the same bridge even with vlan-filtering=no. But vlan-filtering=yes is also necessary to allow the actual "filtering", i.e. without it, VLAN111 would be available also at the other Ethernet ports, which is not desired in many cases.
 
terraformer
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Dec 16, 2016 2:06 am

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)

Fri Sep 23, 2022 1:05 pm

Thank you again for the thorough explanation.

> Only Linux-based networking allows one to configure things in such an extraordinary way.
Good to know! I thought this is an ordinary solution.

> the drawing is still not self-explanatory and needs an accompanying text. ... this particular moment (eth0<->ether3 connection carrying two VLANs) is critical for grasping the overall scenario.
Next time I will remember this important detail.


Based on your feedback, I grabbed a hAP lite, reset it with no default configuration and configured it like that (copied from /export):
/interface bridge
add name=bridge_only vlan-filtering=yes
/interface vlan
add interface=bridge_only name=vlan_wan vlan-id=111
/interface bridge port
add bridge=bridge_only interface=ether2 pvid=111
add bridge=bridge_only interface=ether3
add bridge=bridge_only interface=ether1 pvid=111
/interface bridge vlan
add bridge=bridge_only tagged=ether3 untagged=ether1,ether2 vlan-ids=111
/ip dhcp-client
add disabled=no interface=vlan_wan

/ip dhcp-client
add disabled=no interface=ether4
/system clock
set time-zone-name=Europe/Berlin
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

I just rearranged the irrelevant entries and left wireless config etc. for the sake of completeness. ether4 and its DHCP client are purely for easier configuration.

The test
Now I connect the external DHCP-server[1] to ether1 and a client device to ether2. ether3 is the hybrid port where the Debian server and its virtual machines will be connected (cannot do that at the moment). [1] For the test, it's the RB4011 but later it's the modem-router.
The client on ether2 gets an IP address from the external DHCP-server and can access the world.
The hAP lite itself is offered an IP but without success "dhcp offering lease 192.168.88.110 for <hAP lite port mac> without success". I searched for this message but could not find a working solution. The cable is fine, it's the same that connects to ether4 where it instantly gets an IP address. Maybe it has something to do with the RB4011 DHCP server configuration. But it's the same DHCP server that assigns the IP address on ether4. I'm pretty confident my configuration on the hAP lite is faulty but I cannot find it. Maybe you see where I failed.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)  [SOLVED]

Fri Sep 23, 2022 1:28 pm

Change
/interface bridge vlan
add bridge=bridge_only tagged=ether3 untagged=ether1,ether2 vlan-ids=111

to
/interface bridge vlan
add bridge=bridge_only tagged=bridge_only,ether3 untagged=ether1,ether2 vlan-ids=111

and you'll be good.

The post I have linked earlier should answer the "why?".
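
Added example (not part of the post above and not MikroTik code): a small Python check that reads a RouterOS /export and flags any /interface vlan whose parent bridge is not a tagged member of that VLAN in /interface bridge vlan, which is the fault corrected above, and also the vlan-filtering=no case discussed earlier in the thread. The sample input is the hAP lite export from the thread; the function names are hypothetical, and the parser assumes one "add" per line with no quoted values containing spaces.

```python
import re
from collections import defaultdict
# Constructed input: the hAP lite export posted in the thread, before the fix.
EXPORT_BEFORE = """\
/interface bridge
add name=bridge_only vlan-filtering=yes
/interface vlan
add interface=bridge_only name=vlan_wan vlan-id=111
/interface bridge port
add bridge=bridge_only interface=ether2 pvid=111
add bridge=bridge_only interface=ether3
add bridge=bridge_only interface=ether1 pvid=111
/interface bridge vlan
add bridge=bridge_only tagged=ether3 untagged=ether1,ether2 vlan-ids=111
"""
# Same export with the one-word change from the accepted answer.
EXPORT_AFTER = EXPORT_BEFORE.replace("tagged=ether3", "tagged=bridge_only,ether3")

def parse_export(text):
    """Map each menu path to the key=value dicts of its 'add' lines."""
    menus, path = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            menus[path].append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return menus

def vlan_ids(spec):
    """Expand a vlan-ids value such as '111' or '10,20-22' into a set of ints."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(text):
    """Flag /interface vlan entries whose parent bridge cannot deliver their VLAN."""
    menus = parse_export(text)
    bridges = {b["name"]: b for b in menus["/interface bridge"]}
    findings = []
    for v in menus["/interface vlan"]:
        br = bridges.get(v["interface"])
        if br is None: continue  # parent is not a bridge; out of scope here
        vid = int(v["vlan-id"])
        if br.get("vlan-filtering", "no") != "yes":
            findings.append(f"{v['name']}: vlan-filtering=no on {br['name']}, "
                            f"VLAN {vid} is not confined to its member ports")
            continue
        if not any(row.get("bridge") == br["name"]
                   and vid in vlan_ids(row.get("vlan-ids", ""))
                   and br["name"] in row.get("tagged", "").split(",")
                   for row in menus["/interface bridge vlan"]):
            findings.append(f"{v['name']}: {br['name']} is not a tagged member "
                            f"of VLAN {vid}, so the router itself never sees it")
    return findings

if __name__ == "__main__":
    print("before:", audit(EXPORT_BEFORE), "after:", audit(EXPORT_AFTER))
```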
 
terraformer
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Dec 16, 2016 2:06 am

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)

Fri Sep 23, 2022 6:07 pm

That did the trick! Thank you very much.
And I'm sorry, again, that I misunderstood your link. I thought you just gave an example of network diagrams. :(

I've changed the config on my RB4011 and it works. I started a virtual machine and now it got an IP from the router-modem and an IP from the RB4011.

best regards
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)

Fri Sep 23, 2022 6:12 pm

> And I'm sorry, again, that I misunderstood your link. I thought you just gave an example of network diagrams. :(
No need to be sorry, the more so because I've indeed posted the link mainly for the drawing. But as it was relevant to the last issue, I've repurposed it :)

Glad it works now. Have a nice weekend.
 
terraformer
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Dec 16, 2016 2:06 am

Re: Advice on how to set up separate bridge for router, port and virtual machine(s)

Fri Sep 23, 2022 6:17 pm

Thanks, you too.
