New to Mkt, struggling with basic VLAN setup

PM848 · Thu Dec 21, 2023 6:28 pm

Dear community,
I'm new to Mikrotik (not new in the networking field though

) and I'm really struggling to add basic vlan support to my CCR2004-16G-2S+
Basically I will use it as a standard NAT router and I will need a few VLANs on my LAN to have AP management and User traffic on 2 different VLANs.

I can't even make the 1st vlan to work (untagged)...
Trying to ping 192.168.88.1 from a laptop (192.168.88.5) connected on ether2.

Can you please assist? I'm sure I'm missing some obvious part here but can't figure out what

Here is the config I tested:

admin@MikroTik] > export
# 1970-01-02 00:28:55 by RouterOS 7.12.1
# software id = NCR8-KCMM
#
# model = CCR2004-16G-2S+
/interface bridge
add name=WIFI vlan-filtering=yes
/interface vlan
add interface=WIFI name=users vlan-id=8
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=WIFI interface=ether2 pvid=8
add bridge=WIFI interface=ether4 pvid=8
add bridge=WIFI interface=ether6 pvid=8
add bridge=WIFI interface=ether8 pvid=8
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=WIFI untagged=ether2,ether4,ether6,ether8 vlan-ids=8
/ip address
add address=192.168.88.1/24 interface=users network=192.168.88.0
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

Thanks

llamajaja · Thu Dec 21, 2023 9:56 pm

viewtopic.php?t=143620

PM848 · Fri Dec 22, 2023 4:31 pm

Hello llamajaja and thank you, yes I checked this topic already...

anav · Fri Dec 22, 2023 10:37 pm

Take a look at your IP address.
/ip address
add address=192.168.88.1/24 interface=users network=192.168.88.0

PM848 · Mon Jan 08, 2024 1:12 pm

Thanks anav,
Well do you mean that the ip address should be associated with WIFI bridge instead of users subinterface?

anav · Mon Jan 08, 2024 2:02 pm

Ahh okay, I see you only have one subnet and are using a vlan for that. A bit unusual but perfectly fine.
My question is, where are your firewall rules?
Where is your internet connection??

PM848 · Mon Jan 08, 2024 2:45 pm

I voluntarily removed all other parts to isolate my issue but basically port 1 will be my WAN interface with classic NAT.
I'll then have 2 vlans: one for users and one for wifi management

PM848 · Mon Jan 08, 2024 3:18 pm

Here is a more comprehensive config I'm trying without success: connecting a laptop to access port 2 or 4 doesn't work: it cannot get any IP from DHCP server.
I tried assigning an IP manually and it cannot ping .1 in any vlan (not DHCP related)

/interface bridge
add name=br-wifi vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
/interface vlan
add interface=br-wifi name=vlan8 vlan-id=8
add interface=br-wifi name=vlan9 vlan-id=9
/ip pool
add name=dhcp_pool0 ranges=10.88.0.2-10.88.0.254
add name=dhcp_pool1 ranges=10.99.0.2-10.99.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan8 name=dhcp1
add address-pool=dhcp_pool1 interface=vlan9 name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=br-wifi interface=ether2 pvid=9
add bridge=br-wifi interface=ether4 pvid=8
add bridge=br-wifi interface=ether6
add bridge=br-wifi interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=br-wifi tagged=ether6,ether8 untagged=ether4 vlan-ids=8
add bridge=br-wifi tagged=ether6,ether8 untagged=ether2 vlan-ids=9
/ip address
add address=10.88.0.1/24 interface=vlan8 network=10.88.0.0
add address=10.99.0.1/24 interface=vlan9 network=10.99.0.0
/ip dhcp-server network
add address=10.88.0.0/24 dns-server=1.1.1.1 gateway=10.88.0.1
add address=10.99.0.0/24 dns-server=1.1.1.1 gateway=10.99.0.1
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

anav · Mon Jan 08, 2024 3:49 pm

Read through this article and pay close attention to /interface bridge ports and /interface bridge vlans to find your error

viewtopic.php?t=143620

PM848 · Mon Jan 08, 2024 4:31 pm

nice I think you made my day ! thanks a lot !
I replaced:

/interface bridge vlan
add bridge=br-wifi tagged=ether6,ether8 untagged=ether4 vlan-ids=8
add bridge=br-wifi tagged=ether6,ether8 untagged=ether2 vlan-ids=9

with:

/interface bridge vlan
add bridge=br-wifi tagged=br-wifi vlan-ids=8
add bridge=br-wifi tagged=br-wifi vlan-ids=9

That said after all the doc/video I checked I cannot recall where it was explained this way

(so many different ways of doing this)

anav · Mon Jan 08, 2024 6:38 pm

The doc shows it but your config still not correct.

/interface bridge port
add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=9
add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-priority-and-untagged i interface=ether4 pvid=8
add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6
add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8

/interface bridge vlan
add bridge=br-dcwifi tagged=br-dcwifi,ether6,ether8 untagged=ether4 vlan-ids=8
add bridge=br-dcwifi tagged=br-dcwifi,ether6,ether8 untagged=ether2 vlan-ids=9

PM848 · Mon Jan 08, 2024 10:58 pm

Ok, I see yours is more strict but the one I pasted seems to work too: it looks like untagged is inferred from the PVID field of this interface

meaning that port 2 and 4 are shown as currently untagged in winbox when active whereas 6 and 8 as tagged which is correct.

anav · Mon Jan 08, 2024 11:08 pm

Correct, I prefer to manually insert the untagging as a visual crosscheck to make sure my bridge ports and bridge interfaces line up.
Also the untagging doesnt show up when exporting a config........

PM848 · Mon Jan 08, 2024 11:28 pm

Yes, the stricter and more explicit it is the better for me too

So basically my mistake was omitting the bridge itself from the vlan table

anav · Tue Jan 09, 2024 2:23 am

Correct, and thus the linked article was not followed, all good now I will bet.

PM848 · Tue Jan 09, 2024 3:48 pm

Indeed I did not read the entire thread, just the first posts, sorry about that.
Thanks for the help.

New to Mkt, struggling with basic VLAN setup [SOLVED]

New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup [SOLVED]

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Re: New to Mkt, struggling with basic VLAN setup

Who is online