mheber
just joined
Topic Author
Posts: 8
Joined: Tue Jul 09, 2024 9:58 pm
Location: Germany

VLAN Issue

Tue Jul 09, 2024 10:10 pm

Hello together,

I am planning to transfer from an AVM Internet Router to a Mikrotik System. I have to ensure that the telephone function of the two AVM DECT stations will still work and that they are integrated into the Mikrotik system. The DECT station can not be integrated into the Mikrotik DHCP addresses. It needs to get the IP address from the internet router directly. A separate cabling would be an extreme effort as the cabling is already existing.

The plan is described in the attachment.

I do not understand how I can use VLAN on the Ether2 at the Main router as a separate input, which I can transfer through the two other Mikrotik CAPS clients so that at the last CAPS client I get the connection and IP address at Ether 3.

I would be very happy for any helpful comment / hint.

Best regards Michael
Folie1.jpeg
 
anav
Forum Guru
Posts: 20273
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Issue

Tue Jul 09, 2024 11:03 pm

So you are saying you have two cables coming into the internet router and they will be used to insert into the mikrotik router?
OR
Are you saying that you will keep the internet router and will have two cables coming from it to the mikrotik router??
OR
Are you saying that there will only be one cable coming from some modem that is just upstream to the internet router which will be coming into the Mikrotik on one cable?
If it's the latter, do you know if the signals are coming over in vlans (internet vlanXXX and telephone YYY) or perhaps just the telephone in a vlan YYY?
 
mheber
just joined
Topic Author
Posts: 8
Joined: Tue Jul 09, 2024 9:58 pm
Location: Germany

Re: VLAN Issue

Tue Jul 09, 2024 11:40 pm

Yes, there will be two cables from the Internet router (which I will keep) to the Mikrotik Main. One is for the "normal" Internet connection and the other one will use a separate address space, which should be tunneled by a VLAN to Mikrotik1 and Mikrotik2 to the DECT telephone station.
 
TheCat12
Member Candidate
Posts: 242
Joined: Fri Dec 31, 2021 9:13 pm

Re: VLAN Issue

Tue Jul 09, 2024 11:46 pm

So VLAN 20 is for the "normal" internet, I assume? And the DHCP server for it would be the Mikrotik?
 
mheber
just joined
Topic Author
Posts: 8
Joined: Tue Jul 09, 2024 9:58 pm
Location: Germany

Re: VLAN Issue

Tue Jul 09, 2024 11:48 pm

Yes, VLAN 20 is for the normal communication and the DHCP server is the Mikrotik. For the special other subject I will use another VLAN ID and the DHCP-Server will be the internet Router.
 
TheCat12
Member Candidate
Posts: 242
Joined: Fri Dec 31, 2021 9:13 pm

Re: VLAN Issue

Wed Jul 10, 2024 12:05 am

Ok then, first you'll create a bridge with all ethernet ports except ether1 in it (for the config I'll assume all ports are ether1-5), then create a VLAN interface for VLAN 20 and configure IP addresses and DHCP settings for it. After that you'll fill in the Bridge VLAN table and enable vlan-filtering. Overall, the config should look something like this:
/interface bridge add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=200
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=20
add bridge=bridge1 interface=ether5

/interface vlan add interface=bridge1 name=VLAN20 vlan-id=20

/ip address add address=170.205.42.1/24 interface=VLAN20 network=175.205.42.0

/ip pool add name=dhcp_pool ranges=170.205.42.2-170.205.42.254

/ip dhcp-server network add network=170.205.42.0/24 dns-server=170.205.42.1 gateway=170.205.42.1

/ip dhcp-server add name=dhcp_VLAN20 address-pool=dhcp_pool interface=VLAN20

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20
add bridge=bridge1 tagged=ether5 vlan-ids=200

/interface bridge set bridge1 vlan-filtering=yes
Last edited by TheCat12 on Wed Jul 10, 2024 4:14 pm, edited 2 times in total.
 
TheCat12
Member Candidate
Posts: 242
Joined: Fri Dec 31, 2021 9:13 pm

Re: VLAN Issue

Wed Jul 10, 2024 12:10 am

A side question - why do you use a public IP (170.x.x.x) for LAN?
 
mheber
just joined
Topic Author
Posts: 8
Joined: Tue Jul 09, 2024 9:58 pm
Location: Germany

Re: VLAN Issue

Wed Jul 10, 2024 12:17 am

I would like to access some IPs from the outside of my home network via certificates.
 
llamajaja
Member Candidate
Posts: 263
Joined: Sat Sep 30, 2023 3:11 pm

Re: VLAN Issue

Wed Jul 10, 2024 3:34 pm

Cat is on the right track for sure (except he mixes up the 175 with 170 on several lines of the config) and agree stick to private IPs within the router, there are ways to ensure external access to your LAN etc, without such drastic ideas.
That requirement is secondary and can be dealt with after with an appropriate vpn selection and config.
I am a bit confused on the setup though.

Can we assume the internet is coming in to the MK as a plain subnet on ether1 and no vlan tags?
Can we assume the telephone is coming into the MK as a plain subnet on ether5 and no vlan tags?

If the latter case (telephone) is correct then a good idea to assign it a vlan and move it through the various devices as a vlan and then untag it when it needs to hit the DECT.
If the latter case is incorrect and it comes already tagged, then we simply carry it directly to the DECT etc.....

So Option 1 - Both basic subnets, no tags.
# add the vlan-filtering=yes part after the rest of the config is done
/interface bridge add name=bridge1 vlan-filtering=yes

/interface vlan add interface=bridge1 name=VLAN20 vlan-id=20
# need to create this as it doesn't exist yet
/interface vlan add interface=bridge1 name=VLAN200 vlan-id=200

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=200
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether3,ether4 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether2 vlan-ids=200

/ip address add address=10.205.42.1/24 interface=VLAN20 network=10.205.42.0
/ip pool add name=dhcp_pool ranges=10.205.42.2-10.205.42.254
/ip dhcp-server add name=dhcp_VLAN20 address-pool=dhcp_pool interface=VLAN20
/ip dhcp-server network add network=10.205.42.0/24 dns-server=10.205.42.1 gateway=10.205.42.1
......

So Option 2 - Telephone already comes into MT already tagged.
# add the vlan-filtering=yes part after the rest of the config is done
/interface bridge add name=bridge1 vlan-filtering=yes

/interface vlan add interface=bridge1 name=VLAN20 vlan-id=20

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether3,ether4 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5,ether2 vlan-ids=200

/ip address add address=10.205.42.1/24 interface=VLAN20 network=10.205.42.0
/ip pool add name=dhcp_pool ranges=10.205.42.2-10.205.42.254
/ip dhcp-server add name=dhcp_VLAN20 address-pool=dhcp_pool interface=VLAN20
/ip dhcp-server network add network=10.205.42.0/24 dns-server=10.205.42.1 gateway=10.205.42.1
 
TheCat12
Member Candidate
Posts: 242
Joined: Fri Dec 31, 2021 9:13 pm

Re: VLAN Issue

Wed Jul 10, 2024 4:19 pm

For option 1 I disagree that there is a need for a VLAN200 interface because the VLAN should operate only on L2, no L3 needed. That's why I omitted it from my config
 
llamajaja
Member Candidate
Posts: 263
Joined: Sat Sep 30, 2023 3:11 pm

Re: VLAN Issue

Wed Jul 10, 2024 5:31 pm

Understood, however since the vlan didn't exist yet (from source), I thought it was necessary??
Perhaps I am wrong, as your logic is also valid, will ask a friend.......
 
TheCat12
Member Candidate
Posts: 242
Joined: Fri Dec 31, 2021 9:13 pm

Re: VLAN Issue

Wed Jul 10, 2024 6:11 pm

Although it "doesn't exist from source" as you refer to it, it does get introduced by being set as vlan-id in /interface bridge vlan and/or pvid in /interface bridge port, depending on the role of the port, and the VLAN tag begins being added/stripped after enabling vlan-filtering
 
llamajaja
Member Candidate
Posts: 263
Joined: Sat Sep 30, 2023 3:11 pm

Re: VLAN Issue

Wed Jul 10, 2024 6:42 pm

Yes, and if one thinks about a trunk port coming in with vlan20, it can be then untagged to a port and no definition required for the transfer of such traffic through the bridge.
What is being done is the reverse and thus your setup would seem to be the correct one, not required to define.
 
anav
Forum Guru
Posts: 20273
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Issue

Wed Jul 10, 2024 9:28 pm

Cat 100% correct, no need for vlan interface identification and no need to involve bridge in tagging thusly.
/interface vlan add interface=bridge1 name=VLAN20 vlan-id=20

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=200
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5  untagged=ether3,ether4  vlan-ids=20
add bridge=bridge1 tagged=ether5  untagged=ether2  vlan-ids=200
 
mheber
just joined
Topic Author
Posts: 8
Joined: Tue Jul 09, 2024 9:58 pm
Location: Germany

Re: VLAN Issue

Wed Jul 10, 2024 9:43 pm

Thank you very much for your support. Unfortunately I currently can not access my Mikrotik hAP ac2. I reset the router, but I can not log in, neither with admin and no password nor with admin and my old password.

I tried the following things without success:

Using Reset Button
RouterBOARD devices are fitted with a reset button which has several functions:
• Loading the backup RouterBOOT loader
Hold this button before applying power, and release it after three seconds since powering, to load the backup boot loader. This might be necessary if the device is not operating because of a failed RouterBOOT upgrade. When you have started the device with the backup loader, you can either set RouterOS to force backup loader in the RouterBOARD settings or have a chance to reinstall the failed RouterBOOT from a ".fwf" file (total of 3 seconds)
• Resetting the RouterOS configuration
Hold this button until the LED light starts flashing, and release the button to reset RouterOS configuration to default.
• Enabling CAPs mode
To connect this device to a wireless network managed by CAPsMAN, keep holding the button for 5 more seconds, LED turns solid, release now to turn on CAPs mode. It is also possible to enable CAPs mode via the command line, to do so run the command "/system reset-configuration caps-mode=yes";
• Starting the RouterBOARD in Netinstall mode
Or keep holding the button for 5 more seconds until the LED turns off, then release it to make the RouterBOARD look for Netinstall servers. You can also simply keep the button pressed until the device shows up in the Netinstall program on Windows.

Until I have solved this issue, I can not test your suggestions.

Best regards

Michael
 
TheCat12
Member Candidate
Posts: 242
Joined: Fri Dec 31, 2021 9:13 pm

Re: VLAN Issue

Wed Jul 10, 2024 11:42 pm

Newer models like hAP ac² should have a random password by default which is on the sticker that is on the box, hidden on the router
 
mheber
just joined
Topic Author
Posts: 8
Joined: Tue Jul 09, 2024 9:58 pm
Location: Germany

Re: VLAN Issue

Thu Jul 11, 2024 1:00 am

Newer models like hAP ac² should have a random password by default which is on the sticker that is on the box, hidden on the router
Thank you very much. Your post solved an issue on which I had already spent 3 hours.
 
mheber
just joined
Topic Author
Posts: 8
Joined: Tue Jul 09, 2024 9:58 pm
Location: Germany

Re: VLAN Issue

Fri Jul 12, 2024 10:46 pm

I still have issues and maybe I did not explain everything clearly enough.
Mikrotik Main shall provide the Internet access via Ethernet 1 from the Internet Router.
Therefore Ethernet 1 is a DHCP client of the Internet Router. After this a firewall and NAT is put at bridge (192.168.88.1/22).
From this pool all other Mikrotik routers (CAPS clients) shall get their IP addresses.
For the internal configuration/administration, VLAN20 with address pool 170.205.42.254/24 should be used. All CAPS clients (following Mikrotik Router) should receive their addresses via VLAN20.

Following your suggestions the following was happening:
I did a factory reset on all routers.
With the installation of the VLAN200 via Ethernet 2 of the Mikrotik Main all clients receive their DHCP addresses from the internet router. No cable client gets an address from the pool 192.168.88.0/22. I would like all clients of the network to get their addresses from the pool 192.168.88.0/22. Only the DECT station should receive its address from the address pool of the internet router via VLAN200 (192.168.178.0/24). This address range shall only be used by Mikrotik main and the DECT station.

The function VLAN20 shall only be used to reach the other routers via an ethernet port from the Mikrotik Main.

When I enter “/ip dhcp-server add name=dhcp_VLAN20 address-pool=dhcp_pool1 interface=VLAN20”
I get the message failure: “can not run on slave interface”

What is my mistake and the solution?
 
anav
Forum Guru
Posts: 20273
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Issue

Sat Jul 13, 2024 2:12 am

No ideas unless you post your config and for one cap as well.
 
mheber
just joined
Topic Author
Posts: 8
Joined: Tue Jul 09, 2024 9:58 pm
Location: Germany

Re: VLAN Issue

Sat Jul 13, 2024 11:16 am

Thank you for your help.

Meanwhile we can localize the issue to a smaller issue.

The DHCP address distribution to the 192.168.88.0/22 is working as well as the forwarding of the VLAN20. All routers get their IP address via VLAN20 and can be connected.

I also get the VLAN200 connection between the main router and the other Mikrotik router.

The remaining issue is that I can not put the input from the ethernet2 into the VLAN200 on the main router. I would just like to tunnel the ethernet2 from the internet router without any address change or anything else through the VLAN200 to the other router. In fact it should simulate an additional "software" cable between the Ethernet 2 of the internet router and the Ethernet 1 of the DECT station.

Our latest finding is that we do not get a DHCP client address from the internet router on ethernet3 of Mikrotik 2.

The config of the main router looks like this:


# 2024-07-13 10:04:02 by RouterOS 7.15.1
# software id = 4NJK-U7CA
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxx
/interface bridge
add admin-mac=D4:01:C3:09:B1:E0 auto-mac=no comment=defconf name=bridge
add comment=VLANTEST frame-types=admit-only-vlan-tagged name=bridge_vlan \
pvid=200 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-09B1E4 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-09B1E4 \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=Internet
set [ find default-name=ether2 ] comment="DHCP Client DECT"
set [ find default-name=ether5 ] comment="Output f\FCr alles"
/interface vlan
add comment="VLAN Verwaltung" interface=ether5 name=vlan20 use-service-tag=\
yes vlan-id=20
add interface=ether5 name=vlan_200_out vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=VLAN name=VLAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf \
disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add comment=Heimnetz name=dhcp_pool_Network ranges=\
192.168.88.2-192.168.91.254
add comment=Verwaltung name=dhcp_pool_router ranges=\
170.205.42.1-170.205.42.253
/ip dhcp-server
add address-pool=dhcp_pool_Network interface=bridge name=dhcp1
add address-pool=dhcp_pool_router interface=vlan20 name=dhcp2
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment="Standard Output" frame-types=\
admit-only-vlan-tagged interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# ether2,vlan_200_out not a bridge port
add bridge=bridge_vlan tagged=ether2 untagged=vlan_200_out vlan-ids=200
/interface detect-internet
set internet-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=VLAN
/ip address
add address=192.168.88.1/22 comment=defconf interface=bridge network=\
192.168.88.0
add address=170.205.42.254/24 comment=Verwaltungspool interface=vlan20 \
network=170.205.42.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=170.205.42.0/24 gateway=170.205.42.254
add address=192.168.88.0/22 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-Main-Heber
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
TheCat12
Member Candidate
Posts: 242
Joined: Fri Dec 31, 2021 9:13 pm

Re: VLAN Issue

Sat Jul 13, 2024 6:45 pm

You're mixing apples with oranges and your VLAN config is a complete mess. You either use VLANs all the way or don't use them at all, hybrid setups don't work as expected.

1) Remove or change pvid of vlan bridge to 20 and remove frame-types if you don't want to lock yourself out:

add comment=VLANTEST frame-types=admit-only-vlan-tagged name=bridge_vlan \
pvid=200 vlan-filtering=yes


to:

add comment=VLANTEST name=bridge_vlan \
vlan-filtering=yes


2) Create a VLAN for the 192.168.88.0 network and change all of the settings associated with it:

/interface vlan
add interface=bridge_vlan name=LAN_VLAN vlan-id=30

/ip address
add address=192.168.88.1/22 comment=defconf interface=LAN_VLAN network=\
192.168.88.0

/ip dhcp-server
add address-pool=dhcp_pool_Network interface=LAN_VLAN name=dhcp1


3) Remove ether3 and ether5 from default bridge and assign them as well as ether2 and ether4 to the vlan bridge. Also add appropriate pvids:

/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment="Standard Output" frame-types=\
admit-only-vlan-tagged interface=ether5


to:

/interface bridge port
add bridge=bridge_vlan interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=200
add bridge=bridge_vlan comment=defconf interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=30
add bridge=bridge_vlan interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=30
add bridge=bridge_vlan comment="Standard Output" ingress-filtering=\
yes frame-types=\
admit-only-vlan-tagged interface=ether5


4) Remove use-service-tag=yes on VLAN Verwaltung interface because it is associated with a different ethertype (0x88a8), assign it to the vlan bridge and remove vlan_200_out interface:

/interface vlan
add comment="VLAN Verwaltung" interface=ether5 name=vlan20 use-service-tag=\
yes vlan-id=20
add interface=ether5 name=vlan_200_out vlan-id=200


to:

/interface vlan
add comment="VLAN Verwaltung" interface=bridge_vlan name=vlan20 vlan-id=20


5) Clear your whole Bridge VLAN table and add following entries:

/interface bridge vlan
add bridge=bridge_vlan tagged=bridge_vlan,ether5 vlan-ids=20
add bridge=bridge_vlan tagged=bridge_vlan,ether5 vlan-ids=30
add bridge=bridge_vlan tagged=bridge_vlan,ether5 vlan-ids=200


With these settings you'll achieve the following:

1) Transparently forward VLAN200
2) Have a management VLAN20 and a VLAN30 for LAN because, as I said, VLAN aware and VLAN non-aware bridges don't mix well

If you wish, you can make ether4 an untagged port for the VLAN20 to have untagged access to the management VLAN:
/interface bridge port
set [find interface=ether4] pvid=20
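
The problems listed in the reply above can be checked mechanically before a config is applied. The following is an added example, not code from the thread or from MikroTik: a small Python linter run over a constructed excerpt of the posted main-router export. The helper names `parse_export` and `lint` and the finding labels are hypothetical.

```python
import re
import shlex

# Constructed excerpt: VLAN-relevant lines of the main-router export in the thread.
EXPORT = r'''
/interface bridge
add admin-mac=D4:01:C3:09:B1:E0 auto-mac=no comment=defconf name=bridge
add comment=VLANTEST frame-types=admit-only-vlan-tagged name=bridge_vlan \
    pvid=200 vlan-filtering=yes
/interface vlan
add comment="VLAN Verwaltung" interface=ether5 name=vlan20 use-service-tag=\
    yes vlan-id=20
add interface=ether5 name=vlan_200_out vlan-id=200
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment="Standard Output" frame-types=\
    admit-only-vlan-tagged interface=ether5
/interface bridge vlan
add bridge=bridge_vlan tagged=ether2 untagged=vlan_200_out vlan-ids=200
'''


def parse_export(text):
    """Return {menu path: [params of each 'add' line]} for a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", text)  # join '\' continuation lines
    menu, items = None, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = shlex.split(line)
        path = menu
        if tokens[0].startswith("/"):
            verb = next((i for i, t in enumerate(tokens) if t in ("add", "set")), None)
            path = " ".join(tokens[:verb])
            if verb is None:  # bare path line: switches the current menu
                menu = path
                continue
            tokens = tokens[verb:]  # one-line form: "/interface vlan add ..."
        if tokens[0] == "add":
            params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            items.setdefault(path, []).append(params)
    return items


def lint(items):
    """Return (finding, object name) tuples for the VLAN mistakes in the thread."""
    findings = []
    bridges = {b["name"]: b for b in items.get("/interface bridge", [])}
    ports = items.get("/interface bridge port", [])
    port_of = {p["interface"]: p["bridge"] for p in ports}
    # Bridge VLAN table rows may only list the bridge itself or its own ports.
    for row in items.get("/interface bridge vlan", []):
        for key in ("tagged", "untagged"):
            for member in filter(None, row.get(key, "").split(",")):
                if member != row["bridge"] and port_of.get(member) != row["bridge"]:
                    findings.append(("not-a-bridge-port", member))
    for vlan in items.get("/interface vlan", []):
        # A VLAN interface belongs on the bridge, not on one of its slave ports.
        if vlan["interface"] in port_of:
            findings.append(("vlan-on-slave-port", vlan["name"]))
        # use-service-tag=yes switches the tag to ethertype 0x88a8.
        if vlan.get("use-service-tag") == "yes":
            findings.append(("service-tag-0x88a8", vlan["name"]))
    # frame-types on a port only takes effect on a vlan-filtering bridge.
    for port in ports:
        filtering = bridges.get(port["bridge"], {}).get("vlan-filtering") == "yes"
        if port.get("frame-types") and not filtering:
            findings.append(("frame-types-without-vlan-filtering", port["interface"]))
    # A filtering bridge without ports forwards nothing.
    for name, bridge in bridges.items():
        if bridge.get("vlan-filtering") == "yes" and name not in port_of.values():
            findings.append(("filtering-bridge-has-no-ports", name))
    return findings


if __name__ == "__main__":
    for finding, name in lint(parse_export(EXPORT)):
        print(f"{finding}: {name}")
```

Run against the posted export it reports seven findings; a config built from steps 1) to 5) above produces none.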
