gabacho4
Member
Topic Author
Posts: 332
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

bridges and VLANs - why?

Fri Oct 22, 2021 8:07 pm

New to Mikrotik and still learning the various ways a router can be configured. I currently have an RB5009 set up where each port is independent (i.e. no bridge) as this is the setup I have been most accustomed to using. I've read up on bridging with ROS and VLAN filtering etc but I am confused as to what the exact benefit of this is versus my current setup. What is the point of having an 8 port router, for example, if ALL the ports are basically trunk ports (I'm referring to the router on a stick setup illustrated in the very well done "Using RouterOS to VLAN your network" guide). I'm sure I'm missing something obvious but I haven't been able to think of a significant response myself. Appreciate any insight others might have. Thanks!
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridges and VLANs - why?

Fri Oct 22, 2021 9:34 pm

You can configure any MT device (with multiple interfaces) running ROS as a hybrid switch/router (or as a pure switch/bridge), and the switch personality is realized through the bridge function.

In the ROAS case (or the subnet-per-interface case) using a bridge doesn't make any sense.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: bridges and VLANs - why?

Fri Oct 22, 2021 9:43 pm

RouterOS isn't only for the RB5009, it is installed on almost every Mikrotik-Device.
Quite Handy to have the same Features and UI on every Router, Switch or CHR..

Another main advantage is every single Interface in RouterOS, can be used for
anything you need it to be ....

Having said that,

To answer your question : benefit bridging with VLAN filtering vs each port is independent
If you don't need a bridge/Switch on your RB5009 , then you don't need VLAN-Filtering
You can achieve the same results with independent Port configuration.

You can find a lot of information on the forum.
viewtopic.php?t=143620


To answer your question : What is the point of having an 8 port router?
I could probably write a Book with all the NON-Routing uses for a MikroTik-Router =)


- You don't have to bridge all the interfaces in one bridge...
- You can have multiple bridges if needed..
- The RB5009 has a Switch-chip so if you create a bridge,
It will be able to transfer L2-Data with Wirespeed and no CPU-Utilisation.
With RouterOS 7.X even L3-Features will be possible via the Switch-Chip

Some Setup-Examples:
A1: For Small SOHO-Network
SFP+ as WAN and use all ether-Ports as a Switch (With or without VLAN)
For a lot of small Networks or LABs this may remove the need for a Switch

A2: DMZ-Network
Use the SFP+ to connect to a Switch
Use Ether 1 thru Ether 4 for WAN or other Routing purposes
Bridge ether5 thru ether8 for a DMZ-Network

A3: Extend Switch
Use the SFP+ to connect to a Switch
But maybe you need more Ether-Interfaces to connect Servers and Co.
You can extend the switch via the RB5009
 
gabacho4
Member
Topic Author
Posts: 332
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: bridges and VLANs - why?

Fri Oct 22, 2021 9:48 pm

mkx - thanks for the response. Very glad to know I didn't misunderstand anything and that my confusion about using the bridge/vlan configuration in my circumstances was merited. If the 5009 didn't have so many ports, I could see the need to use VLANs (I have 4 subnets in my setup). For now, I just run an ethernet cable from each router port to my managed switch. The switch has ports configured for the right subnets and all works well. Doesn't look like I need to consider another setup....for now at least.
 
gabacho4
Member
Topic Author
Posts: 332
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: bridges and VLANs - why?

Fri Oct 22, 2021 9:54 pm

ConnyMercier - appreciate your input. Definitely understand that the 5009 isn't the only Mikrotik router in the offering.

Wanted to ask you a bit more about this:

"- The RB5009 has a Switch-chip so if you create a bridge,
It will be able to transfer L2-Data with Wirespeed and no CPU-Utilisation.
With RouterOS 7.X even L3-Features will be possible via the Switch-Chip"

Does this mean that my current, independent port setup incurs a performance penalty versus a bridge setup or will render some features unavailable? I haven't removed any ports from the switch, just no bridge. BUT if that has an impact, perhaps I should consider an alternate setup.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: bridges and VLANs - why?

Fri Oct 22, 2021 10:29 pm

Look at the Wiki on L3:
https://help.mikrotik.com/docs/display/ ... Offloading


I don't think your setup will get better with L3-Hardware Offloading
But maybe someone else in the Forum has more experience...
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: bridges and VLANs - why?

Fri Oct 22, 2021 11:39 pm

A better read....
viewtopic.php?t=173692
 
gabacho4
Member
Topic Author
Posts: 332
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: bridges and VLANs - why?

Fri Oct 22, 2021 11:58 pm

anav, it seems like only yesterday… 😅

So, based on that post it would seem that you or OP are indeed recommending using the bridge option to connect one physical port to a switch trunk port. I have no problem with learning and playing around with my setup. I basically want to make sure that I learn best practice ways of setting things up to ensure best performance and smartest and most secure configuration. The challenge is figuring out what I’d use the other 7 ports for, if anything.
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: bridges and VLANs - why?

Sat Oct 23, 2021 1:02 am

It does depend on what you are going to be doing. In my case, I don't have a bridge at all. The router is not doing any "switch" functions. Switching is all handled in a separate switch (CSS326-24G-2S). All ports on the router connect to ports on the switch as follows (using my router #1 for this example):
Ether1 = Cable internet
Ether2 = .101 LAN (my primary home LAN)
Ether3 = .103 LAN (primary resident WiFi)
Ether4 = trunk port with .102, .104, 105, & .106 VLANs (all the other stuff)
Ether5 = tieline to router #2
For the most part, each LAN does not have access to other LANs, but can get to the internet. There are a few firewall holes for selected stuff to get between LANs.

Router #2 is the same except it is my DSL internet and the .2xx series of LANs.

BTW, just a couple weeks ago the DSL was replaced with fiber (yea) and the two routers were combined into one RB4011iGS+
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridges and VLANs - why?

Sat Oct 23, 2021 1:04 pm

v7 on RB5009 doesn't offer L3 HW offload yet and it's not officially on the roadmap yet. AFAIK it was mentioned that the used switch chip does support L3 functionality so it may be possible to do it in ROS.

When it does, then it'll be beneficial to convert your current setup to bridge ... and for better performance it'll probably still make sense to use multiple router<->switch connections, only that they will be trunk (tagged) instead of plain (untagged). Using multiple links won't change processing overhead, but will offer sort of bonding. But then you could go for proper bonding if the switch supports that (in hardware).
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: bridges and VLANs - why?

Sat Oct 23, 2021 4:02 pm

My basic rule of thumb is that if you need different subnets and have enough ports on the router you don't need a bridge and can assign subnets to etherports.
If you run out of ports then go vlans, as typically running out of ports means you will need a switch or smart AP down the line and thus one port will carry more than one subnet.
Once into the realm of vlans, bridges make sense.
Another situation where a bridge makes sense is if you only have one subnet and you want that to go to all ports.......... Then the bridge can do everything.
When you have a mix of different subnets as stated above you can mix and match: the same subnet spanning multiple ports can use the bridge, other subnets can be assigned to the remaining etherports directly.
 
gabacho4
Member
Topic Author
Posts: 332
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: bridges and VLANs - why?

Sun Oct 24, 2021 8:53 pm

Wow - as has been my experience so far with Mikrotik and the forums, you all are amazing. Really appreciate all the thoughts and information on how you approach your networking needs. I'm sorry to be a little late in responding; hope I didn't make anyone feel like they were ignored.

k6ccc - thank you for your thoughts. I'm not running as many subnets as you are but it's definitely cool to hear about your setup and how you have implemented your routing. Your setup, and the one that anav recommends, is definitely in line with my current setup and mindset.

mkx - thank you for your insight on the L3 HW offloading and potential future benefits. I'm certainly interested in anything that takes the load off the CPU and leverages capabilities of the switch chip. Will have to see if/when Mikrotik takes advantage of that capability.

All in all, I might just decide to go to a bridge config with vlan filtering OR, I could go with a bridge setup similar to the guide and use the sfp+ port as the trunk to my downlink switch.

My last question is - is there a way I could make the sfp+ a trunk port without changing my current config? I want to say that it's not possible I won't be able to duplicate the dhcp servers etc. But, I'm new and, frankly, am not 100% sure or confident that I've completely understood the Mikrotik way of doing things. It seems to me that I'd have to do the bridge, then I could do VLAN filtering for the ports and also have the sfp+ as a trunk. If I'm wrong or have misunderstood some of the principles behind this, please help me understand. I've greatly enjoyed the guidance I've received thus far. Anav is very direct in his approach, a trait I personally value greatly. As long as you're patient with me if I stumble some, I can take the beatings along the way.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridges and VLANs - why?

Mon Oct 25, 2021 7:21 pm

My last question is - is there a way I could make the sfp+ a trunk port without changing my current config?

Very probably ... but can't say for sure without seeing your current config (text export) ... at least everything under /interface.
 
gabacho4
Member
Topic Author
Posts: 332
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: bridges and VLANs - why?

Mon Oct 25, 2021 10:20 pm

mkx - appreciate the response. I DID however decide to just bite the bullet and set up vlans, if for nothing more than the chance to learn. I had to do a hybrid config since all the examples in the great VLAN tutorial have the user creating a non-VLAN=1 management vlan. I currently have Ubiquiti Unifi switching as my infrastructure and their gear defaults to vlan1 which means any attempt to use something else will result in me losing access to my switches. Furthermore, I don't even know how I would adopt a new one in the future if I didn't have a vlan1. Soo....I restored the default config, removed a few ports, changed the IP schema for that network, and then added the vlans on top. It all works great and I'm able to use the sfp+ as the connection to my downlink switch (along with ether2,3,4 if I wanted to change things up some). Would you/someone be willing to review my config one last time to make sure I haven't missed anything obvious?

One immediate question I have is, according to the VLAN guide, it says to do something like /interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1] for VLAN security. I didn't use ether1 of course but did specify the ports that are part of the bridge. However, when I did this on the various ports in my config, I lost access to the internet and the router.

Is this causing me issues because I am using the default vlan1 which is untagged versus tagged?
Is there anything else I can do to implement the essence of what the guide was conveying or do I just need to leave that particular feature alone? Currently each port is set to "admit all."

# oct/25/2021 22:00:21 by RouterOS 7.1rc4
# software id = 7ZLE-935S
#
# model = RB5009UG+S+
# serial number = 
/interface bridge
add admin-mac=  auto-mac=no name=BaseNetwork vlan-filtering=\
    yes
/interface wireguard
add listen-port=30752 mtu=1420 name=Mullvad
add listen-port=51820 mtu=1420 name="Remote Access Wireguard"
add listen-port=51822 mtu=1420 name=Utah
/interface vlan
add interface=BaseNetwork name=CAMERAS_VLAN vlan-id=40
add interface=BaseNetwork name=DMZ_VLAN vlan-id=80
add interface=BaseNetwork name=KIDS_VLAN vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLANS
add include=LAN,VLANS name=ALL
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BaseNetwork ranges=10.20.2.100-10.20.2.254
add name=KIDS_POOL ranges=10.20.20.100-10.20.20.254
add name=CAMERAS_POOL ranges=10.20.40.100-10.20.40.254
add name=DMZ_POOL ranges=10.20.80.100-10.20.80.254
/ip dhcp-server
add address-pool=BaseNetwork interface=BaseNetwork lease-time=8h name=LAN
add address-pool=KIDS_POOL interface=KIDS_VLAN name=KIDS
add address-pool=CAMERAS_POOL interface=CAMERAS_VLAN name=Cameras
add address-pool=DMZ_POOL interface=DMZ_VLAN name=DMZ
/routing table
add disabled=no fib name=Utah
add disabled=no fib name=Mullvad
/interface bridge port
add bridge=BaseNetwork comment=defconf interface=ether2
add bridge=BaseNetwork comment=defconf interface=ether3
add bridge=BaseNetwork comment=defconf interface=ether4
add bridge=BaseNetwork comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=BaseNetwork tagged=BaseNetwork,ether2,ether3,ether4,sfp-sfpplus1 \
    vlan-ids=20,40,80
/interface list member
add interface=BaseNetwork list=LAN
add interface=ether1 list=WAN
add interface=KIDS_VLAN list=VLANS
add interface=CAMERAS_VLAN list=VLANS
add interface=DMZ_VLAN list=VLANS
add interface="Remote Access Wireguard" list=LAN
add interface=Mullvad list=LAN
add interface=Utah list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=136.36.56.240 endpoint-port=\
    51822 interface=Utah persistent-keepalive=30s public-key=\
    "UOKuHFY1WhC6b2beXIQGmivsFuXtqY9g8KNd6eC5qTc="
add allowed-address=0.0.0.0/0 endpoint-address=86.106.143.145 endpoint-port=\
    51820 interface=Mullvad persistent-keepalive=30s public-key=\
    "JQo2XN042FQbMrpvRMpEoA+CpqhRESeSWjkNB+k41Ds="
add allowed-address=10.103.103.2/32 interface="Remote Access Wireguard" \
    public-key="S0v2v7bRuzOnzcuC35IOTqEoq7TFXZAeLuXMcqgneC0="
/ip address
add address=10.20.2.1/24 interface=BaseNetwork network=10.20.2.0
add address=10.20.20.1/24 interface=KIDS_VLAN network=10.20.20.0
add address=10.20.40.1/24 interface=CAMERAS_VLAN network=10.20.40.0
add address=10.20.80.1/24 interface=DMZ_VLAN network=10.20.80.0
add address=10.102.102.2 interface=Utah network=10.102.102.1
add address=10.64.111.167 interface=Mullvad network=10.64.111.167
add address=10.103.103.1/24 interface="Remote Access Wireguard" network=\
    10.103.103.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
REMOVED
/ip dhcp-server network
add address=10.20.2.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
    gateway=10.20.2.1
add address=10.20.20.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
    gateway=10.20.20.1
add address=10.20.40.0/24 dns-server=10.20.40.1 domain=mikrotik.overseas \
    gateway=10.20.40.1
add address=10.20.80.0/24 dns-server=10.20.80.1 domain=mikrotik.overseas \
    gateway=10.20.80.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.2.0/24 comment="Local Subnets" list="Local Subnets"
add address=10.10.1.0/24 comment="Utah Subnets" list="Utah Subnets"
add address=10.10.10.0/24 list="Utah Subnets"
add address=10.10.30.0/24 list="Utah Subnets"
add address=10.10.50.0/24 list="Utah Subnets"
add address=10.20.20.0/24 list="Local Subnets"
add address=10.20.80.0/24 list="Local Subnets"
add address=10.20.20.10 comment="Kids Devices" list=KidsDevices
add address=10.20.20.11 list=KidsDevices
add address=10.20.20.22 list=KidsDevices
add address=10.20.20.23 list=KidsDevices
add address=10.20.20.20 list=KidsDevices
add address=10.20.20.21 list=KidsDevices
add address=10.20.20.22 comment="Kids Laptops" list="Kids Laptops"
add address=10.20.20.23 list="Kids Laptops"
add address=10.20.2.50 comment=Sonos list=Sonos
add address=10.20.2.3 comment=Streaming list=Streaming
add address=192.168.88.0/24 list="Local Subnets"
add address=10.20.20.0/24 comment="Kids Network" list="Kids Network"
add address=10.20.2.0/24 comment="Local Trusted Subnet" list=\
    "Local Trusted Network"
add address=10.20.2.4 list=Streaming
add address=10.20.2.8 list=Streaming
add address=10.20.2.9 list=Streaming
add address=10.20.2.51 list=Sonos
add address=10.20.2.52 list=Sonos
add address=10.20.2.53 list=Sonos
add address=10.20.2.54 list=Sonos
add address=10.20.2.55 list=Sonos
add address=10.20.2.56 list=Sonos
add address=10.20.2.57 list=Sonos
add address=10.102.102.0/24 comment="Utah Wireguard" list="Utah Wireguard"
add address=10.20.20.30 list=Streaming
add address=10.20.20.31 list=Streaming
add address=10.20.2.7 list=Streaming
add address=10.103.103.0/24 list="Local Subnets"
add address=10.20.2.70 comment="Management devices" list="Management Devices"
add address=10.20.2.71 list="Management Devices"
add address=10.20.2.72 list="Management Devices"
add address=10.20.2.73 list="Management Devices"
add address=10.20.80.0/24 comment="DMZ network" list=DMZ
add address=10.103.103.0/24 list="Management Devices"
add address=10.20.40.0/24 comment=Cameras list=Cameras
add address=10.20.40.0/24 list="Local Subnets"
/ip firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="management devices to router" \
    connection-state="" src-address-list="Management Devices"
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="allow ssh" dst-port=55512 protocol=tcp
add action=accept chain=input comment="remote access wireguard" dst-port=\
    51820 in-interface=ether1 protocol=udp
add action=accept chain=input comment="utah wireguard" dst-port=51822 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment="DNS " dst-port=53 in-interface-list=\
    ALL protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=ALL protocol=udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=ALL \
    protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment=\
    "allow established and related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="allow established and related" \
    connection-state=established,related
add action=accept chain=forward comment="remote wireguard" in-interface=\
    "Remote Access Wireguard"
add action=accept chain=forward comment="LAN firewall" dst-address-list=!DMZ \
    in-interface=BaseNetwork
add action=accept chain=forward comment="kids firewall" dst-address=10.20.2.6 \
    dst-port=53 in-interface=KIDS_VLAN protocol=tcp
add action=accept chain=forward dst-address=10.20.2.6 dst-port=53 \
    in-interface=KIDS_VLAN protocol=udp
add action=accept chain=forward in-interface=KIDS_VLAN out-interface=Utah \
    src-address-list=Streaming
# inactive time
add action=accept chain=forward in-interface=KIDS_VLAN out-interface=ether1 \
    time=5h-20h30m,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="cameras firewall" dst-address=\
    10.20.2.10 in-interface=CAMERAS_VLAN
add action=accept chain=forward dst-address=10.20.2.10 in-interface=\
    CAMERAS_VLAN
add action=accept chain=forward comment="DMZ firewall" in-interface=DMZ_VLAN \
    out-interface=ether1
add action=drop chain=forward comment="drop everything else" log-prefix=\
    "drop all"
/ip firewall nat
add action=masquerade chain=srcnat comment=ISP out-interface=ether1
add action=masquerade chain=srcnat comment=Mullvad out-interface=Mullvad
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Mullvad pref-src="" \
    routing-table=Mullvad scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.1.0/24 gateway=Utah pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=Utah pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.30.0/24 gateway=Utah pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.10.50.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Utah routing-table=\
    Utah scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=55512
set api disabled=yes
set winbox address=10.20.0.0/16,10.103.103.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/routing rule
add action=lookup disabled=no dst-address=10.20.0.0/16 src-address=\
    10.103.103.0/24 table=main
add action=lookup comment="Local to LTE Mikrotik" disabled=no dst-address=\
    192.168.88.0/24 src-address=10.20.2.0/24 table=main
add action=lookup-only-in-table comment="Local to Utah" disabled=no \
    dst-address=10.10.0.0/16 min-prefix=0 src-address=10.20.2.0/24 table=Utah
add action=lookup comment="Local to Local" disabled=no dst-address=\
    10.20.0.0/16 src-address=10.20.0.0/16 table=main
add action=lookup comment=kw.zain.com disabled=no dst-address=\
    212.43.17.129/32 src-address=10.20.2.0/24 table=main
add action=lookup comment=Sonos disabled=no src-address=10.20.2.50/32 table=\
    main
add action=lookup disabled=no src-address=10.20.2.51/32 table=main
add action=lookup disabled=no src-address=10.20.2.52/32 table=main
add action=lookup disabled=no src-address=10.20.2.53/32 table=main
add action=lookup disabled=no src-address=10.20.2.54/32 table=main
add action=lookup disabled=no src-address=10.20.2.55/32 table=main
add action=lookup disabled=no src-address=10.20.2.56/32 table=main
add action=lookup disabled=no src-address=10.20.2.57/32 table=main
add action=lookup comment=PiHole disabled=no src-address=10.20.2.6/32 table=\
    main
add action=lookup-only-in-table comment="Fire Tablets" disabled=no \
    min-prefix=0 src-address=10.20.20.30/32 table=Utah
add action=lookup-only-in-table disabled=no src-address=10.20.20.31/32 table=\
    Utah
add action=lookup-only-in-table comment=FireTV disabled=no src-address=\
    10.20.2.3/32 table=Utah
add action=lookup-only-in-table comment=AppleTV disabled=no src-address=\
    10.20.2.9/32 table=Utah
add action=lookup comment="LAN to Mullvad" disabled=no src-address=\
    10.20.2.0/24 table=Mullvad
/system clock
set time-zone-name=Asia/Kuwait
/system identity
set name=RB5009overseas
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
add address=0.pool.ntp.org
/system package update
set channel=development
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by gabacho4 on Wed Nov 24, 2021 9:01 pm, edited 2 times in total.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridges and VLANs - why?

Mon Oct 25, 2021 10:37 pm

Is this causing me issues because I am using the default vlan1 which is untagged versus tagged?

It is indeed. frame-types=admit-only-vlan-tagged is the appropriate setting for trunk (tagged-only) ports, while in your case where ports are hybrid (a few tagged VLANs and untagged) you should leave the setting at the default frame-types=admit-all. It will still offer a certain level of security (on ingress only select VLANs will be allowed, along with untagged with an appropriate setting of PVID - the default setting is PVID=1).
Last edited by mkx on Mon Oct 25, 2021 10:48 pm, edited 1 time in total.
 
gabacho4
Member
Topic Author
Posts: 332
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: bridges and VLANs - why?

Mon Oct 25, 2021 10:47 pm

mkx - alright I’ll leave that alone for sure. Explanation makes sense to me. Any other pointers?
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridges and VLANs - why?

Mon Oct 25, 2021 10:51 pm

Regarding L2 (VLANs) your setup seems fine to me. And I won't bother with L3 too much as I lack knowledge about your networks (and intentions).
 
gabacho4
Member
Topic Author
Posts: 332
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: bridges and VLANs - why?

Mon Oct 25, 2021 10:58 pm

Thanks again. This has been a pretty fun adventure. A few moments where I doubted my ability to stick with MikroTik but all in all not too horrible. The one thing really not in MikroTik’s favor is the very scattered and decentralized documentation. The documentation that exists is OK but doesn’t provide much by way of examples in many instances. The forum and other things I found online were very helpful. One of the biggest things I have to commend MikroTik users and experts for is the amazing support and guidance on the forums. Without you guys, I’m not sure I’d be using the Tik device still. Thanks a ton!
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: bridges and VLANs - why?

Mon Oct 25, 2021 11:44 pm

As per the links if you need a management vlan use something like vlan99.
Use all other vlans for data EXCEPT vlan1 which is the default vlan for the bridge which should be left as the default.
At least at our level of MT knowledge.

For example I would get rid of the base network and call it a vlan.
Move dhcp off the bridge to a vlan, so to speak.
Bridge name goes simply back to bridge or whatever you want to call it. MYBRIDGE etc..
vlan2 name is MainLan etc.

Once I introduce vlans, I prefer to use the bridge simply for bridging and nothing else.
 
gabacho4
Member
Topic Author
Posts: 332
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: bridges and VLANs - why?

Wed Oct 27, 2021 4:58 pm

anav - I would like to have done exactly what you advise but the issue is that Ubiquiti Unifi gear (my switches, my aps, cloud controller, security cameras) is set out of the box to run on vlan1 for adoption and configuration purposes. I've read up on ways to change this, but they all seem to be AFTER the device is adopted and setup. I don't feel like dealing with that mess personally. So, I definitely understand the vlan concept on Mikrotik much better and, in the future, if/when I decide to swap out the Unifi gear for MT or another brand that allows me to connect directly and configure from a GUI or CLI, I can update my config as you recommend. UNLESS, you know of a way to set up another untagged vlan1 and have my gear use that versus the bridge. Is that possible in any way?
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: bridges and VLANs - why?

Wed Oct 27, 2021 6:11 pm

All bridge ports, including the intrinsic one for bridge-to-CPU traffic, are by default untagged a.k.a. access ports. Adding tagged membership will change them into hybrid ports unless the ingress filtering is set to only permit tagged traffic.

You could either use VLAN 1 tagged internally with the following changes / additions:
/interface bridge
add admin-mac=2C:C8:1B:FF:62:8B auto-mac=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=BaseNetwork vlan-filtering=yes
/interface vlan
add interface=BaseNetwork name=MGMT_VLAN vlan-id=1
/interface bridge vlan
add bridge=BaseNetwork tagged=BaseNetwork vlan-ids=1

and change the IP address/services/firewall rules, etc. references from BaseNetwork to MGMT_VLAN

Or create a VLAN with any desired ID for management and untag it on the hybrid ports to the UniFi devices:
/interface vlan
add interface=BaseNetwork name=MGMT_VLAN vlan-id=NN
/interface bridge port
add bridge=BaseNetwork comment=defconf interface=ether2 pvid=NN
add bridge=BaseNetwork comment=defconf interface=ether3 pvid=NN
add bridge=BaseNetwork comment=defconf interface=ether4 pvid=NN
add bridge=BaseNetwork comment=defconf interface=sfp-sfpplus1 pvid=NN
/interface bridge vlan
add bridge=BaseNetwork tagged=BaseNetwork vlan-ids=NN

and again change the IP address/services/firewall rules, etc. references from BaseNetwork to MGMT_VLAN
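The distinction mkx draws earlier in the thread (admit-only-vlan-tagged is for trunk ports, hybrid ports stay at admit-all and rely on ingress filtering plus PVID) and tdw's point above that the bridge interface itself is the CPU-facing port with its own frame-types can both be checked mechanically against a text export before the change is applied, which is exactly the step that cost gabacho4 router access. The Python below is an added example written for this thread; it is not code from the thread, from tdw, or from MikroTik. It parses a constructed export (modelled on the bridge, port names and VLAN IDs from this thread, not the poster's full config), classifies every bridge port plus the bridge interface as access, hybrid or trunk from its frame-types and its tagged membership in /interface bridge vlan, and notes where admit-only-vlan-tagged would drop untagged PVID traffic or where ingress-filtering=no is set explicitly. The defaults it assumes when a property is absent (frame-types=admit-all, pvid=1) are the RouterOS defaults; the export handling (trailing-backslash continuation lines, key=value pairs) follows the format of the export posted above. A second constructed export reproduces tdw's first option to show how the bridge/CPU port is then reported.

```python
"""Audit bridge-port frame-type settings in a RouterOS text export (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample export modelled on the thread's bridge (not the poster's full
# config): hybrid ports carrying tagged VLANs 20/40/80 plus untagged PVID 1, except
# that ether3 has been switched to admit-only-vlan-tagged, ether4 is a plain access
# port with PVID 99, and sfp-sfpplus1 has ingress filtering switched off explicitly.
SAMPLE_EXPORT = """\
/interface bridge
add name=BaseNetwork vlan-filtering=yes
/interface bridge port
add bridge=BaseNetwork interface=ether2
add bridge=BaseNetwork interface=ether3 frame-types=admit-only-vlan-tagged \\
    ingress-filtering=yes
add bridge=BaseNetwork interface=ether4 pvid=99
add bridge=BaseNetwork interface=sfp-sfpplus1 ingress-filtering=no
/interface bridge vlan
add bridge=BaseNetwork tagged=BaseNetwork,ether2,ether3,sfp-sfpplus1 \\
    vlan-ids=20,40,80
"""

# Same bridge after tdw's first option: VLAN 1 tagged internally on the CPU port and
# the bridge interface itself accepting tagged frames only (constructed).
TAGGED_MGMT_EXPORT = """\
/interface bridge
add name=BaseNetwork vlan-filtering=yes frame-types=admit-only-vlan-tagged \\
    ingress-filtering=yes
/interface bridge port
add bridge=BaseNetwork interface=ether2
/interface bridge vlan
add bridge=BaseNetwork tagged=BaseNetwork,ether2 vlan-ids=20,40,80
add bridge=BaseNetwork tagged=BaseNetwork vlan-ids=1
"""

_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def _logical_lines(export: str) -> List[str]:
    """Join RouterOS continuation lines (trailing backslash) into single lines."""
    lines, buf = [], ""
    for raw in export.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def parse_export(export: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {section path: [ {key: value, ...} per 'add' line ]}; 'set' lines are ignored."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = ""
    for line in _logical_lines(export):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
        elif line.startswith("add "):
            entry = {k: v.strip('"') for k, v in _KV.findall(line[4:])}
            sections.setdefault(current, []).append(entry)
    return sections


def audit_bridge_ports(export: str) -> Dict[str, Dict[str, object]]:
    """Classify each bridge member as access/hybrid/trunk and note risky frame-type settings."""
    cfg = parse_export(export)
    # Tagged membership per interface, taken from the bridge VLAN table.
    tagged_on: Dict[str, Set[str]] = {}
    for row in cfg.get("/interface bridge vlan", []):
        for member in filter(None, row.get("tagged", "").split(",")):
            tagged_on.setdefault(member, set()).update(
                filter(None, row.get("vlan-ids", "").split(",")))
    # Physical bridge ports plus the bridge interface itself (the CPU-facing port).
    members: List[Tuple[str, Dict[str, str]]] = [
        (p["interface"], p) for p in cfg.get("/interface bridge port", [])]
    members += [(b["name"], b) for b in cfg.get("/interface bridge", [])]

    report: Dict[str, Dict[str, object]] = {}
    for name, props in members:
        frame_types = props.get("frame-types", "admit-all")  # RouterOS default
        pvid = props.get("pvid", "1")                         # RouterOS default
        tagged = sorted(tagged_on.get(name, set()))
        notes: List[str] = []
        if frame_types == "admit-only-vlan-tagged":
            role = "trunk"
            notes.append(f"untagged frames (PVID {pvid}) are dropped on ingress; "
                         "correct only if the peer sends tagged frames exclusively")
            if not tagged:
                notes.append("tagged-only port with no tagged VLAN membership carries nothing")
        elif tagged:
            role = "hybrid"   # tagged VLANs plus untagged PVID traffic, as in this thread
        else:
            role = "access"   # untagged PVID traffic only
        if props.get("ingress-filtering") == "no":
            notes.append("ingress-filtering=no: frames for VLANs this port is not a member of are accepted")
        report[name] = {"role": role, "pvid": pvid, "frame_types": frame_types,
                        "tagged_vlans": tagged, "notes": notes}
    return report


if __name__ == "__main__":
    for export in (SAMPLE_EXPORT, TAGGED_MGMT_EXPORT):
        for port, info in audit_bridge_ports(export).items():
            print(f"{port:14} {info['role']:6} pvid={info['pvid']} "
                  f"tagged={','.join(info['tagged_vlans']) or '-'}")
            for note in info["notes"]:
                print(f"{'':14} ! {note}")
        print()
```

Run against a real `/export` the same way; ports the audit reports as hybrid should stay at admit-all, as mkx advised, and a trunk note on a port whose peer also sends untagged management traffic is the configuration that locked gabacho4 out.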
 
gabacho4
Member
Topic Author
Posts: 332
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: bridges and VLANs - why?

Wed Oct 27, 2021 10:02 pm

tdw - outstanding advice and recommendations. I went with option 1 as this is what I had intended to do when I set out to create the VLANs. Couldn't have been much easier and I am back to pushing packets no differently than before. I've also verified that ether2,3,4 all take over in the event I disconnect the sfp+ so all is configured well. I am most pleased! Thanks again to you and to all the others who have helped me figure this out. Have learned a ton and am no longer as timid about MT products as I was when I started.

FYI - I updated my RB5009 with the new 7.1rc5 and it works great so, for any of you out there who might have been hesitant, while my config isn't the same as yours might be, I haven't seen any issues whatsoever on the device. I. Am. Loving. It.
