Community discussions

MikroTik App
 
metik237
just joined
Topic Author
Posts: 14
Joined: Wed Jan 26, 2022 10:30 pm

VLAN Trunk on hEX RB750Gr2

Fri Jan 28, 2022 10:11 am

Hi,

I have been using Mikrotik RB750GR2 for couple of month as my main router and till now I have been able to configure everthing I really needed.
Now I am extending my home lab and would like activate several VLANs which are more or less intended for VMware lab.
Network topology is very basic. There is Mikrotik hEX RB750Gr2 as main roter and Managed TP-Link switch SG108E (see attached topology).

What is confusing to me, is that there are several ways to configure VLANs on Mikrotik. Some people are using bridge and some not, but nevertheless nothing is really working for me.

What is the goal:
To configure only Mikrotik port 4 to be able to trunk VLAN 100,200,50,88 to TP-Link switch Port1. Than I would again trunk 4 ports from Switch to 2 ESXi hosts where multiple VMs are deployed.

In my case I really dont have idea whether configure Mikrotik without VLAN bridging:
Interface list: Add VLAN, choose ID and assign to Port4
Address list: Add addressess and assign it to previously created VLANs

...Or with bridging and vlan filtering?
Create new bridge interface
Add port 4 to the bridge
Create VLAN tabble (tagging only Port4, Untagging 0)
Activate VLAN filtering

Let me also mention that I already have one active bridge, if that is playing any part?

Topology:
Topology.jpg
SG108E:
TP-Link-SG108E.png
Thank you in advance for any help or tip!

BR,

Matic
You do not have the required permissions to view the files attached to this post.
 
Antoni777
just joined
Posts: 8
Joined: Tue Jan 18, 2022 4:20 am

Re: VLAN Trunk on hEX RB750Gr2

Fri Jan 28, 2022 6:36 pm

I'm interested in this answer because I have the same issue as you. Also, just in case you know, I have the same topology as you with the exception that I want port #4 (in the router) to be a separate VLAN for my VOIP. My issue is that I have tried many settings, but I can't get port 4 to issue an IP corresponding to my VOIP IP pool. It just issues a bridge native IP, and if I turn on VLAN filtering, I don't get any IP at all. In my setup all ports are a member of 1 bridge. I'm using ROS 7.1.1
 
Sob
Forum Guru
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN Trunk on hEX RB750Gr2

Fri Jan 28, 2022 6:57 pm

If you need to use only one port on RB, and you're sure that you won't need more in future (e.g. you won't need to extend same VLANs to another switch in second RB's port), then just remove that port from any existing bridge, add four VLAN interfaces to it, and that's it (aside from IP settings and such).
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Fri Jan 28, 2022 8:21 pm

Regarding the SG108E setup.........
The only ports with native vlan1 set as pvid should be the trunk ports.
The other ports (access port) will have the pVID of the vlan in use ( tagged when traffic coming from dumb device onto switch and stripped when traffic heading back to dumb device)

Management port for 2-4 STEWPID ubiquiti APs that expect the management vlan OKAY (damn hybrid ports to come in untagged However the production vlan 2000 should be removed from ports 2-4!! The ubiquitis should only need 100 untagged and 88 tagged. (same here the untagging of pvid 100 removes vlan1 here).

If they were normal APs, both 88 and 100 would go to them as a trunk port.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Antoni777
just joined
Posts: 8
Joined: Tue Jan 18, 2022 4:20 am

Re: VLAN Trunk on hEX RB750Gr2

Fri Jan 28, 2022 9:54 pm

If you need to use only one port on RB, and you're sure that you won't need more in future (e.g. you won't need to extend same VLANs to another switch in second RB's port), then just remove that port from any existing bridge, add four VLAN interfaces to it, and that's it (aside from IP settings and such).
I would rather keep everything in one bridge for simplicity, I don't know what exactly I'm missing. The PVID is already changed. VLAN is configured in the interface menu/ not at the bridge lvl.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Fri Jan 28, 2022 10:03 pm

Follow the link to ITEM C here - viewtopic.php?t=182373. It is the best vlan setup with examples document.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Antoni777
just joined
Posts: 8
Joined: Tue Jan 18, 2022 4:20 am

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 1:05 am

Follow the link to ITEM C here - viewtopic.php?t=182373. It is the best vlan setup with examples document.
Thanks, it has to be something I'm missing as I removed the port from the bridge and still not gave an IP address. I will continue to research.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 1:31 am

post your router config.
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Antoni777
just joined
Posts: 8
Joined: Tue Jan 18, 2022 4:20 am

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 2:21 am

post your router config.
/export hide-sensitive file=anynameyouwish
# model = RB5009UG+S+
# serial number =
/interface bridge
add admin-mac=(mac address) auto-mac=no comment="Management VLAN" \
ingress-filtering=no name=bridgeLAN pvid=14 vlan-filtering=yes
/interface vlan
add interface=sfp-sfpplus1 name="vlan 20 Rokus & streaming devices" vlan-id=\
20
add interface=sfp-sfpplus1 name="vlan 40 Cameras" vlan-id=40
add interface=sfp-sfpplus1 name="vlan 50 Lab LAN" vlan-id=50
add interface=ether4 name="vlan 60 Majik Jack" vlan-id=60
add interface=sfp-sfpplus1 name="vlan10 Computers and Printers" vlan-id=10
add interface=sfp-sfpplus1 name="vlan30 Game Consoles" vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name="USER VLANS"
add name="Cam VLANS"
add name="Lab VLANS"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="Pool 14 Management" ranges=95.32.7.100-95.32.7.144
add name="Pool 10 Computers" ranges=44.33.10.100-44.33.10.150
add name="Pool 20 Rokus" ranges=44.33.20.100-44.33.20.150
add name="Pool 30 Game consoles" ranges=44.33.30.100-44.33.30.120
add name="Pool 40 Cameras" ranges=44.33.40.100-44.33.40.150
add name="Pool 50 Lab Network" ranges=44.33.50.100-44.33.50.120
add name="Pool 60 Majick Jack" ranges=44.33.60.100-44.33.60.110

/ip dhcp-server
add address-pool="Pool 14 Management" interface=bridgeLAN name=\
"Management VLAN14"
add address-pool="Pool 10 Computers" interface=\
"vlan10 Computers and Printers" lease-time=1d name=\
"Computers and printers"
add address-pool="Pool 10 Computers" interface=\
"vlan 20 Rokus & streaming devices" lease-time=1d name=\
"ROKUS and streaming devices"
add address-pool="Pool 30 Game consoles" interface="vlan30 Game Consoles" \
lease-time=1d name="Game Consoles"
add address-pool="Pool 40 Cameras" interface="vlan 40 Cameras" lease-time=1d \
name=Cameras
add address-pool="Pool 50 Lab Network" interface="vlan 50 Lab LAN" \
lease-time=1d name="Lab Network"
add address-pool="Pool 60 Majick Jack" interface="vlan 60 Majik Jack" name=\
"Majick Jack"
/interface bridge port
add bridge=bridgeLAN comment=defconf ingress-filtering=no interface=ether2 \
pvid=14
add bridge=bridgeLAN comment=defconf ingress-filtering=no interface=ether3 \
pvid=14
add bridge=bridgeLAN comment=defconf disabled=yes interface=ether5 pvid=14
add bridge=bridgeLAN comment=defconf disabled=yes ingress-filtering=no \
interface=ether6
add bridge=bridgeLAN comment=defconf disabled=yes ingress-filtering=no \
interface=ether7
add bridge=bridgeLAN comment=defconf disabled=yes ingress-filtering=no \
interface=ether8
add bridge=bridgeLAN comment="All VLAN going to Switch and AP" \
ingress-filtering=no interface=sfp-sfpplus1 pvid=14
add bridge=bridgeLAN interface=ether4 pvid=60
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridgeLAN comment="VLAN for Administrator" tagged=sfp-sfpplus1 \
untagged=ether2,ether3 vlan-ids=14
/interface list member
add comment=defconf interface=bridgeLAN list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="vlan10 Computers and Printers" list="USER VLANS"
add interface="vlan 20 Rokus & streaming devices" list="USER VLANS"
add interface="vlan30 Game Consoles" list="USER VLANS"
add interface="vlan 40 Cameras" list="Cam VLANS"
add interface="vlan 50 Lab LAN" list="Lab VLANS"
/ip address
add address=95.32.7.1/24 comment="Management VLAN14" interface=bridgeLAN \
network=95.32.7.0
add address=44.33.10.1/24 comment="Computers and printers" interface=\
"vlan10 Computers and Printers" network=44.33.10.0
add address=44.33.20.1/24 comment="ROKUS and streaming devices" interface=\
"vlan 20 Rokus & streaming devices" network=44.33.20.0
add address=44.33.30.1/24 comment="Game Consoles" interface=\
"vlan30 Game Consoles" network=44.33.30.0
add address=44.33.40.1/24 comment=Cameras interface="vlan 40 Cameras" \
network=44.33.40.0
add address=44.33.50.1/24 comment="Lab Network" interface="vlan 50 Lab LAN" \
network=44.33.50.0
add address=44.33.60.1/24 comment="Majick Jack" interface=\
"vlan 60 Majik Jack" network=44.33.60.0
/ip dhcp-client
add comment=defconf interface=ether1
add address=44.33.10.0/24 comment="Computers and Printers" gateway=44.33.10.1
add address=44.33.20.0/24 comment="Rokus & streaming devices" gateway=\
44.33.20.1
add address=44.33.30.0/24 comment="Game Consoles" dns-server=1.1.1.1,1.0.0.1 \
gateway=44.33.30.1
add address=44.33.40.0/24 comment=Cameras dns-server=1.1.1.1,1.0.0.1 gateway=\
44.33.40.1
add address=44.33.50.0/24 comment="LAB LAN" dns-server=1.1.1.1,1.0.0.1 \
gateway=44.33.50.1
add address=44.33.60.0/24 comment="Majik Jack" dns-server=1.1.1.1,1.0.0.1 \
gateway=44.33.60.1
add address=95.32.7.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
95.32.7.1 netmask=24
/ip dns
set use-doh-server=https://doh.cleanbrowsing.org/doh/adult-filter/ \
verify-doh-cert=yes
/ip dns static
add address=95.32.7.1 comment=defconf name=router.lan
/ip firewall address-list
add address=130.44.212.0/24 list=tiktok
add address=130.44.213.0/24 list=tiktok
add address=130.44.214.0/24 list=tiktok
add address=130.44.215.0/24 list=tiktok
add address=139.177.224.0/24 list=tiktok
add address=139.177.225.0/24 list=tiktok
add address=139.177.226.0/24 list=tiktok
add address=139.177.227.0/24 list=tiktok
add address=139.177.229.0/24 list=tiktok
add address=139.177.235.0/24 list=tiktok
add address=139.177.252.0/24 list=tiktok
add address=139.177.255.0/24 list=tiktok
add address=147.160.176.0/24 list=tiktok
add address=147.160.177.0/24 list=tiktok
add address=147.160.178.0/24 list=tiktok
add address=147.160.179.0/24 list=tiktok
add address=147.160.180.0/24 list=tiktok
add address=147.160.181.0/24 list=tiktok
add address=147.160.182.0/24 list=tiktok
add address=147.160.183.0/24 list=tiktok
add address=147.160.184.0/24 list=tiktok
add address=147.160.185.0/24 list=tiktok
add address=147.160.187.0/24 list=tiktok
add address=147.160.188.0/24 list=tiktok
add address=147.160.189.0/24 list=tiktok
add address=147.160.190.0/24 list=tiktok
add address=147.160.191.0/24 list=tiktok
add address=192.64.14.0/24 list=tiktok
add address=199.103.24.0/24 list=tiktok
add address=161.117.0.0/17 list=tiktok
add address=161.117.70.145 list=tiktok
add address=161.117.71.36 list=tiktok
add address=161.117.71.33 list=tiktok
add address=161.117.70.136 list=tiktok
add address=161.117.71.74 list=tiktok
add address=216.58.207.0/24 list=tiktok
add address=47.89.136.0/24 list=tiktok
add address=47.252.50.0/24 list=tiktok
add address=205.251.194.210 list=tiktok
add address=205.251.193.184 list=tiktok
add address=205.251.198.38 list=tiktok
add address=205.251.197.195 list=tiktok
add address=185.127.16.0/24 list=tiktok
add address=182.176.156.0/24 list=tiktok
add address=v16a.tiktokcdn.com list=tiktok
add address=ib.tiktokv.com list=tiktok
add address=v16m.tiktokcdn.com list=tiktok
add address=api.tiktokv.com list=tiktok
add address=log.tiktokv.com list=tiktok
add address=api2-16-h2.musical.ly list=tiktok
add address=mon.musical.ly list=tiktok
add address=p16-tiktokcdn-com.akamaized.net list=tiktok
add address=api-h2.tiktokv.com list=tiktok
add address=v19.tiktokcdn.com list=tiktok
add address=api2.musical.ly list=tiktok
add address=log2.musical.ly list=tiktok
add address=api2-21-h2.musical.ly list=tiktok
add address=161.117.0.0/16 list=tiktok
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=input comment="Majick Jack Rule" disabled=yes \
in-interface="vlan 60 Majik Jack"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktok.com src-address=\
44.33.10.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktok.com src-address=\
44.33.20.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktok.com src-address=\
44.33.30.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktok.com src-address=\
44.33.10.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktok.com src-address=\
44.33.20.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktok.com src-address=\
44.33.30.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktokv.com src-address=\
44.33.10.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktokv.com src-address=\
44.33.20.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktokv.com src-address=\
44.33.30.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktokcdn.com src-address=\
44.33.10.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktokcdn.com src-address=\
44.33.20.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.tiktokcdn.com src-address=\
44.33.30.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.byteoversea.com src-address=\
44.33.10.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.byteoversea.com src-address=\
44.33.20.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.byteoversea.com src-address=\
44.33.30.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.ibyteimg.com src-address=\
44.33.10.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.ibyteimg.com src-address=\
44.33.20.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.ibyteimg.com src-address=\
44.33.30.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.ibytedtos.com src-address=\
44.33.10.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.ibytedtos.com src-address=\
44.33.20.0/24
add action=add-dst-to-address-list address-list=tiktok address-list-timeout=\
none-static chain=prerouting content=.ibytedtos.com src-address=\
44.33.30.0/24
add action=add-dst-to-address-list address-list=TikTok address-list-timeout=\
4w2d chain=prerouting content=.myqcloud.com src-address=10.0.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=3400
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system identity
set name=(name)
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
Antoni777
just joined
Posts: 8
Joined: Tue Jan 18, 2022 4:20 am

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 2:22 am

VLAN 60 is the one i'm trying to get out of port 4(in the bridge).
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 3:24 am

Your Bridge definition is non-standard REMOVE PVID14 for now. Its not the place to use vlanID normally.
You dont identify the bridge as the managment vlan either,,,,,,, its a bridge!!!

You have 6 vlans and 7 Pools, dont tell me you are using the bridge to also do dhcp etc. ???
If so, keep it simple and consistent take that subnet and make it a vlan aka where is your management vlan ????
In other words simply add VLAN14 LIKE ALL THE OTHERS!!!

bub but but why do you use your management vlan on ether2,3,4 as access ports. ??
Nothing makes sense in your config ???

You seriously need to read this article!!!
AND USE IT!
viewtopic.php?t=143620
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Antoni777
just joined
Posts: 8
Joined: Tue Jan 18, 2022 4:20 am

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 4:01 am

Your Bridge definition is non-standard REMOVE PVID14 for now. Its not the place to use vlanID normally.
You dont identify the bridge as the managment vlan either,,,,,,, its a bridge!!!

You have 6 vlans and 7 Pools, dont tell me you are using the bridge to also do dhcp etc. ???
If so, keep it simple and consistent take that subnet and make it a vlan aka where is your management vlan ????
In other words simply add VLAN14 LIKE ALL THE OTHERS!!!

bub but but why do you use your management vlan on ether2,3,4 as access ports. ??
Nothing makes sense in your config ???

You seriously need to read this article!!!
AND USE IT!
viewtopic.php?t=143620
Thanks, the 7th pool was from the default configuration and was on the bridge as a dhcp. I will remove the VLAN from the bridge, and also add the management VLAN to interfaces.
I will read the suggested article and make the changes afterwards. I would like to have access to the management VLAN in ports 2 & 3 only, just in case the access point goes down, then I can still access the management vlan physically at the router location (basement). Port 4 is only for the VOIP. the rest of the vlans with be pushed to switch through the SFP and then to their respective SSIDs.
V/r


Tony
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 6:08 am

Good evening antoni.

My recommendation is two-fold.

a. yes its a good idea, if you have a free port to simply put it as an access port on the management vlan, so that you can plug your PC into the port and be on the management vlan.
b. you dont need two ports to do this, but a Better Idea for the second port i you have another not used, is to make an emergency access port out of it, but one that is OFF the bridge.

In other words if something goes screwy and your configuring the bridge that may make all the associated bridge ports not accessible, simply plug your pc into an off bridge port and you regain access to the router for config.
viewtopic.php?t=181718
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
metik237
just joined
Topic Author
Posts: 14
Joined: Wed Jan 26, 2022 10:30 pm

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 6:02 pm

If you need to use only one port on RB, and you're sure that you won't need more in future (e.g. you won't need to extend same VLANs to another switch in second RB's port), then just remove that port from any existing bridge, add four VLAN interfaces to it, and that's it (aside from IP settings and such).
I think I alreday tried that, but let me check it again. Just tell me, if I need to link IP address (IP address list) to Ethernet4 port or VLAN interfaces?

Additional question related to SG108E...
I understand how tagging/untagging works, but I am still unsure what to do with VLAN1 on that switch. Since the eth1 on SG108E is "uplink", should VLAN1 be tagged instead of default value - untagged?
 
Sob
Forum Guru
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 7:49 pm

You're adding VLAN interfaces to get new separate networks, with separate interfaces. So you work with them, same way as if they were physical ethernets. Example:
/interface vlan
add interface=ether4 name=management vlan-id=100
add interface=ether4 name=production vlan-id=200
...
/ip address
add interface=management address=192.168.55.1/24
add interface=production address=10.34.0.0/16
...
As for switch, I don't know this one exactly, but it should be possible to configure VLANs any way you want, if you don't want VLAN 1 on some ports, simply remove it from there.
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 9:37 pm

Switch.
PVID table - all trunk ports retain default setting of 1, all access or hybrid ports should have a pvid port of the particular vlan being used on that port (namely tagging traffic coming from the dumb device connected to the port and stripping the the vlanID when return traffic leaves the port heading back to the dumb device.

Trunk ports: all vlans going through a trunk port should be TAGGED for that port.
Access port: Vlan traffic going through an access port should be UNTAGGED for that port.

A port member - vlan1 is a port member for all trunk ports, and NOT a member for access ports.

As far as tagging my recollection is for tplink switches vlan1 is never tagged and never untagged. its just a member or its not and the default pvid of a port is 1 unless its an access port.
I will try to see if I can find other information
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
metik237
just joined
Topic Author
Posts: 14
Joined: Wed Jan 26, 2022 10:30 pm

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 10:22 pm

Vlan 1 on tplink switch is default untagged for all ports.
In theory i would have to change it to tagged, or just put everything blank.
Every non trunk port can have only one untagged vlan (access port), so i can asume this default value has to be changed for vlan1 - from untagged to nothing or tagged.
Additionally, vlan1 on port 1 cannot be untagged as there is no way to pass trough all vlans.

If we check my 1st post with topology, switch configuration should be:

Vlan1:
U: /
T: 1, 5,6,7,8 .. or also /

Vlan100:
U: /
T: 5,6,7,8

Vlan200:
U: /
T: 5,6,7,8

Vlan50:
U: /
T: 5,6,7,8

Vlan88:
U: 3,4
T: /

Am I right?
 
User avatar
k6ccc
Forum Veteran
Forum Veteran
Posts: 918
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 10:58 pm

Why are you using publicly routable IP address ranges for your private LANs? At the very least, that would make it difficult or impossible to reach a internet destination within the address ranges you are using. You normally whould be using one of the private IP address ranges. For small networks, that is most commonly 192.168.x y... There are others.
RB4011iGS+, RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Warning: I know enough to be dangerous...

Jim
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Sat Jan 29, 2022 11:19 pm

Okay then leave it untagged for all ports EXCEPT access ports.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
metik237
just joined
Topic Author
Posts: 14
Joined: Wed Jan 26, 2022 10:30 pm

Re: VLAN Trunk on hEX RB750Gr2

Sun Jan 30, 2022 2:30 pm

Hi, I managed to solve the vlan issue. Now I finally am able to get all necessary vlans from tplink switch.

It is enough to just create a VLANs under Interface menu, and add IP addresses to those VLANs. I found out that I had a problem with vlan1 (U/T).

However, I would just like to ask how can I "connect" some vlans together. For instance. I would like to access some IPs on 192.168.88.0/24 network from 192.168.100.0/24?
I corrected Firewall rules, but aparently something is missing, as I am not getting responses from those devices. What am I missing?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Sun Jan 30, 2022 3:59 pm

Post your latest config
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Sob
Forum Guru
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN Trunk on hEX RB750Gr2

Sun Jan 30, 2022 7:22 pm

Router by default routes everything it can. So if it's sent to it (all involved devices have it as gateway) and you don't block it (with firewall), it must work.
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
mkx
Forum Guru
Forum Guru
Posts: 7686
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN Trunk on hEX RB750Gr2

Sun Jan 30, 2022 9:03 pm

Router by default routes everything it can. So if it's sent to it (all involved devices have it as gateway) and you don't block it (with firewall), it must work.

And keep in mind that many devices come with firewall enabled. Windows firewall, for example, blocks anything coming from outside own subnet by default.
BR,
Metod
 
metik237
just joined
Topic Author
Posts: 14
Joined: Wed Jan 26, 2022 10:30 pm

Re: VLAN Trunk on hEX RB750Gr2

Mon Jan 31, 2022 9:26 am

Post your latest config
Here it is:
configexport31-1-2022.rsc
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN Trunk on hEX RB750Gr2

Tue Feb 01, 2022 6:16 am

Oh boy... what is that crazy exercise with input and output chains? Use normal stateful firewall (rules with connection-state), see e.g. here. And I don't think you need most of those rules at all.

As for communication between vlan subnets, current firewall is not blocking that (it's chain=forward and it only blocks new incoming connections from WAN that are not forwarded ports).
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Tue Feb 01, 2022 11:19 am

Based on that comment I wont even look LOL.
But will recommend you review Article B here - viewtopic.php?t=182373
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Sob
Forum Guru
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN Trunk on hEX RB750Gr2

Tue Feb 01, 2022 1:58 pm

@anav: Be strong! As officially recognized guru, you must be able to handle these things. And it's not bad enough to cause any lasting trauma. ;)
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Tue Feb 01, 2022 5:09 pm

jajajajaj okay boss! Wilco!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
metik237
just joined
Topic Author
Posts: 14
Joined: Wed Jan 26, 2022 10:30 pm

Re: VLAN Trunk on hEX RB750Gr2

Tue Feb 01, 2022 10:37 pm

Oh boy... what is that crazy exercise with input and output chains? Use normal stateful firewall (rules with connection-state), see e.g. here. And I don't think you need most of those rules at all.

As for communication between vlan subnets, current firewall is not blocking that (it's chain=forward and it only blocks new incoming connections from WAN that are not forwarded ports).
Thanks for the reply. I know my config is not perfect. The reason is most probably because I am not a Network system engineer or a self taught network guru :P
Anyhow, I didnt quite understood what exactly is causing that subnet 192.168.88.0/24 (from my default configuration) is not communicating with defined vlan subnets?
 
Sob
Forum Guru
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN Trunk on hEX RB750Gr2

Wed Feb 02, 2022 12:28 am

That's the problem, I don't see it. One small mistake is that 192.168.88.1/24 should be on bridge2, because ether3-slave-local is member of that bridge. But that's not breaking it. Otherwise if all devices have this router as gateway, it should work. Firewall (chain=forward) is not blocking communication between local intefaces (except new connections from WAN). So check also target device's own firewall, if it accepts traffic from other subnets (some don't allow it by default).
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Wed Feb 02, 2022 1:57 am

Yes your config is what I call a bloated mess and inconsistent.
This is what happens when people use apples and oranges. USE ALL VLANS, forget the bridge doing anything but bridging is my advice,
and keep the vlans with interface Bridge. No reason to assign to etherports directly. Sure it can be done but then it becomes an error prone nightmare
Cmon people KISS!!!!!!

It doesnt take long to see the CARNAGE LOL

Three vlans, with three pools but what about those pools?? Looks like pool2 vlan 200 has got the wrong assignment!!!
WHERE IS POOL FOR VLAN 50 and where is its dhcp server
There is more, a missing interface for one dhcp server and of course, make up your mind on the bridge is it ether3 or bridge LOL............. LIke I said a really poor way of configuring.

/interface vlan
add interface=ether4-TRUNK name="Management VLAN 100" vlan-id=100
add interface=ether4-TRUNK name="Production VLAN 200" vlan-id=200
add interface=ether4-TRUNK name="vMotion VLAN 50" vlan-id=50

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.100.100-192.168.100.254
add name=dhcp_pool3 ranges=192.168.100.100-192.168.100.254
POOL FOR VLAN 50??

/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge2
name=default

add address-pool=dhcp_pool2 disabled=no name=dhcp1 where is interface ???
add address-pool=dhcp_pool3 disabled=no interface="Management VLAN 100" name=\
dhcp2
dhcp server for vLAN 50??

/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
ether3-slave-local
network
=192.168.88.0[/color]
add address=192.168.100.1/24 interface="Management VLAN 100" network=\
192.168.100.0
add address=192.168.200.1/24 interface="Production VLAN 200" network=\
192.168.200.0
add address=192.168.50.1/24 interface="vMotion VLAN 50" network=192.168.50.0
add address=192.168.99.1/24 disabled=yes network=192.168.99.0

No Sob, please dont make me look at the FW rules...........
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Wed Feb 02, 2022 2:05 am

I can only imagine without looking that dhcp-server-network is also wrong or incomplete.................not even bothering....
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
lfoerster
newbie
Posts: 35
Joined: Mon Mar 07, 2022 1:29 pm

Re: VLAN Trunk on hEX RB750Gr2

Tue Mar 15, 2022 5:49 pm

Maybe this documentation helps to clarify the issue:
https://administrator.de/contentid/367186
Screenshots are more or less self explaining...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 11798
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN Trunk on hEX RB750Gr2

Tue Mar 15, 2022 6:29 pm

Umm why do you post that document to solve every thread LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!

Who is online

Users browsing this forum: Bing [Bot] and 9 guests