GAAA
just joined
Topic Author
Posts: 20
Joined: Wed Mar 09, 2022 8:20 am

Two routers, different subnet on one of ports of second router via VLAN how to?

Tue Mar 15, 2022 4:02 am

So I've got two hap ac2 connected with an ethernet cable, from router 1 ether2 to router 2 ether1. Router1 is the gateway to the internet with default config. Router2 simply has all interfaces bridged. Router2 ether2 is connected to the neighbor's network, and I want that to function as a separate LAN (while the rest of the interfaces on router2 remain bridged for the main subnet).

Here is what I've tried, but it did not work.
On router 1, I created vlan2 interface with vlan id 2 on the bridge interface, assigned it an address block, and created a DHCP server for it.

On bridge VLAN, put ether2 tagged for vlan 2

and enabled vlan filtering on the bridge.

And on router 2, set bridge port ether2 PVID to 2.

and in bridge vlan, set vlan 2 tagged on ether1 and untagged on ether2.

But once vlan filtering is enabled on the bridge of router2, the port seems completely unusable. Am I doing this right? Or how should I do it?
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Tue Mar 15, 2022 6:56 pm

Post config on router 1 and router 2
 
GAAA
just joined
Topic Author
Posts: 20
Joined: Wed Mar 09, 2022 8:20 am

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Tue Mar 15, 2022 11:51 pm

Router 1
# mar/15/2022 14:45:15 by RouterOS 7.1.3
# software id = 6M62-Q2C2
#
# model = RBD52G-5HacD2HnD
# serial number = [redacted]
/interface bridge
add admin-mac=[redacted] auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan2 vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=secured supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country="united states" disabled=no distance=indoors frequency=2417 hide-ssid=yes installation=indoor mode=ap-bridge security-profile=secured ssid=[redacted] wireless-protocol=\
    802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-Ceee country="united states" disabled=no distance=indoors frequency=5500 hide-ssid=yes installation=indoor mode=ap-bridge security-profile=secured ssid=\
    [redacted] wireless-protocol=802.11 wps-mode=disabled
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=dhcp-lan
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=us8843.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=10.39.0.128-10.39.0.254
add name=vlan2dhcp_pool ranges=10.39.2.128-10.39.2.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=vlan2dhcp_pool interface=vlan2 name=vlan2dhcp
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether2 vlan-ids=2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.39.0.1/24 comment=defconf interface=bridge network=10.39.0.0
add address=10.39.2.1/24 interface=vlan2 network=10.39.2.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.39.0.0/24 comment=defconf gateway=10.39.0.1 netmask=24
add address=10.39.2.0/24 gateway=10.39.2.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=10.39.0.230 comment=[redacted] name=EAP
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
/ip firewall address-list
add address=10.39.0.128/25 list=dhcp-lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=[redacted]
/ip ipsec policy
add action=none dst-address=10.39.0.128/25 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-name=America/Los_Angeles
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Router 2
# mar/15/2022 14:49:07 by RouterOS 7.1.3
# software id = JHN7-NCER
#
# model = RBD52G-5HacD2HnD
# serial number = [redacted]
/interface bridge
add name=bridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=secure supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country="united states" disabled=no frequency=2437 hide-ssid=yes installation=outdoor mode=ap-bridge security-profile=secure ssid=[redacted] wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-eeeC country="united states" disabled=no frequency=5320 hide-ssid=yes installation=outdoor mode=ap-bridge security-profile=secure ssid=[redacted] \
    wps-mode=disabled
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1
add bridge=bridge ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=wlan2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether2 pvid=2
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2 vlan-ids=2
/ip address
add address=10.39.0.2/24 interface=bridge network=10.39.0.0
/ip dns
set servers=10.39.0.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.39.0.1 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=MikroTik2
/system routerboard settings
set cpu-frequency=auto
 
Rudios
Forum Veteran
Posts: 972
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Wed Mar 16, 2022 7:32 am

Your config output of Router 1 does not show PVID=2 for ether2 on that router.
Can you check that this is properly configured?

Additionally, I would move away from VLAN 1 for the remaining parts of your network: put all main subnet interfaces, including the bridges, on a dedicated separate VLAN. This gives more secure segmentation and leaves fewer possibilities to misuse the default VLAN 1.
As a final recommendation, also put an unused VLAN id on your trunk interface for the same reason and enable ingress-filtering with frame-types=admit-only-vlan-tagged.


[EDIT]
I have reviewed your configs and the explanation of your setup again, and I have to correct myself here.
You have to set up a trunk connection between R1e2 and R2e1.
As I stated above, I would recommend stepping away from the usage of VLAN 1 as a whole, but it can be done without this change.
But you have to put the following line on Router 1:
/interface bridge vlan
add vlan-ids=2 bridge=bridge tagged=ether2 untagged=bridge
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Wed Mar 16, 2022 1:55 pm

The issue here is mixing apples and oranges. In other words you are using bridge and then introduce vlans but keep bridge for some dhcp.
I personally do one or the other but a mix is also very common (although it drives me insane to see).

The issue in this case is that you use a trunk port to send traffic from ether1 to ether2 but ONLY one vlan.
You want to send two streams of traffic to second router.
Now it's perfectly legit to use the bridge traffic over to router 2 as well, but it makes the setup a little bit tricky.

So far what I see on Router 1 is fine except for this line where the missing part is now added.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=2

Now Router 2...... and this is where it gets tricky due to your way of doing stuff on router 1.
Coming in on ether1 is bridge traffic (think of it as untagged traffic and a vlan). So in effect a HYBRID PORT.

Since you want to take that bridge traffic and spread it out to all ports........... with vlan2 going to ether2 only...........

So I would do it like this. One thing I am not sure of is if the IP address of the device should use interface=ether1 as I have it or interface=bridge2 as you have it.
/interface bridge
add name=bridge2
/interface vlan
add interface=bridge name=vlan39 vlan-id=39
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=secure supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country="united states" disabled=no frequency=2437 hide-ssid=yes installation=outdoor mode=ap-bridge security-profile=secure ssid=[redacted] wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-eeeC country="united states" disabled=no frequency=5320 hide-ssid=yes installation=outdoor mode=ap-bridge security-profile=secure ssid=[redacted] \
wps-mode=disabled
/interface bridge port
add bridge=bridge2 ingress-filtering=no interface=ether1 pvid=39
add bridge=bridge2 ingress-filtering=no interface=wlan1 pvid=39
add bridge=bridge2 ingress-filtering=no interface=wlan2 pvid=39
add bridge=bridge2 ingress-filtering=no interface=ether3 pvid=39
add bridge=bridge2 ingress-filtering=no interface=ether4 pvid=39
add bridge=bridge2 ingress-filtering=no interface=ether5 pvid=39
add bridge=bridge2 ingress-filtering=no interface=ether2 pvid=2
/interface bridge vlan
add bridge=bridge2 tagged=bridge2,ether1 untagged=ether2 vlan-ids=2
add bridge=bridge2 tagged=bridge2 untagged=ether1,wlan1,wlan2,ether3,ether4,ether5 vlan-ids=39
/ip address
add address=10.39.0.2/24 interface=ether1 network=10.39.0.0
/ip dns
set servers=10.39.0.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.39.0.1 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=MikroTik2
/system routerboard settings
set cpu-frequency=auto

+++++++++++++++++++++++++++++++++++++

In summary I would not do it this way.
I would create two vlans on Router1 and both would be sent to router 2 on a clear trunk port and then distributed cleanly on Router 2 as required.
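Rudios's edit and anav's corrected line above come down to the same omission on Router 1: the bridge itself is not a member of VLAN 2 in /interface bridge vlan, so the vlan2 interface (and the DHCP server on it) on the router CPU never exchanges VLAN 2 frames with the bridge ports. As an added check that is not code from this thread or from MikroTik, the Python below parses a RouterOS export and flags every /interface vlan bound to a vlan-filtering bridge whose VID has no tagged entry for that bridge; the sample export is constructed from the Router 1 config posted above, trimmed to the sections the check reads.

```python
import shlex

# Constructed from the Router 1 export posted in this thread (only the sections
# the check needs): vlan2 is bound to the bridge, but the bridge is not a tagged
# member of VLAN 2, so the CPU-side vlan2 interface never sees VLAN 2 frames.
ROUTER1_EXPORT = """
/interface bridge
add comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan2 vlan-id=2
/interface bridge vlan
add bridge=bridge tagged=ether2 vlan-ids=2
"""
# The same export with the line the thread settled on (bridge tagged as well).
ROUTER1_FIXED = ROUTER1_EXPORT.replace("tagged=ether2", "tagged=bridge,ether2")

def expand_vlan_ids(spec):
    """'2', '2,3' or '10-12' -> [2], [2, 3] or [10, 11, 12]."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_export(text):
    """Yield (section, {key: value}) for every add/set line of an export."""
    section = None
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        words = shlex.split(line)  # handles quoted values such as comment="..."
        if words and words[0] in ("add", "set"):
            yield section, dict(w.split("=", 1) for w in words[1:] if "=" in w)

def missing_cpu_tags(text):
    """Names of /interface vlan on a filtering bridge whose VID has no tagged=<bridge>."""
    rows = list(parse_export(text))
    filtering = {r["name"] for s, r in rows
                 if s == "/interface bridge" and r.get("vlan-filtering") == "yes"}
    cpu_tagged = set()  # (bridge, vid) pairs where the bridge itself is tagged
    for s, r in rows:
        if s == "/interface bridge vlan" and r["bridge"] in r.get("tagged", "").split(","):
            cpu_tagged.update((r["bridge"], v) for v in expand_vlan_ids(r["vlan-ids"]))
    return [r["name"] for s, r in rows if s == "/interface vlan"
            and r["interface"] in filtering
            and (r["interface"], int(r["vlan-id"])) not in cpu_tagged]

if __name__ == "__main__":
    print(missing_cpu_tags(ROUTER1_EXPORT))  # ['vlan2']
    print(missing_cpu_tags(ROUTER1_FIXED))   # []
```

Run it against `/export` output of any vlan-filtering bridge; a non-empty result names the L3 VLAN interfaces that will stay silent until the bridge is added as a tagged member.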
 
GAAA
just joined
Topic Author
Posts: 20
Joined: Wed Mar 09, 2022 8:20 am

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Tue May 24, 2022 2:05 am

Thanks for the responses. But should the second router's switch be configured directly, bypassing the CPU and the bridge vlan configuration? I looked at the switch configuration but am not sure how/if it can be set up to connect tagged frames from a hybrid trunk port to an isolated access port.
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Tue May 24, 2022 10:28 am

Wow, you just pick up as if you were responding to a comment from yesterday.
Are you a computer that just got turned back on after being hibernated 10 weeks ago?
 
GAAA
just joined
Topic Author
Posts: 20
Joined: Wed Mar 09, 2022 8:20 am

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Wed May 25, 2022 12:34 am

I didn't get the VLANs to work last time, and then I was at a different place for a while. What does it matter?

I'm now waiting for a time to try to get this working without interrupting anyone using the network.

I would like to know if I should use the switch config instead.
 
erlinden
Forum Guru
Posts: 1957
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Wed May 25, 2022 8:50 am

The hAP ac2 does have a switch that can be configured for VLAN.
It has the Atheros8327: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features

As mentioned, you should create a trunk on ether2 on Router1 (and the same for ether1 on Router2).
Create the bridge:
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
Now configure the vlan on the switch:
/interface ethernet switch vlan
add ports=ether2 switch=switch1 vlan-id=10
add ports=ether2 switch=switch1 vlan-id=20
Then configure the port:
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
Access ports can be found in the link as well (you have to strip the VLAN header).

And...that's it
 
GAAA
just joined
Topic Author
Posts: 20
Joined: Wed Mar 09, 2022 8:20 am

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Wed May 25, 2022 11:39 pm

I got it working! So thanks to post #5 I figured out that the thing I was missing was adding bridge as tagged on both sides.

Then I added vlan2 to the LAN interface list to enable internet access with the default firewall.

Now I can configure the firewall as desired, and figure out what to do for IPv6, as I'm not sure my ISP will provide a smaller prefix than 64... (edit: looks like the DHCP client was able to get a /60 (edit: working nicely yeey))
Last edited by GAAA on Thu May 26, 2022 12:24 am, edited 2 times in total.
 
GAAA
just joined
Topic Author
Posts: 20
Joined: Wed Mar 09, 2022 8:20 am

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Wed May 25, 2022 11:41 pm

> The hAP ac2 does have a switch that can be configured for VLAN.
> It has the Atheros8327: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features
>
> As mentioned, you should create a trunk on ether2 on Router1 (and the same for ether1 on Router2).
> Create the bridge:
> /interface bridge
> add name=bridge1
> /interface bridge port
> add bridge=bridge1 interface=ether2 hw=yes
> Now configure the vlan on the switch:
> /interface ethernet switch vlan
> add ports=ether2 switch=switch1 vlan-id=10
> add ports=ether2 switch=switch1 vlan-id=20
> Then configure the port:
> /interface ethernet switch port
> set ether2 vlan-mode=secure vlan-header=add-if-missing
> Accessports can be found in the link as well (you have to strip the VLAN header).
>
> And...that's it

So from what I read... I guess bridge vlan and switch vlan are effectively the same because bridge vlan will do hardware offload. I read that switch vlan is the old way of configuring it and bridge vlan is the new way.
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Two routers, different subnet on one of ports of second router via VLAN how to?

Thu May 26, 2022 8:55 am

> so from what i read... i guess bridge vlan and switch vlan are effectively the same because bridge vlan will do hardware offload. i read that switch vlan is the old way of configuring it and bridge vlan is the new way.

I don't have a hap ac3, only a hEX S. With the hEX, v6 had no switch support. V7.1rc5 began to add HW support for the switch in the bridge config, and in recent versions of v7 the vlan-filtering bridge. With v7.2.1, bridging and VLANs are hardware offloaded to the MT7621A's included MT7530 switch ASIC. Note well: VLAN offloading does not mean inter-VLAN routing. But it can have one port with VLAN x untagged and another port with VLAN x tagged, and traffic between the two ports in the same VLAN can happen without CPU intervention, and at near wire speed, i.e. the switch ASIC can do the tagging/untagging without help from the CPU.

I think to do the same thing (hw support for vlan aware functions) on the hap ac3 will require the combined use of bridge and switch sections if you want the switch chip to do the tagging/untagging for traffic within the same vlan.

Two youtube videos worth watching:

Configuring VLAN's on MikroTik RouterBoard using the Switch Chip by MAICT Consult Maher Haddad

Configure VLAN on built-in switch chip in MikroTik by Inquirinity
