AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Thu Jun 02, 2022 2:42 am

Good day everyone!

I have an existing CCR1009-7G-1C-1S+ running for my 50 plus PPPoE subscribers and 1 hotspot server.

Objective: to establish multiple hotspot servers with different customized login pages to be able to segregate different hotspots per area.

Initial Solution that failed: I created multiple VLANs and created a hotspot server on each VLAN with a different hotspot login page. The multiple hotspots with individual VLAN assignment worked, but when I enabled VLAN-Filtering on the bridge, all my PPPoE accounts as well as the old existing hotspot without VLAN were lost and network traffic was gone.

Question: Can VLANs not be added to an existing non-VLAN set-up? What is the best solution to be able to establish multiple hotspot servers in a single MT with existing non-VLAN PPPoE subscribers?
It is very hard to migrate my 50+ PPPoE subscribers to VLAN because they are located in different remote sites/areas, so I would have to physically visit each customer site to enable VLAN on their CPE ONT/modem to be able to sync with the CCR1009-7G-1C-1S+.

Thank you in advance for your help. Will be highly appreciated.
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Thu Jun 02, 2022 6:40 pm

A gentle follow-up on this query, please. I badly need a solution on how to activate multiple VLANs for the different hotspots without losing my existing non-VLAN PPPoE subscribers. Thank you.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Thu Jun 02, 2022 7:39 pm

The default config on SOHO class devices (not sure if CCRs are similar in this respect) is that all bridge ports, including bridge interface, have pvid set to 1 and all ports allow any frame types on ingress (untagged and tagged). At the same time ingress-filtering is not enabled. So in theory, if everything is left at default, enabling vlan-filtering on bridge should allow everything untagged to work just as it does when vlan filtering is disabled. Tagged traffic will probably break at this point without proper config in /interface bridge vlan section.

After one enables vlan filtering (and things still work), it's time for gentle changes in the direction wanted. Every time take care not to break running config with VLAN ID 1.
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Fri Jun 03, 2022 3:41 am

> The default config on SOHO class devices (not sure if CCRs are similar in this respect) is that all bridge ports, including bridge interface, have pvid set to 1 and all ports allow any frame types on ingress (untagged and tagged). At the same time ingress-filtering is not enabled. So in theory, if everything is left at default, enabling vlan-filtering on bridge should allow everything untagged to work just as it does when vlan filtering is disabled. Tagged traffic will probably break at this point without proper config in /interface bridge vlan section.
>
> After one enables vlan filtering (and things still work), it's time for gentle changes in the direction wanted. Every time take care not to break running config with VLAN ID 1.

Thank you very much for your reply. I already tried enabling vlan-filtering on the bridge after I configured the desired multiple VLANs for the hotspot servers, but unfortunately all existing PPPoE configurations as well as the old hotspot (without VLAN) were gone; hence, I was forced to do an MT config restoration using my backup file.

Now, I am thinking of including VLAN 1 in the config of all ports/interfaces where my non-VLAN PPPoE and Hotspot traffic is passing through (though you already said VLAN 1 is the default ID).

By the way, can Safe Mode easily revert my old MT configuration should the new config not work?
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Fri Jun 03, 2022 9:06 am

> By the way, can Safe Mode easily revert my old MT configuration should the new config not work?

Yes, provided the number of changes you make is limited to < 100 in between toggling Safe Mode (each deactivation of Safe Mode clears the buffer of changes to revert).
You can prepare almost everything without activating VLAN filtering on the bridge, so take small steps.

Using a separate ROS device to get the configuration correct might be easier? A simple mAP could suffice?
Doing this on a production device is not ideal. Getting the concept of the config and the process to move on a separate environment might be less disruptive for your users.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Fri Jun 03, 2022 3:36 pm

The problem with changing L2 setup (VLAN falls into this category) is that if things are not exactly right, everything falls apart big time (unlike L3 setup which mostly doesn't break just everything at the same time). That's why I mentioned gentle changes. With your "already prepared everything" we can't say which of those gazillion changes actually break things. That's why I mentioned going from existing running non-VLAN setup by first enabling VLAN filtering (again, I'm not entirely sure it's that simple) and only later building additional stuff.

And yes, "safe mode" is your friend. In case your best friend "lab setup" isn't available.
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Mon Jun 06, 2022 3:47 am

Hello Everyone!

I just tried putting VLAN ID 1 on all ports/interfaces where non-VLAN PPPoE traffic is passing, but to no avail. When I enabled VLAN-Filtering on the bridge, all PPPoE accounts were gone.

Below is my current interface/bridge config prior to activating vlan-filtering:


[admin@WISP] > interface bridge export
# jun/05/2022 11:24:44 by RouterOS 6.48.3
# model = CCR1009-7G-1C-1S+
/interface bridge
add name=bridge-PPPOE
/interface bridge port
add bridge=bridge-PPPOE comment="olt area-2" interface="ether4 OLT AREA-2 "
add bridge=bridge-PPPOE interface=ether5-OLT AREA-1
add bridge=bridge-PPPOE interface=ether6
add interface="ether7 "
add bridge=bridge-PPPOE interface=combo1
/interface bridge vlan
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2221
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2222
add bridge=bridge-PPPOE untagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=1
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2223
[admin@WISP] > interface export
/interface bridge
add name=bridge-PPPOE
/interface ethernet
set [ find default-name=combo1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full rx-flow-control=auto \
tx-flow-control=auto
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether1-PTT-DIA \
rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether2-PTT-DSL \
rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether3-PLDT-DSL \
rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name="ether4 OLT SMT " \
rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether5-OLT \
rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full rx-flow-control=auto \
tx-flow-control=auto
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
loop-protect=on name="ether7 " rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,2500M-full,5000M-full,10000M-full
/interface vlan
add interface=bridge-PPPOE name=MGMT-Admin vlan-id=1
add interface=bridge-PPPOE name=VLAN-2221 vlan-id=2221
add interface=bridge-PPPOE name=VLAN-2222 vlan-id=2222
add interface=bridge-PPPOE name=VLAN-2223 vlan-id=2223
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-PPPOE comment="olt area-2" interface="ether4 OLT AREA-2 "
add bridge=bridge-PPPOE interface=ether5-OLT AREA-1
add bridge=bridge-PPPOE interface=ether6
add interface="ether7 "
add bridge=bridge-PPPOE interface=combo1
/interface bridge vlan
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2221
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2222
add bridge=bridge-PPPOE untagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=1
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2223
/interface detect-internet
set detect-interface-list=all
/interface pppoe-server server
add disabled=no interface=bridge-PPPOE service-name=WISP
[admin@WISP] >

Hope someone can help. Thank you.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Mon Jun 06, 2022 8:25 am

There are (at least) two problems which make your "smooth" transition from untagged to tagged not possible:
  1. you only have PPPoE server configured on bridge-PPPOE interface which works for untagged ports. You have to configure PPPoE server on all VLAN interfaces where clients will eventually land (e.g. VLAN-2221, etc.)
  2. even if you get the previous bullet right, clients connected to ports with PVID other than 1 set after you enable VLAN filtering. The reason is that they will start talking to different PPPoE server (the one configured on corresponding VLAN interface instead of bridge interface).

While you can avoid problems mentioned in bullet #1, you can't get away from bullet #2.

To make everything right I highly recommend you to set up lab installation in order to make transition with only single drop (due to second bullet). Without it you will possibly have to "try and fail" many more times.
 
LdB
Member Candidate
Posts: 141
Joined: Thu May 20, 2021 4:23 pm

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Mon Jun 06, 2022 9:10 am

Not tried it on Mikrotik but it's common to do that on ubiquiti dream machines ... what you need is a hybrid port

The port contains a PVID (untagged) and any number of VID's (tagged)
Most switches can also do it.

If you can do it on a Mikrotik it would be done the same way .... so I tried it on a CCR1009-8G-1S-1S+ just using winbox
I created a bridge for each VID and one for the PVID
Create each VID VLAN on the ethernet port on the interfaces screen
Now go back to the bridge and on the port settings connect each VLAN on the port to its bridge "admit only VLAN tagged" and set the VLAN ID with ingress filtering on
Now finally for the PVID on the bridge port connect it to the ethernet port itself with "admit only untagged and priority tagged" with ingress filtering on

As expected you now have a hybrid port with a PVID bridge and a number of VLAN bridges which you can connect the PPPOE to each one
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Mon Jun 06, 2022 9:45 pm

> There are (at least) two problems which make your "smooth" transition from untagged to tagged not possible:
>   1. you only have PPPoE server configured on bridge-PPPOE interface which works for untagged ports. You have to configure PPPoE server on all VLAN interfaces where clients will eventually land (e.g. VLAN-2221, etc.)
>   2. even if you get the previous bullet right, clients connected to ports with PVID other than 1 set after you enable VLAN filtering. The reason is that they will start talking to different PPPoE server (the one configured on corresponding VLAN interface instead of bridge interface).
>
> While you can avoid problems mentioned in bullet #1, you can't get away from bullet #2.
>
> To make everything right I highly recommend you to set up lab installation in order to make transition with only single drop (due to second bullet). Without it you will possibly have to "try and fail" many more times.

Thank you for the response. Just to avoid any confusion, I have only one bridge created and it was named bridge-PPPOE because the only traffic passing on that bridge back then was the non-VLAN PPPoE accounts. The Hotspot traffic was just added to this bridge-PPPOE later on; hence, currently PPPoE traffic is not the only traffic passing through that bridge, the non-VLAN Hotspot traffic passes through it as well.

If I am going to configure additional PPPoE servers on each VLAN, then I also need to reconfigure and enable VLAN on each remote customer's modem/router (ONT CPE) to be able to sync with the MikroTik. Hence, I would just prefer to retain the PPPoE configuration using non-VLAN interfaces.

What I really need to accomplish now is to create multiple hotspot servers using VLAN-2221, VLAN-2222, VLAN-2223 and leave all PPPoE accounts to the non-VLAN interface.
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Mon Jun 06, 2022 10:05 pm

> Not tried it on Mikrotik but it's common to do that on ubiquiti dream machines ... what you need is a hybrid port
>
> The port contains a PVID (untagged) and any number of VID's (tagged)
> Most switches can also do it.
>
> If you can do it on a Mikrotik it would be done the same way .... so I tried it on a CCR1009-8G-1S-1S+ just using winbox
> I created a bridge for each VID and one for the PVID
> Create each VID VLAN on the ethernet port on the interfaces screen
> Now go back to the bridge and on the port settings connect each VLAN on the port to its bridge "admit only VLAN tagged" and set the VLAN ID with ingress filtering on
> Now finally for the PVID on the bridge port connect it to the ethernet port itself with "admit only untagged and priority tagged" with ingress filtering on
>
> As expected you now have a hybrid port with a PVID bridge and a number of VLAN bridges which you can connect the PPPOE to each one

Thank you for your response.
Sorry, but I am a little bit confused: can a physical interface (e.g. Ethernet 4, Ethernet 5) be assigned to multiple bridges? My current and only bridge right now is the one I named "bridge-PPPOE", through which all traffic from the PPPoE and Hotspot clients is passing.

When you say "created bridge for each VID", are you saying I need to create a separate bridge for each of my VIDs (e.g. VLAN-2221, VLAN-2222, VLAN-2223 and VLAN-1)? Therefore, aside from my existing bridge named "bridge-PPPOE", do I also need to create separate bridges for each VID?
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Tue Jun 07, 2022 4:35 am

For your clearer understanding, I renamed the bridge and interfaces. As you can see both PPPoE (non-VLAN) and Hotspot (non-VLAN) are passing through the same bridge and sent to the two OLTs.



/interface bridge
add name="bridge-PPPoE & Hotspot"
/interface vlan
add interface="bridge-PPPoE & Hotspot" name=MGMT-Admin vlan-id=1
add interface="bridge-PPPoE & Hotspot" name=VLAN-2221 vlan-id=2221
add interface="bridge-PPPoE & Hotspot" name=VLAN-2222 vlan-id=2222
add interface="bridge-PPPoE & Hotspot" name=VLAN-2223 vlan-id=2223
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge="bridge-PPPoE & Hotspot" comment="olt 1" interface="ether4 OLT 1 "
add bridge="bridge-PPPoE & Hotspot" interface="ether5-OLT 2"
add bridge="bridge-PPPoE & Hotspot" interface=ether6
add interface="ether7 "
add bridge="bridge-PPPoE & Hotspot" interface=combo1
/interface bridge vlan
add bridge="bridge-PPPoE & Hotspot" tagged="ether4 OLT 1 ,ether5-OLT 2" \
vlan-ids=2221
add bridge="bridge-PPPoE & Hotspot" tagged="ether4 OLT 1 ,ether5-OLT 2" \
vlan-ids=2222
add bridge="bridge-PPPoE & Hotspot" untagged="ether4 OLT 1 ,ether5-OLT 2" \
vlan-ids=1
add bridge="bridge-PPPoE & Hotspot" tagged="ether4 OLT 1 ,ether5-OLT 2" \
vlan-ids=2223
/interface detect-internet
set detect-interface-list=all
/interface pppoe-server server
add disabled=no interface="bridge-PPPoE & Hotspot" service-name=MyWISP



Your further help will be much appreciated. Thank you.
 
LdB
Member Candidate
Posts: 141
Joined: Thu May 20, 2021 4:23 pm

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Tue Jun 07, 2022 7:19 am

This bit is correct ... with question/proviso ... "bridge-PPPoE & Hotspot" is not a valid interface name on my router and OS
Hence I am going to replace it with a standard name ... let's say "PPPoE-Ether" and you don't need pvid 1 that will be the raw port

So your ether?? port interface name I am assuming is "PPPoE-Ether"
/interface vlan
add interface="PPPoE-Ether" name=VLAN-2221 vlan-id=2221
add interface="PPPoE-Ether" name=VLAN-2222 vlan-id=2222
add interface="PPPoE-Ether" name=VLAN-2223 vlan-id=2223
But now each VLAN needs a Bridge because you are going to ingress filter that ONE VLAN PER BRIDGE
So you need 4 bridges one for old customers (untagged) and 3 for new vlans
again slight name change on that illegal name for me
/interface bridge
add name="bridge-PPPoE-Ether"
add name="bridge_vlan2221"
add name="bridge_vlan2222"
add name="bridge_vlan2223"
Now you need to connect the bridges to the vlan interfaces on port and for the PVID to the eth port raw
/interface bridge port
add bridge=bridge_vlan2221 pvid=2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2221
add bridge=bridge_vlan2222 pvid=2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2222
add bridge=bridge_vlan2223 pvid=2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2223
add bridge=bridge-PPPoE-Ether pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=PPPoE-Ether
So you now have 4 bridges ... 3 connected to the eth port vlan sub interfaces you created and one connected to the eth port interface itself

You now have yourself a hybrid port .. untagged goes to "bridge-PPPoE-Ether" and the tagged go to their respective bridges.

Now all you do is connect the 4 PPPOE servers to each bridge and each PPPOE server can only see the filtered traffic to that particular bridge.
Each bridge is really about a point to apply a filter to only allow certain traffic in and onto that bridge
From an outbound (egress perspective) they all mingle on the one ethernet cable.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Tue Jun 07, 2022 8:25 am

> If I am going to configure additional PPPoE servers on each VLAN, then I also need to reconfigure and enable VLAN on each remote customer's modem/router (ONT CPE) to be able to sync with the MikroTik. Hence, I would just prefer to retain the PPPoE configuration using non-VLAN interfaces.

I'm sorry but I'm now lost as to what exactly you're trying to achieve.
 
LdB
Member Candidate
Posts: 141
Joined: Thu May 20, 2021 4:23 pm

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Tue Jun 07, 2022 11:15 am

At a guess is trying to make a multi access hotspot via a multi SSID access point .. he sort of describes that in the OP

Each VLAN becomes its own SSID on those AP's and the untagged is the management

So in his case it probably goes something like this
untagged = AP management
2221 = Guest Wifi
2222 = 25/5Mb paying customer
2223 = 50/10Mb paying customers

Ubiquiti, Dlink and Cisco have them but I am sure there are more vendors out there
Here is the dlink setup
https://kb.netgear.com/30611/How-do-I-c ... ple-VLAN-s
Key part that is a hybrid port (3 tagged and 1 untagged)
On Ubiquiti I know the untagged management is a server that "adopts the multi SSID access points" and they call it "adopting"; you then assign what SSID networks appear on the device and name it etc.

Whatever the case the guts of it is you need a hybrid port .. a port with 1 PVID and any number of VIDS
I just built one manually using bridges.
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Wed Jun 08, 2022 3:17 am

>> If I am going to configure additional PPPoE servers on each VLAN, then I also need to reconfigure and enable VLAN on each remote customer's modem/router (ONT CPE) to be able to sync with the MikroTik. Hence, I would just prefer to retain the PPPoE configuration using non-VLAN interfaces.
>
> I'm sorry but I'm now lost as to what exactly you're trying to achieve.

Basically, I just want to establish 3 different hotspot servers with individual hotspot log-in page. My current MT set-up is 1 bridge without VLAN carrying both 50 plus PPPoE customers and 1 Hotspot. The only possible way to have 3 different hotspot servers is to assign VLAN for each hotspot server. Let's say for example: VLAN 2221 for Hotspot Server 1, VLAN 2222 for Hotspot Server 2 and VLAN 2223 for Hotspot Server 3. Then leave all PPPoE traffic to the default "no-VLAN" port.
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Wed Jun 08, 2022 3:20 am

> This bit is correct ... with question/proviso ... "bridge-PPPoE & Hotspot" is not a valid interface name on my router and OS
> Hence I am going to replace it with a standard name ... let's say "PPPoE-Ether" and you don't need pvid 1 that will be the raw port
>
> So your ether?? port interface name I am assuming is "PPPoE-Ether"
> /interface vlan
> add interface="PPPoE-Ether" name=VLAN-2221 vlan-id=2221
> add interface="PPPoE-Ether" name=VLAN-2222 vlan-id=2222
> add interface="PPPoE-Ether" name=VLAN-2223 vlan-id=2223
> But now each VLAN needs a Bridge because you are going to ingress filter that ONE VLAN PER BRIDGE
> So you need 4 bridges one for old customers (untagged) and 3 for new vlans
> again slight name change on that illegal name for me
> /interface bridge
> add name="bridge-PPPoE-Ether"
> add name="bridge_vlan2221"
> add name="bridge_vlan2222"
> add name="bridge_vlan2223"
> Now you need to connect the bridges to the vlan interfaces on port and for the PVID to the eth port raw
> /interface bridge port
> add bridge=bridge_vlan2221 pvid=2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2221
> add bridge=bridge_vlan2222 pvid=2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2222
> add bridge=bridge_vlan2223 pvid=2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2223
> add bridge=bridge-PPPoE-Ether pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=PPPoE-Ether
> So you now have 4 bridges ... 3 connected to the eth port vlan sub interfaces you created and one connected to the eth port interface itself
>
> You now have yourself a hybrid port .. untagged goes to "bridge-PPPoE-Ether" and the tagged go to their respective bridges.
>
> Now all you do is connect the 4 PPPOE servers to each bridge and each PPPOE server can only see the filtered traffic to that particular bridge.
> Each bridge is really about a point to apply a filter to only allow certain traffic in and onto that bridge
> From an outbound (egress perspective) they all mingle on the one ethernet cable.

Thank you very much for the help. I just have one question before I implement this set-up: do I need to enable "VLAN-Filtering" on all bridges, including the Bridge-PPPoE-Ether?
 
LdB
Member Candidate
Posts: 141
Joined: Thu May 20, 2021 4:23 pm

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Wed Jun 08, 2022 10:14 am

You don't need "vlan filtering" (as in the tick box on a bridge) on any of the bridges the ingress filter makes sure each bridge can only see one set of traffic ... if you tick it probably still works but it will be doing nothing. All the bridge is doing is giving you a place to connect an ethernet sub-interface to a DHCP or PPPOE server.
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Thu Jun 09, 2022 3:06 am

> You don't need "vlan filtering" (as in the tick box on a bridge) on any of the bridges the ingress filter makes sure each bridge can only see one set of traffic ... if you tick it probably still works but it will be doing nothing. All the bridge is doing is giving you a place to connect an ethernet sub-interface to a DHCP or PPPOE server.

I tried your recommended config but to no avail. Luckily the PPPoE traffic was not lost after implementing the ingress filtering, but none of the hotspot login pages appeared when connecting to each assigned AP via VLAN.

Did I miss something? Please see my config below.

/interface bridge
add name="bridge-PPPoE - Ether"
add name=bridge-VLAN-2221
add name=bridge-VLAN-2222
add name=bridge-VLAN-2223
/interface vlan
add interface="bridge-PPPoE - Ether" name=MGMT-Admin vlan-id=1
add interface="bridge-PPPoE - Ether" name=VLAN-2221 vlan-id=2221
add interface="bridge-PPPoE - Ether" name=VLAN-2222 vlan-id=2222
add interface="bridge-PPPoE - Ether" name=VLAN-2223 vlan-id=2223
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge="bridge-PPPoE - Ether" interface="ether4 OLT 1"
add bridge="bridge-PPPoE - Ether" interface="ether5-OLT 2"
add bridge=bridge-VLAN-2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=\
VLAN-2221 pvid=2221
add bridge=bridge-VLAN-2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=\
VLAN-2222 pvid=2222
add bridge=bridge-VLAN-2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=\
VLAN-2223 pvid=2223
add bridge="bridge-PPPoE - Ether" frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=MGMT-Admin
/interface bridge vlan
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2221
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2222
add bridge="bridge-PPPoE - Ether" untagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=1
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2223
/interface detect-internet
set detect-interface-list=all
/interface pppoe-server server
add disabled=no interface="bridge-PPPoE - Ether" service-name=MyWISP

Thank you in advance for your help.
 
LdB
Member Candidate
Posts: 141
Joined: Thu May 20, 2021 4:23 pm

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Thu Jun 09, 2022 8:40 am

Sigh .... I am going to dispense with the stupid names and just leave it as ether? as an example this is what you require for a hybrid port

Ether? <==========UNTAGGED FILTER=========> Bridge_VLAN1 <=========> Some Tik service
VLAN 2221 <==== 2221 TAGGED FILTER =======> Bridge_VLAN2221 <=========> Some Tik service
VLAN 2222 <==== 2222 TAGGED FILTER =======> Bridge_VLAN2222 <=========> Some Tik service
VLAN 2223 <==== 2223 TAGGED FILTER =======> Bridge_VLAN2223 <=========> Some Tik service

If you don't need to inject Tik services into each bridge you can do it with 1 bridge which is what the following junk is for
/interface bridge vlan
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2221
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2222
add bridge="bridge-PPPoE - Ether" untagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=1
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2223 

>>>> That didn't come from me so you have merged two totally different concepts in your head <<<<

A bridge allows you to inject IP's, services etc from the Tik but at other times the Tik just needs to pass the vlans thru which is when you would use that latter case.
So there are many ways of setting up the bridge use with VLAN depending what you are doing.

Now let's go to you!!!
Clearly you have two ports you are setting up for OLT's on ether4 and ether5 and you need two HYBRID ports
So how about I just connect them to the bridges for you and please don't add or change anything

First create the bridges
/interface bridge
add name="bridge-PPPoE-Ether"
add name=bridge_vlan2221
add name=bridge_vlan2222
add name=bridge_vlan2223
Now create 3 VLAN subinterface VID's on each ether port we will use the ether interface itself for the untagged
/interface vlan
add interface="ether4" name=VLAN-2221_eth4 vlan-id=2221
add interface="ether4" name=VLAN-2222_eth4 vlan-id=2222
add interface="ether4" name=VLAN-2223_eth4 vlan-id=2223
/interface vlan
add interface="ether5" name=VLAN-2221_eth5 vlan-id=2221
add interface="ether5" name=VLAN-2222_eth5 vlan-id=2222
add interface="ether5" name=VLAN-2223_eth5 vlan-id=2223
Now let's connect those two ports to the 4 bridges ... 3 VLANS and 1 Ether Port Interface
/interface bridge port
add bridge=bridge_vlan2221 pvid=2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2221_eth4
add bridge=bridge_vlan2222 pvid=2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2222_eth4
add bridge=bridge_vlan2223 pvid=2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2223_eth4
add bridge=bridge-PPPoE-Ether pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4
/interface bridge port
add bridge=bridge_vlan2221 pvid=2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2221_eth5
add bridge=bridge_vlan2222 pvid=2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2222_eth5
add bridge=bridge_vlan2223 pvid=2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2223_eth5
add bridge=bridge-PPPoE-Ether pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5
We now have 2 HYBRID ports Ether4 and Ether5 connected to the bridges.

Let's draw it at this point so you get what that all does
                         ether4 ======= untagged ======  bridge-PPPoE-Ether (VLAN 1) ======= untagged ===== ether 5
                  VLAN-2221_eth4 ====== tagged 2221 ========== bridge_vlan2221 ============tagged 2221 ====VLAN-2221_eth5
                  VLAN-2222_eth4 ====== tagged 2222 ========== bridge_vlan2222 ============tagged 2222 ====VLAN-2222_eth5
                  VLAN-2223_eth4 ====== tagged 2223 ========== bridge_vlan2223 ============tagged 2223 ====VLAN-2223_eth5
So now you can inject tik services (DHCP/PPPOE) or put Ip's and route thru any of those individual bridges.

Now you obviously have a PPPOE server that needs to go into bridge-PPPoE-Ether.
What service needs to inject into vlan2221, vlan2222 and vlan2223 ???? I am guessing it is DHCP's
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Thu Jun 09, 2022 12:58 pm

Using multiple bridges is the old way of connecting multiple VLANs between ports and/or the Mikrotik services, and has many pitfalls https://help.mikrotik.com/docs/display/ ... figuration.

The suggested configuration has multiple faults; a single VLAN-aware bridge with appropriate configuration is sufficient.
 
LdB
Member Candidate
Member Candidate
Posts: 141
Joined: Thu May 20, 2021 4:23 pm

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Thu Jun 09, 2022 3:30 pm

You can't do it the new way; it won't work on most hardware, as the port is neither pure access nor trunk.
So you either do it the old way (and work thru the pitfalls) or not at all in most cases.
There are also pitfalls for the single bridge config, many of which are listed on your link, so it's no cure-all.

If you want to give the OP a 100% foolproof way to do it then he needs to buy a cheap switch which does what he needs with the click of a couple of buttons on the GUI and throw the Mikrotik in the cupboard.
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Thu Jun 09, 2022 4:12 pm

You can't do it the new way; it won't work on most hardware, as the port is neither pure access nor trunk.
That is completely incorrect - VLAN-aware bridges support untagged only (access), 1 or more tagged only (trunk), or untagged with 1 or more tagged (hybrid) on any bridge port. The only devices which do not support hybrid operation are those with fast ethernet switch chips when configuring the switch chip directly.
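
The hybrid-port layout described in the post above, sketched as a single VLAN-aware bridge. This is an added example, not configuration posted by anyone in the thread; the names bridge1 and vlan2221/vlan2222/vlan2223 are assumptions, while ether4/ether5 and VLAN IDs 2221-2223 come from the thread.

```routeros
# Added example: one VLAN-aware bridge with two hybrid ports.
# Assumed names: bridge1, vlan2221, vlan2222, vlan2223.
/interface bridge
# Build everything with filtering off so untagged PPPoE keeps flowing.
add name=bridge1 vlan-filtering=no pvid=1 frame-types=admit-all

/interface bridge port
# Hybrid ports: untagged frames are classified into PVID 1,
# tagged frames keep the VLAN ID they arrived with.
add bridge=bridge1 interface=ether4 pvid=1 frame-types=admit-all
add bridge=bridge1 interface=ether5 pvid=1 frame-types=admit-all

/interface bridge vlan
# Tagged membership for the hotspot VLANs. The bridge itself is listed as
# tagged so the router's own VLAN interfaces below receive the traffic.
add bridge=bridge1 tagged=bridge1,ether4,ether5 vlan-ids=2221
add bridge=bridge1 tagged=bridge1,ether4,ether5 vlan-ids=2222
add bridge=bridge1 tagged=bridge1,ether4,ether5 vlan-ids=2223
# VLAN 1 needs no static entry: ports and the bridge with pvid=1 become
# dynamic untagged members once filtering is enabled.

/interface vlan
# Layer-3 attachment points for each hotspot / DHCP server.
add interface=bridge1 name=vlan2221 vlan-id=2221
add interface=bridge1 name=vlan2222 vlan-id=2222
add interface=bridge1 name=vlan2223 vlan-id=2223

# The untagged PPPoE server binds to bridge1 itself (the untagged member
# of VLAN 1); the hotspot servers bind to vlan2221..vlan2223.

# Last step, after reviewing "/interface bridge vlan print":
/interface bridge set bridge1 vlan-filtering=yes
```

Enabling vlan-filtering before the port PVIDs and the VLAN table are in place is what cuts off untagged traffic, so the switch-over is kept as the final command.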
 
AzDsL
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Fri Jun 10, 2022 2:43 am

Sigh .... I am going to dispense with the stupid names and just leave it as ether? As an example, this is what you require for a hybrid port

Ether? <==========UNTAGGED FILTER=========> Bridge_VLAN1 <=========> Some Tik service
VLAN 2221 <==== 2221 TAGGED FILTER =======> Bridge_VLAN2221 <=========> Some Tik service
VLAN 2222 <==== 2222 TAGGED FILTER =======> Bridge_VLAN2222 <=========> Some Tik service
VLAN 2223 <==== 2223 TAGGED FILTER =======> Bridge_VLAN2223 <=========> Some Tik service

If you don't need to inject Tik services into each bridge you can do it with 1 bridge which is what the following junk is for
/interface bridge vlan
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2221
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2222
add bridge="bridge-PPPoE - Ether" untagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=1
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2223 

>>>> That didn't come from me so you have merged two totally different concepts in your head <<<<

A bridge allows you to inject IPs, services etc from the Tik but at other times the Tik just needs to pass the vlans thru which is when you would use that latter case.
So there are many ways of setting up the bridge use with VLAN depending what you are doing.

Now lets go to you!!!
Clearly you have two ports you are setting up for OLT's on ether4 and ether5 and you need two HYBRID ports
So how about I just connect them for you to the bridges for you and please don't add or change anything

First create the bridges
/interface bridge
add name="bridge-PPPoE-Ether"
add name=bridge_vlan2221
add name=bridge_vlan2222
add name=bridge_vlan2223
Now create 3 VLAN subinterface VIDs on each ether port; we will use the ether interface itself for the untagged
/interface vlan
add interface="ether4" name=VLAN-2221_eth4 vlan-id=2221
add interface="ether4" name=VLAN-2222_eth4 vlan-id=2222
add interface="ether4" name=VLAN-2223_eth4 vlan-id=2223
/interface vlan
add interface="ether5" name=VLAN-2221_eth5 vlan-id=2221
add interface="ether5" name=VLAN-2222_eth5 vlan-id=2222
add interface="ether5" name=VLAN-2223_eth5 vlan-id=2223
Now let's connect those two ports to the 4 bridges ... 3 VLANS and 1 Ether Port Interface
/interface bridge port
add bridge=bridge_vlan2221 pvid=2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2221_eth4
add bridge=bridge_vlan2222 pvid=2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2222_eth4
add bridge=bridge_vlan2223 pvid=2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2223_eth4
add bridge=bridge-PPPoE-Ether pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4
/interface bridge port
add bridge=bridge_vlan2221 pvid=2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2221_eth5
add bridge=bridge_vlan2222 pvid=2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2222_eth5
add bridge=bridge_vlan2223 pvid=2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2223_eth5
add bridge=bridge-PPPoE-Ether pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5
We now have 2 HYBRID ports Ether4 and Ether5 connected to the bridges.

Let's draw it at this point so you get what that all does
                         ether4 ======= untagged ======  bridge-PPPoE-Ether (VLAN 1) ======= untagged ===== ether5
                  VLAN-2221_eth4 ====== tagged 2221 ========== bridge_vlan2221 ============tagged 2221 ====VLAN-2221_eth5
                  VLAN-2222_eth4 ====== tagged 2222 ========== bridge_vlan2222 ============tagged 2222 ====VLAN-2222_eth5
                  VLAN-2223_eth4 ====== tagged 2223 ========== bridge_vlan2223 ============tagged 2223 ====VLAN-2223_eth5
So now you can inject Tik services (DHCP/PPPOE) or put IPs and route thru any of those individual bridges.

Now you obviously have a PPPOE server that needs to go into bridge-PPPoE-Ether.
What service needs to inject into vlan2221, vlan2222 and vlan2223 ???? I am guessing it is DHCP's


Thank you very much for your help. Your recommended config works, at least on Ether5 I was able to test VLAN2221/2222/2223 with their respective Hotspot DHCP servers. I haven't been able to test yet on Ether4 because the area is too far from my place and I don't have any remote management to remotely access and configure the CPE (ONT/Modem) and APs.

Now, my next goal is to secure the whole network. I noticed that once I get connected to the hotspot via one of the VLANs, I can already ping all my private IP addresses and I am redirected to the MT admin login page when I type one of those IPs in my phone/PC browser.

I have only a little knowledge of network security; maybe you have some recommendations on how to secure my network, at least to have protection from any unauthorized access to the MT.

Thank you again for your patience.
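
One way to close the exposure described in the post above, using firewall rules keyed on an interface list. This is an added example that nobody in the thread posted; the list names HOTSPOT and RFC1918 are assumptions, and the bridge names are the ones used in the bridge-port lines of the quoted configuration.

```routeros
# Added example: keep hotspot clients off the router's management services
# and off other private subnets. HOTSPOT and RFC1918 are assumed names.
/interface list
add name=HOTSPOT
/interface list member
add list=HOTSPOT interface=bridge_vlan2221
add list=HOTSPOT interface=bridge_vlan2222
add list=HOTSPOT interface=bridge_vlan2223

/ip firewall address-list
add list=RFC1918 address=10.0.0.0/8
add list=RFC1918 address=172.16.0.0/12
add list=RFC1918 address=192.168.0.0/16

/ip firewall filter
# Replies to connections that were already permitted stay allowed.
add chain=input action=accept connection-state=established,related
add chain=forward action=accept connection-state=established,related
# Management services (FTP, SSH, Telnet, WebFig, API, WinBox) are not
# reachable from hotspot-facing interfaces.
add chain=input action=drop in-interface-list=HOTSPOT protocol=tcp \
    dst-port=21,22,23,80,443,8291,8728,8729 comment="hotspot: no mgmt"
# Hotspot clients may be routed to the internet but not to private ranges.
add chain=forward action=drop in-interface-list=HOTSPOT \
    dst-address-list=RFC1918 comment="hotspot: no private ranges"
```

Filter rules are evaluated in order, so these drops must sit above any broader accept rule already present in the input and forward chains.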
 
AzDsL
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Fri Jun 10, 2022 2:53 am

Using multiple bridges is the old way of connecting multiple VLANs between ports and/or the Mikrotik services, and has many pitfalls https://help.mikrotik.com/docs/display/ ... figuration.

The suggested configuration has multiple faults; a single VLAN-aware bridge with appropriate configuration is sufficient.

Thank you for your response. Unfortunately, vlan-filtering did not work on my current set-up. My active PPPoE traffic was gone when I tried to set up VLANs and enabled the vlan-filtering in the bridge.

If you have another solution to establish three VLANs for my Hotspot DHCP servers and retain the PPPoE running on non-VLAN ports, I would highly appreciate your help. Both kinds of traffic (VLAN & non-VLAN) need to pass MT Ether4 & Ether5 where my two OLTs are connected.
