MK to UBNT EdgeSwitch VLANs

Hav0c · Sat May 07, 2022 1:38 pm

Hi all,

I've been using the following script

/interface bridge
add name=bridge_ALL
/interface vlan
add interface=bridge_ALL name=VLAN20 vlan-id=20
add interface=bridge_ALL name=VLAN30 vlan-id=30
add interface=bridge_ALL name=VLAN40 vlan-id=40
add interface=bridge_ALL name=VLAN50 vlan-id=50
/ip pool
add name=VLAN20Pool ranges=192.168.20.10-192.168.20.200
add name=VLAN30Pool ranges=192.168.30.10-192.168.30.200
add name=VLAN40Pool ranges=192.168.40.10-192.168.40.200
add name=VLAN50Pool ranges=192.168.50.10-192.168.50.200
/ip dhcp-server
add address-pool=VLAN20Pool disabled=no interface=VLAN20 name=VLAN20dhcp
add address-pool=VLAN30Pool disabled=no interface=VLAN30 name=VLAN30dhcp
add address-pool=VLAN40Pool disabled=no interface=VLAN40 name=VLAN40dhcp
add address-pool=VLAN50Pool disabled=no interface=VLAN50 name=VLAN50dhcp
/interface bridge port
add bridge=bridge_ALL interface=ether1
add bridge=bridge_ALL interface=ether2
add bridge=bridge_ALL interface=ether3
add bridge=bridge_ALL interface=ether4
add bridge=bridge_ALL interface=ether5
/ip address
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
add address=192.168.50.1/24 interface=VLAN50 network=192.168.50.0
/ip dhcp-client
add disabled=no interface=bridge_ALL
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_ALL

on a RB750 ever since Wed Jul 07, 2021 viewtopic.php?t=176608#p866253 without any issues.
In the above setup the VLAN tagging, untagging took place on the Connected Client/s side.

But as in IT things change......

I installed a UBNT EdgeSwtich 24port Lite
Set Port 1 as a T (Trunk/Tagged) port, E (Exclude) ports 17 to 24 from VLAN 1, port 17 and 18 as U (Untagged) VLAN20, port 19 and 20 as U (Untagged) VLAN30 and so on till VLAN50.

Using the above script with NO WAN and using ANY PORT of the RB750 plugged into Port 1 of the ES24, clients on ports 17 to 24 does pull their relevant VLAN IP, DNS and Gateway. Expected none VLAN clients would not pull a DHCP from the main router as it's not connected to the MK.

The moment I plug the WAN into the RB750 it pulls a DHCP lease from the main router and the clients connections to the ES24 fail and no VLAN IPs are pulled nor the none VLAN clients on ports 2 to 16 gets an IP.
Remove the WAN from the MK and clients connected to the Switch gets VLAN IPs assigned again.
Remove the Switch from the MK and plug in the WAN, Clients connected to the MK pulls IPs being it VLAN IPs or DHCP.

Suggestions to resolve ?

cfikes · Sat May 07, 2022 2:01 pm

I'm not seeing in there where you have vlan filtering enabled nor tagged/untagged ports created..

Hav0c · Sat May 07, 2022 2:16 pm

I'm not seeing in there where you have vlan filtering enabled nor tagged/untagged ports created..

Thet tagging and untagging is done on the Switch ?
ALL ports on the MK should be Trunk ports

I have tried

/interface bridge vlan
add bridge=bridge_ALL tagged=bridge_ALL vlan-ids=20,30,40,50

Did not work

/interface bridge
add name=bridge_ALL vlan-filtering=yes

Only gave me under Bridge --> VLANs

Bridge= bridge_ALL VLANIDs= 1 Current Tagged = "Empty" Current Untagged= Shows all ports connect to the MK

Sat May 07, 2022 2:18 pm

/interface bridge port
add bridge=bridge_ALL interface=ether1
add bridge=bridge_ALL interface=ether2
add bridge=bridge_ALL interface=ether3
add bridge=bridge_ALL interface=ether4
add bridge=bridge_ALL interface=ether5

That's a switch-type configuration, not a router configuration. Your LAN is bridged to your WAN. That's not impossibly wrong, but it is suspect given your evident wish to break the network up by VLANs. There should be 5 or 6 routing layers in here somewhere.

/ip dhcp-client
add disabled=no interface=bridge_ALL

You're putting a DHCP client on the same bridge that's running DHCP servers, creating a race condition of who can answer first.

Put it on the WAN port only, facing your Internet router.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_ALL

You're masquerading everything with that move, including internal VLAN traffic. Once again, put it on the WAN interface only.

Your problems go deeper than this, but your description is incomplete, so I'll stop here.

For instance, what's on ports 2-16 of the EdgeSwitch? You leave that unsaid. I can infer VLAN 1 clients, but I don't want to guess, and your posted configuration doesn't say what's supposed to happen to their traffic.

Draw out a diagram with the flows and the intentional blockages showing.

In the above setup the VLAN tagging, untagging took place on the Connected Client/s side.

Without bridge VLAN filtering, you do realize you have no security, right? Anyone can walk up and say, "I'm on VLAN 40", and your switch will believe it. Once you get your inter-VLAN routing working properly, traffic will flow even though that port's labeled on your diagram "VLAN 10" or whatever.

That's also not necessarily wrong. VLANs aren't always for security, but if you mean to allow this behavior, you should say so.

I installed a UBNT EdgeSwtich 24port Lite

I'm curious: why not a CRS326 or similar? You'd have better luck getting help here that way. As it stands, you need an expert in two complicated platforms for optimal results.

Hav0c · Sat May 07, 2022 3:05 pm

That's a switch-type configuration, not a router configuration. Your LAN is bridged to your WAN. That's not impossibly wrong, but it is suspect given your evident wish to break the network up by VLANs. There should be 5 or 6 routing layers in here somewhere.

Yes I know it's switch-type configuration as I use the MK as a switch that hands out VLANs
Route List Routers Tab shows all working and config does work as is for original intended purposes

You're putting a DHCP client on the same bridge that's running DHCP servers, creating a race condition of who can answer first.
Put it on the WAN port only, facing your Internet router.

Initially The clients was assigned Static VLAN IDs so there was no race what so ever as the VLAN DHCP waited for someone asking for a VLAN IP it did not just hand out IPs as see fit
Now the ES should do the allocation based on what port the client is plugged into.

You're masquerading everything with that move, including internal VLAN traffic. Once again, put it on the WAN interface only.

Do not see an issue with this as the scrip does work as is for what it was intendent to do.

Your problems go deeper than this, but your description is incomplete, so I'll stop here.

Okay.

For instance, what's on ports 2-16 of the EdgeSwitch? You leave that unsaid. I can infer VLAN 1 clients, but I don't want to guess, and your posted configuration doesn't say what's supposed to happen to their traffic.
Draw out a diagram with the flows and the intentional blockages showing.

Still the same drawing only thing now is there an ES Switch between MK and Clients viewtopic.php?t=176608#p865838

Without bridge VLAN filtering, you do realize you have no security, right? Anyone can walk up and say, "I'm on VLAN 40", and your switch will believe it. Once you get your inter-VLAN routing working properly, traffic will flow even though that port's labeled on your diagram "VLAN 10" or whatever.
That's also not necessarily wrong. VLANs aren't always for security, but if you mean to allow this behavior, you should say so.

No I did not know that VLAN filtering was for security purposes.
And Yes it was intendent for a STATIC VLANID assigned to a client to be assigned that VLANs IP range. As I am sure a client assigned VLANID 20 would not get an IP from VLANID 30 DHCP range....

I'm curious: why not a CRS326 or similar? You'd have better luck getting help here that way. As it stands, you need an expert in two complicated platforms for optimal results.

As I am not a MK user and I got the ER laying around. Got the MK from someone that wanted to toss it out.

Sat May 07, 2022 3:25 pm

Yes I know it's switch-type configuration as I use the MK as a switch that hands out VLANs

My point is, the WAN port should be outside the bridge, as in the "AP Router" case documented here.

Initially The clients was assigned Static VLAN IDs so there was no race what so ever as the VLAN DHCP waited for someone asking for a VLAN IP it did not just hand out IPs as see fit

I'm not talking about the client machines. What stops the DHCP client on the RouterOS box from getting an answer from the DHCP servers running on the same bridge?

anav · Sat May 07, 2022 4:03 pm

Dont care whats on the ubnt,,,,,,,,,,,,
Showing parts of a config is partly userful...... see the pattern.
This should have been a one and done post. Config--> solution.

Two errors
---> Poor communication by OP
---> Guessing attempts by responders without all the facts..............

Hav0c · Sat May 07, 2022 5:11 pm

@Anav

Dont care whats on the ubnt,,,,,,,,,,,,
Showing parts of a config is partly userful...... see the pattern.
This should have been a one and done post. Config--> solution.

Two errors
---> Poor communication by OP
---> Guessing attempts by responders without all the facts..............

Weren't you the one that said the Original scrip would/could not work and after almost a year later I am still using it ?
But hey Not here to cast stones .....
So without pointing out the errors why did you not solve the problem or ask the correct questions ? and as you elegantly stated "..see the pattern."
And I am not showing parts of a config it's the full MK config that I want to change.

anav · Sat May 07, 2022 5:51 pm

If you have a working config why are you here?
If you know what the problem is, by having the arrogance to show only the part of the config you think is relevant, then solve your own problem!

If you post the complete config I will have a look. Otherwise, I will move on.

........................................... Tom Cruise said it best......
https://www.youtube.com/watch?v=hZM_x-P_AVk

Hav0c · Sat May 07, 2022 6:32 pm

If you have a working config why are you here?
If you know what the problem is, by having the arrogance to show only the part of the config you think is relevant, then solve your own problem!
If you post the complete config I will have a look. Otherwise, I will move on.

You actually read the last two paragraphs where I stated what is wrong ? hmmmmm....
If I knew what the problem was do you really think I would have made a post here or even wast some actually helpers time on this Forum ?
Just an FYI in terminal using export GAVE ME THAT SCRIPT i posted so not sure what "complete config" you are on about.

........................................... Tom Cruise said it best......
https://www.youtube.com/watch?v=hZM_x-P_AVk

What part ?
The part where it stated, not knowing how it feels or where it is there to help others ?
Bit unclear seeing it can be interperated in a couple of ways.

Sat May 07, 2022 6:40 pm

If I knew what the problem was do you really think I would have made a post here

I believe he's reacting to responses like "config does work as is for original intended purposes". If you aren't going to take advice, why are you asking for advice?

terminal using export GAVE ME THAT SCRIPT i posted

You must've edited it afterward, because there are at least two sections, maybe three, that I can see you removed, by comparison to a similar device here. (RB960PGS)

The most important is that you edited out the comments at the top, which give us important details like the RouterOS version you're running and the model number. And yes, I know you said RB750 in the first post, but you see, MikroTik put out 3 classic models in that series, plus 4 still-current ones. You're making us guess which one you've got by not being specific.

These details might matter.

That then makes us wonder what else you've edited out.

anav · Sat May 07, 2022 7:20 pm

Many others like tangent are more patient and are willing to spend time teasing out tidbits of information post after post, till finally enough of a picture is revealed LOL. If you are experienced, and not a beginner then all the pertinent information should be in the first post, which means.
a. diagram
b. full config
c. requirement full stated
d. problems encountered.
e. troubleshooting attempted
etc..
or some reasonable subset of the above, but mostly the full config.

Hav0c · Sat May 07, 2022 7:32 pm

You must've edited it afterward, because there are at least two sections, maybe three, that I can see you removed, by comparison to a similar device here. (RB960PGS)

The most important is that you edited out the comments at the top, which give us important details like the RouterOS version you're running and the model number. And yes, I know you said RB750 in the first post, but you see,
These details might matter.
That then makes us wonder what else you've edited out.

# may/07/2022 18:24:01 by RouterOS 6.48.6
# software id = C8Q7-Y4LI
#
# model = 750
Other than the RouterOS you could gain from the top headers the model is as I stated. Serial number has nothing to do with the workings of anything.
I do not see why I would hide anything if I needed help with a product I do not understand as I only play with the thing as needed and forget about it.

anav · Sat May 07, 2022 7:43 pm

The main reason we ask for the full config is due to the fact that many config items overlap or integrate with one another and thus a config line can interfere or mess with other config settings. Also sometimes OPs dont understand the inter relationships of how different config lines depend on each other or affect one another........ More often than not, the OP doesnt really understand the limitations of the type of ISP connection they have.

Sat May 07, 2022 8:03 pm

# model = 750

Okay, now I can tell you something interesting: that's an eighth RB750 series device not on either list linked above. It appears to be the progenitor of the line, the predecessor to the current hEX Lite, also called the RB750r2.

This is really, really old hardware. (September 2009 newsletter PDF.) The hEX Lite has twice the RAM, over twice the CPU MHz, and a more capable switch chip. Since the differences called out in the latter doc affect VLANs, it's the sort of thing we might need to know, you see?

As it happens, the primary lack in that switch chip compared to the one in the hEX Lite doesn't seem to affect you: it only supports 16 VLAN entries, while you only need 6. (I'm assuming VLAN 1 counts in that table. It might not.) Still, you can see that it's a thing we should wish to check for a question like yours.

Serial number has nothing to do with the workings of anything.

Yes, that's fine to edit out.

More broadly, I think it's fine to edit the config before posting, but then say what you did and why. Don't make us guess at what's missing.

Hav0c · Mon Aug 01, 2022 4:36 pm

Hi,
Been sitting with this problem/issue from some time now.

Finally it seems I got it resolved, so here is my config and hope it helps someone in my shoes.

The untagging is done via the Switch, the Mikrotik just pass all to the switch.

MK config

/interface bridge
add name=bridge_ALL
/interface vlan
add interface=bridge_ALL name=VLAN10 vlan-id=10
add interface=bridge_ALL name=VLAN20 vlan-id=20
add interface=bridge_ALL name=VLAN30 vlan-id=30
add interface=bridge_ALL name=VLAN40 vlan-id=40
add interface=bridge_ALL name=VLAN50 vlan-id=50
/ip pool
add name=VLAN10Pool ranges=172.16.10.10-172.16.10.254
add name=VLAN20Pool ranges=172.16.20.10-172.16.20.254
add name=VLAN30Pool ranges=172.16.30.10-172.16.30.254
add name=VLAN40Pool ranges=172.16.40.10-172.16.40.254
add name=VLAN50Pool ranges=172.16.50.10-172.16.50.254
/ip dhcp-server
add address-pool=VLAN10Pool disabled=no interface=VLAN10 lease-time=12h name=VLAN10dhcp
add address-pool=VLAN20Pool disabled=no interface=VLAN20 lease-time=12h name=VLAN20dhcp
add address-pool=VLAN30Pool disabled=no interface=VLAN30 lease-time=12h name=VLAN30dhcp
add address-pool=VLAN40Pool disabled=no interface=VLAN40 lease-time=12h name=VLAN40dhcp
add address-pool=VLAN50Pool disabled=no interface=VLAN50 lease-time=12h name=VLAN50dhcp
/interface bridge port
add bridge=bridge_ALL interface=ether1
add bridge=bridge_ALL interface=ether2
add bridge=bridge_ALL interface=ether3
add bridge=bridge_ALL interface=ether4
add bridge=bridge_ALL interface=ether5
/interface bridge vlan
add bridge=bridge_ALL vlan-ids=10
add bridge=bridge_ALL vlan-ids=20
add bridge=bridge_ALL vlan-ids=30
add bridge=bridge_ALL vlan-ids=40
add bridge=bridge_ALL vlan-ids=50
/ip address
add address=172.16.10.1/24 interface=VLAN10 network=172.16.10.0
add address=172.16.20.1/24 interface=VLAN20 network=172.16.20.0
add address=172.16.30.1/24 interface=VLAN30 network=172.16.30.0
add address=172.16.40.1/24 interface=VLAN40 network=172.16.40.0
add address=172.16.50.1/24 interface=VLAN50 network=172.16.50.0
/ip dhcp-client
add disabled=no interface=bridge_ALL
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=172.16.30.0/24 gateway=172.16.30.1
add address=172.16.40.0/24 gateway=172.16.40.1
add address=172.16.50.0/24 gateway=172.16.50.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_ALL

EdgeSwitch Setup
I found disabling Spanning Tree Protocol made it work

VLAN setup
Port 1 is my Trunk Port
Port 15, 16 is VLAN 10 and 17, 18 is VLAN 20 and so on for the rest of the VLANs

MK to UBNT EdgeSwitch VLANs [SOLVED]

MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs

Re: MK to UBNT EdgeSwitch VLANs [SOLVED]

Who is online