plarsson
just joined
Topic Author
Posts: 4
Joined: Sat Sep 24, 2022 3:14 pm

Add VLAN tag to Access port

Sat Sep 24, 2022 3:41 pm

Hi,
I have some issues with my setup; this is the first time I'm using MikroTik, so I'm not sure where to start.
My setup that I seem to have issues with is
on my CRS-326 running SwOS,
Port 1 is my incoming internet connection - I want all this traffic on VLAN2
Ports 2-20 are access ports for PCs; they should be untagged for VLAN5 and no other VLANs should go to them
Port SFP-SFPPLUS2 - hybrid port, untagged traffic should go to VLAN5, All other traffic should be tagged with VLAN appropriately (This port also contains my router, so it tags VLAN2 traffic as WAN)

Note: the PC setup works; I've been running the setup on an Aruba switch for a couple of years and am simply migrating the system to the MikroTik switch.

so the problem:
Yesterday, I moved everything over and it seemed to be working, but sometime during the morning, the WAN port on the firewall would no longer get an IP and internet stopped working.
When looking at the traffic, there seemed to be some small amount of traffic to the internet (even though my firewall said there was not - and it had no IP)
At first I suspected my internet provider, but as soon as I moved the internet back to the old switch it started working; when I moved it back now, it lost the IP. It could from time to time get an IP for 2-3 seconds, then it was cleared out again.

So my question here is - Did I set up the switch properly, so that any traffic that goes into Port1 gets tagged with VLAN2 traffic and never gets untagged elsewhere?
anything else that someone can think of?

Link config (Port1 is currently not connected as I'm using internet through my other switch for now)
port1_config.png
SFP_config.png
VLAN:
Vlan_port1_config.png
VLAN_SFP_Config.png
VLANs:
VLANs.png
At first I tried this with RouterOS, but had issues getting that set up, but if that is a better option, I would be happy to give that a try (I just didn't really understand the Bridge/interface concept there and how that interacted with VLANs and addresses.)
 
Buckeye
Long time Member
Posts: 518
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Add VLAN tag to Access port

Sat Sep 24, 2022 11:55 pm

> so the problem:
> Yesterday, I moved everything over and it seemed to be working. but sometime during the morning, the WAN port on the firewall would no longer get an IP and internet stopped working.
> When looking at the traffic, there seemed to be some small amount of traffic to the internet (even though my firewall said there was not - and it had no IP)
> At first I suspected my internet provider, but as soon as I moved the internet back to the old Switch it started working, when moved it back now it lost the IP. It could from time to time get an IP for 2-3 seconds, then it was cleared out again.
Your ISP probably doesn't like getting multiple MAC addresses from you. Or it could be you didn't disable spanning tree protocol on the port connected to the ISP.

In general the port connected to the ISP should not allow management access to the switch, should not be configured for spanning tree protocol, and should have all "switch based" discovery protocols disabled.

It appears that on SwOS, MikroTik Discovery Protocol is a global setting in the System tab, so I don't know if there is an easy way to disable it on a specific port (it may be possible using ACLs but I have never found good documentation for ACLs in SwOS).

If you haven't found the SwOS documentation for the CRS-3xx here is where it lives. CRS3xx and CSS326-24G-2S+ series Manual
Last edited by Buckeye on Sun Sep 25, 2022 9:43 am, edited 1 time in total.
 
Buckeye
Long time Member
Posts: 518
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Add VLAN tag to Access port

Sat Sep 24, 2022 11:59 pm

I have a CSS106-5G-1S (the only type of MikroTik switch I have) and I have never used the "Force VLAN ID" option. In my opinion, it is an option that shouldn't be used unless you are sure you understand what it does and why you would want to classify all traffic into a single VLAN, regardless of whether it was tagged or untagged when it was received. My understanding of what it does is similar to having a "bargain bin" with a sign, all items in this bin are $1 each regardless of any price labels.

If you look at the examples in the documentation, you will see they don't use that option.
 
k6ccc
Forum Guru
Posts: 1065
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Add VLAN tag to Access port

Sun Sep 25, 2022 9:09 am

I'm largely with Buckeye on this. I do not have Force VLAN ID on any of my untagged ports. I looked at a couple of my switches, and for untagged ports, I have VLAN mode as Disabled, and VLAN Receive as Only Untagged. On trunk ports, they are set to Strict, Only tagged, and Default VLAN ID is a bogus number. Again, I do not Force VLAN ID.
RB4011iGS+, RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them into submission, or they beat me into submission

Warning: I know enough to be dangerous...

Jim
 
plarsson
just joined
Topic Author
Posts: 4
Joined: Sat Sep 24, 2022 3:14 pm

Re: Add VLAN tag to Access port

Sun Sep 25, 2022 3:37 pm

Thank you for the replies!
After the input and doing some reading, I agree that the Force VLAN ID should not be selected. From what I could tell it applies the default VLAN id to all incoming packets (So I'm surprised - and concerned - that anything worked even for a bit when that was enabled)

I de-selected it and tested and it ran good... for a while... The very next morning, the same thing happened again. All of a sudden internet stopped working. Checked my firewall and the WAN IP was cleared out again.
As soon as I moved the internet link back to the old switch it started working again.

I also already had disabled RSTP on that particular port.

Since it takes several hours before there are any issues, I think I need to wait until next weekend to try again.
Though at this time I'm at a loss of what to try next.
Edit - just noticed one more thing that I had missed the last time I read the comments "and should have all "switch based" discovery protocols disabled" - since I'm really not using any other switches I will try to disable that next time I can try.

please let me know if you have any other suggestions. Thanks!
 
k6ccc
Forum Guru
Posts: 1065
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Add VLAN tag to Access port

Sun Sep 25, 2022 7:50 pm

What version of SwitchOS are you running? This is almost sounding like an old bug that was fixed a couple years ago.
 
plarsson
just joined
Topic Author
Posts: 4
Joined: Sat Sep 24, 2022 3:14 pm

Re: Add VLAN tag to Access port

Mon Sep 26, 2022 12:28 am

2.13 - I think that is the latest?
 
plarsson
just joined
Topic Author
Posts: 4
Joined: Sat Sep 24, 2022 3:14 pm

Re: Add VLAN tag to Access port  [SOLVED]

Wed Sep 28, 2022 1:43 am

Found the issue (or well, it's been working for over a day now): it turned out to be a UserDidNotReadManual issue.
I saw an option called trusted port, and figured; well internet is not trusted and turned it off for incoming traffic... If I would have read, I quickly would have seen that it's stopped DHCP from forwarding...
 
Buckeye
Long time Member
Posts: 518
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Add VLAN tag to Access port

Wed Sep 28, 2022 4:52 am

> Found the issue (or well it's been working for over a day now) turned out to be UserDidNotReadManual issue.
> I saw an option called trusted port, and figured; well internet is not trusted and turned it off for incoming traffic... If I would have read, I quickly would have seen that it's stopped DHCP from forwarding...
Yes, that would cause the problem you described, and it wouldn't have an immediate effect (you will only notice it when your DHCP lease expires).

Thanks for updating the issue so others can learn from your experience.
Last edited by Buckeye on Thu Sep 29, 2022 12:21 am, edited 1 time in total.
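Added example (not from the thread or from MikroTik): a generic DHCP-snooping model showing why an untrusted ISP-facing port only costs the firewall its WAN address once the lease it already holds runs out. The one-hour lease and the function names are assumptions; Port1 and SFP-SFPPLUS2 are the port names from the first post.

```python
# Generic DHCP-snooping model (added illustration, not SwOS code).
SERVER_MSGS = {"OFFER", "ACK", "NAK"}          # only a DHCP server sends these
ISP_PORT, FW_PORT = "Port1", "SFP-SFPPLUS2"    # port names from the first post
REPLY_TO = {"DISCOVER": "OFFER", "REQUEST": "ACK"}

def snoop_forwards(msg_type, ingress_port, trusted_ports):
    """Server messages pass only if they arrive on a trusted port."""
    return msg_type not in SERVER_MSGS or ingress_port in trusted_ports

def exchange(client_msg, trusted_ports):
    """One round trip firewall -> ISP -> firewall; True if the reply arrives."""
    return (snoop_forwards(client_msg, FW_PORT, trusted_ports)
            and snoop_forwards(REPLY_TO[client_msg], ISP_PORT, trusted_ports))

def simulate(trusted_ports, lease_s=3600, run_s=4 * 3600):
    """Firewall starts with a fresh lease obtained elsewhere (assumed 1 h).

    Returns (second at which the address is lost or None, dropped replies).
    """
    start, dropped = 0, 0
    while start < run_s:
        for frac in (0.5, 0.875):            # T1 and T2 renewal timers (RFC 2131)
            t = start + int(lease_s * frac)
            if exchange("REQUEST", trusted_ports):
                start = t                    # renewed: lease restarts at t
                break
            dropped += 1                     # ACK discarded at the ISP port
        else:
            return start + lease_s, dropped  # both renewals failed: lease expires
    return None, dropped

if __name__ == "__main__":
    for label, trusted in (("ISP port untrusted", set()),
                           ("ISP port trusted", {ISP_PORT})):
        lost_at, dropped = simulate(trusted)
        print(f"{label}: address lost at {lost_at} s, "
              f"{dropped} server replies dropped, "
              f"new lease possible: {exchange('DISCOVER', trusted)}")
```

In the untrusted case the client's own requests still leave the switch; only the server's replies are discarded, so the address survives until the existing lease expires and no new lease can be obtained afterwards.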
 
miankamran7100
newbie
Posts: 47
Joined: Tue Sep 17, 2019 9:28 am

Re: Add VLAN tag to Access port

Wed Sep 28, 2022 3:57 pm

hello
Dear all
Hope you are fine. I'm facing an issue with MikroTik Router V7 CCR2004 16G 2S+
I want to configure vlans
vlan 101 on port1,
vlan 102 on port2,
vlan 103 on port3,
vlan 104 on port4,
vlan 105 on port5,
vlan 106 on port6,
Trunk port ether7 which pass vlan to next firewall/router.
I have tried many times, so many ways, bridge VLANs & many more, but am unable to listen to traffic in the next firewall. While I have made access ports on a Cisco switch, first 6 ports and port7 as trunk, it is working fine and able to listen in the firewall.
You are requested please guide me.
few screen shot is attached
Thanks & Regards
Mehar
 
Buckeye
Long time Member
Posts: 518
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Add VLAN tag to Access port

Wed Sep 28, 2022 8:45 pm

> I'm facing issue with Mikrotik Router V7 CCR2004 16G 2S+
> I want to configure vlans
Since this thread is marked solved and your problem is not related to this thread, please open a new thread. If you think there is something in this thread that applies to your problem, put a link to the post that is related. But copy your post to a new thread, then delete the one here, and I will delete this post then.
 
miankamran7100
newbie
Posts: 47
Joined: Tue Sep 17, 2019 9:28 am

Re: Add VLAN tag to Access port

Wed Sep 28, 2022 9:13 pm

How to open new thread??
 
k6ccc
Forum Guru
Posts: 1065
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Add VLAN tag to Access port

Wed Sep 28, 2022 9:19 pm

On the list of forum topics, click the big green box that says "New Topic"
 
Buckeye
Long time Member
Posts: 518
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Add VLAN tag to Access port

Wed Sep 28, 2022 10:31 pm

Here are pictures.
Select Category.png
New Topic.png