 
dromon
just joined
Topic Author
Posts: 12
Joined: Thu Dec 23, 2021 11:51 pm

VLAN Configuration without Bridge

Tue Dec 27, 2022 3:24 am

Hello all,

Perhaps I missed something in my research but I am having a devil of a time setting up a simple one-port VLAN on my CCR2004-1G-12S+2XS. Here is what I am trying to achieve:

  • I have a site-to-site wireguard VPN which is functioning as expected for years now.
  • I would like to bypass this and route to the great, wide internet for specifically marked traffic. This traffic is marked on a per-application-instance basis (e.g. there may be some HTTPS traffic destined for the VPN while other traffic needs to bypass direct to the outside world).
  • To mark this traffic, I am creating a VLAN (1050) with the intent that any traffic the router receives on this VLAN will skip the relevant mangle rules. Note that I am not yet even at the mangle step, so it will not be discussed further.
  • VLAN traffic is expected to arrive on sfp-sfpplus3 along with untagged traffic.

To try to implement this, I have read a bunch of articles, almost all of which seem to involve setting up a bridge. To my (admittedly limited) understanding, the bridge is superfluous as the traffic arriving just needs to be marked and untagged on ingress. Is there a reason I would still want a bridge in this case?

Given the above, I took a stab at it with:

/interface/vlan/add interface=sfp-sfpplus3 name=sfp3_vlan1050 vlan-id=1050 arp=enabled
/ip/address/add interface=sfp3_vlan1050 address=172.16.50.3/24

And then on my Linux PC on that port (connected via dumb switch):

sudo ip link add link eno1 name eno1.1050 type vlan id 1050
sudo ip addr add 172.16.50.103/24 dev eno1.1050
sudo ip link set up eno1.1050

To my understanding, I should be able to ping 172.16.50.3 (the IP on the VLAN interface on the CCR) from 172.16.50.103 (Linux PC) and vice-versa. Is this assumption correct?

Assuming so, here is where the problem occurs; I am not able to ping the remote host in either direction. If I tcpdump on the Linux machine, I see that there is a properly tagged (802.1Q) ARP message formed and sent but no response is ever received. Bummer. Using /tool/sniffer forwarded to wireshark on the Linux PC, I don't see any VLAN traffic received (/tool/sniffer/set filter-interface=sfp-sfpplus3). Double bummer.

So, in short, what am I missing here?

Additionally, is there a better way to achieve different routing rules on a per-application-instance basis?

Thanks!

Config dump, trimmed for brevity:
# dec/26/2022 17:04:28 by RouterOS 7.1
# software id = QKDK-CKFY
#
# model = CCR2004-1G-12S+2XS
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
set [ find default-name=sfp-sfpplus12 ] disabled=yes
set [ find default-name=sfp28-2 ] disabled=yes
/interface wireguard
add listen-port=59999 mtu=1384 name=wireguard-vpn
/interface vlan
add interface=sfp-sfpplus3 name=sfp3_vlan1050 vlan-id=1050
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool1 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.100-192.168.30.254
add name=dhcp_pool3 ranges=192.168.40.100-192.168.40.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=sfp-sfpplus1 lease-time=30m name=dhcp1
add address-pool=dhcp_pool1 interface=sfp-sfpplus2 lease-time=30m name=dhcp2
add address-pool=dhcp_pool2 interface=sfp-sfpplus3 lease-time=30m name=dhcp3
add address-pool=dhcp_pool3 interface=sfp-sfpplus4 lease-time=30m name=dhcp4
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=routes-vpn
/interface bridge port
add interface=sfp-sfpplus3
add interface=sfp28-1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<redacted> endpoint-port=1337 interface=wireguard-vpn persistent-keepalive=25s public-key="<redacted>"
/ip address
add address=172.16.50.3/24 interface=sfp3_vlan1050 network=172.16.50.0
/ip dhcp-client
add interface=sfp28-1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.20.2,192.168.20.3 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.2,192.168.20.3 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.20.2,192.168.20.3 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.20.2,192.168.20.3 gateway=192.168.40.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!pia_wireguard_conn connection-state=established,related hw-offload=no
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=sfp28-1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=sfp28-1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from incorrect subnet (10)" in-interface=sfp-sfpplus1 log=yes log-prefix=not-10net src-address=!192.168.10.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (20)" in-interface=sfp-sfpplus2 log=yes log-prefix=not-20net src-address=!192.168.20.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (30)" disabled=yes in-interface=sfp-sfpplus3 log=yes log-prefix=not-30net src-address=!192.168.30.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (40)" in-interface=sfp-sfpplus4 log=yes log-prefix=not-40net src-address=!192.168.40.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (50)" in-interface=sfp-sfpplus5 log=yes log-prefix=not-50net src-address=!192.168.50.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (60)" in-interface=sfp-sfpplus6 log=yes log-prefix=not-60net src-address=!192.168.60.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (70)" in-interface=sfp-sfpplus7 log=yes log-prefix=not-70net src-address=!192.168.70.0/24
add action=drop chain=forward comment="Subnet 50 routes ONLY to internet" in-interface=sfp-sfpplus5 log=yes log-prefix=50net-not-inet out-interface=!sfp28-1
add action=drop chain=forward comment="Subnet 60 routes NOWHERE" in-interface=sfp-sfpplus6 log=yes log-prefix=60net-not-routable out-interface=!sfp-sfpplus6
add action=drop chain=forward comment="Subnet 70 routes NOWHERE" in-interface=sfp-sfpplus7 log=yes log-prefix=70net-not-routable out-interface=!sfp-sfpplus7
add action=add-src-to-address-list address-list=syn_flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=syn_flooder
add action=add-src-to-address-list address-list=port_scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=port_scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop anything else!" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=input port=22,9022 protocol=tcp src-address=!192.168.30.10
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=!192.168.0.0/16 new-connection-mark=pia_wireguard_conn src-address=192.168.0.0/16
add action=mark-routing chain=prerouting connection-mark=pia_wireguard_conn new-routing-mark=routes-vpn src-address=192.168.0.0/16
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp routing-mark=routes-vpn tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-vpn
add action=dst-nat chain=dstnat dst-port=9022 in-interface=sfp28-1 protocol=tcp to-addresses=192.168.30.10 to-ports=22
add action=masquerade chain=srcnat out-interface=sfp28-1
/ip route
add dst-address=0.0.0.0/0 gateway=10.25.128.1 routing-table=routes-vpn
add dst-address=0.0.0.0/0 gateway=10.20.128.1 routing-table=routes-vpn
add dst-address=0.0.0.0/0 gateway=10.5.128.1 routing-table=routes-vpn
add dst-address=10.21.128.1/32 gateway=wireguard-vpn routing-table=routes-vpn
add dst-address=0.0.0.0/0 gateway=10.21.128.1 routing-table=routes-vpn
/routing rule
add action=lookup-only-in-table disabled=yes routing-mark=routes-vpn table=routes-vpn
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN Configuration without Bridge

Tue Dec 27, 2022 7:56 pm

> Is there a reason I would still want a bridge in this case?
No.

> To my understanding, I should be able to ping 172.16.50.3 (the IP on the VLAN interface on the CCR) from 172.16.50.103 (Linux PC) and vice-versa. Is this assumption correct?
Yes.

> So, in short, what am I missing here?
Hard to say. As the first step, I'd definitely run just /tool sniffer quick ip-address=172.16.50.0/24 to see whether the frames appear anywhere in the CCR in any form (tagged or tagless).

There is a possibility that the "dumb" switch is not as dumb as you expect and drops VLAN-tagged frames.

> Additionally, if there is a better way to achieve different routing rules on a per application instance basis?
There are other ways, but I hesitate to call them better. Instead of assigning a VLAN tag, you can assign a dedicated source address to that specific traffic, or you can assign a specific ToS value, to inform the router that this traffic has to be treated in a specific way. Or you can use an IPIP or GRE tunnel for the same purpose.
 
Guscht
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: VLAN Configuration without Bridge

Wed Dec 28, 2022 2:45 am

AFAIK, the "single bridge method" is the preferred way of setting up VLANs with ROS.

For simpler settings, you can create a VLAN interface and "bind" it to a physical interface. Via this interface you can communicate ingress/egress with this VLAN tag. But you are not able to do more advanced stuff, like tagging this VLAN on a trunk and untagging it on another port. It's limited, but it works.

The problem with unmanaged switches and VLANs is that their behaviour is not standardized in any IEEE/RFC... It is up to the manufacturer how they handle VLAN frames. Most modern "dumb switches" will work with VLANs, but it is not certain. Maybe they drop the frame, remove the tag (silently), flood it on every port, hang themselves up... Always test unmanaged switches prior to deploying them in a production environment!! If they work, you can imagine them as a 1:n "trunk-to-many" cable.
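The two observations above (dromon sees a correctly tagged 802.1Q ARP request leave the Linux PC; Guscht notes that an unmanaged switch may silently remove the tag) can be reproduced offline with a small frame builder and decoder. This is an added example, not code from the thread or from MikroTik: it constructs the ARP frame that eno1.1050 would emit for 172.16.50.3, models a tag-stripping switch, and shows how a RouterOS VLAN sub-interface expecting VID 1050 would classify each frame. The PC's MAC address is a made-up placeholder; the IPs and VLAN ID are the ones from the first post.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q TPID
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# Constructed sample values (not captured from the thread's network): a
# hypothetical MAC for the Linux PC's eno1, and the two addresses from the post.
PC_MAC = bytes.fromhex("020000aa0001")
BROADCAST = bytes.fromhex("ffffffffffff")
PC_IP = "172.16.50.103"
CCR_IP = "172.16.50.3"
EXPECTED_VLAN = 1050


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(o) for o in b)


def build_arp_request(sender_mac, sender_ip, target_ip):
    """28-byte ARP request: 'who-has target_ip, tell sender_ip' (RFC 826 layout)."""
    header = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)  # Ethernet, IPv4, op=request
    return (header + sender_mac + ip_to_bytes(sender_ip)
            + b"\x00" * 6 + ip_to_bytes(target_ip))


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; with vlan_id set, an 802.1Q tag is inserted after the MACs."""
    frame = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)        # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the Ethernet header and an optional single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id, pcp = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_vlan_tag(frame):
    """Model a 'dumb' switch that silently removes the 802.1Q tag."""
    if parse_frame(frame)["vlan_id"] is None:
        return frame
    return frame[:12] + frame[16:]   # drop TPID + TCI, keep the inner ethertype


def describe(frame):
    """One-line summary in the style of a tcpdump/sniffer output."""
    info = parse_frame(frame)
    tag = f"VLAN {info['vlan_id']}" if info["vlan_id"] is not None else "untagged"
    payload = info["payload"]
    if info["ethertype"] == ETHERTYPE_ARP and len(payload) >= 28:
        return (f"{tag}: ARP who-has {bytes_to_ip(payload[24:28])} "
                f"tell {bytes_to_ip(payload[14:18])}")
    return f"{tag}: ethertype 0x{info['ethertype']:04x}"


def classify(frame, expected_vlan=EXPECTED_VLAN):
    """What a VLAN sub-interface on the router port would make of this frame."""
    vlan_id = parse_frame(frame)["vlan_id"]
    if vlan_id == expected_vlan:
        return "tagged-expected"     # delivered to the vlan interface
    if vlan_id is None:
        return "untagged"            # lands on the base interface only
    return "tagged-other"            # tag present but for another VLAN


# The frame the Linux PC puts on eno1.1050, and what survives a tag-stripping switch.
ARP_PAYLOAD = build_arp_request(PC_MAC, PC_IP, CCR_IP)
TAGGED_FRAME = build_frame(BROADCAST, PC_MAC, ETHERTYPE_ARP, ARP_PAYLOAD, vlan_id=EXPECTED_VLAN)
STRIPPED_FRAME = strip_vlan_tag(TAGGED_FRAME)

if __name__ == "__main__":
    for label, frame in (("sent by PC", TAGGED_FRAME), ("after dumb switch", STRIPPED_FRAME)):
        print(f"{label:18s} {describe(frame)}  -> {classify(frame)}")
```

Running it prints the tagged request as seen on the PC and the same request with the tag gone: the stripped frame still asks for 172.16.50.3, but it arrives on the bare sfp-sfpplus3, where no address in that subnet exists, so the VLAN interface never sees it and no reply is generated. That is exactly the symptom of a tagged ARP leaving the host with nothing arriving in the router's sniffer, and the same decoder can be run over frames captured at the router side to tell a stripped tag apart from a dropped frame.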
 
dromon
just joined
Topic Author
Posts: 12
Joined: Thu Dec 23, 2021 11:51 pm

Re: VLAN Configuration without Bridge

Wed Dec 28, 2022 8:58 pm

Thank you both, for the in-depth answers.

I think the problem is the dumb switch as I can see tagged traffic egressing the Linux host but nothing is ever seen in /tool sniffer quick ip-address=172.16.50.0/24. Unfortunately, due to physical constraints, it will take some doing to excise the dumb switch from the chain. As such, I can create another topic if this device is somehow exonerated.

Thanks again for the support!
