witje
just joined
Topic Author
Posts: 10
Joined: Thu Jan 15, 2015 8:30 pm

VLAN for WAN to enable access port with direct WAN connection

Tue Jan 17, 2023 9:54 pm

This topic is about VLAN so a useful topic to read is: link.

main router: RB750GL with a Atheros 8327 chip
  • ether 1: WAN connection
  • ether 2: trunk to AP/switch
  • ether 3: trunk to switch
  • ether 4: trunk to AP/switch
  • ether 5: maintenance port

VLAN configuration done via /interface/ethernet/switch/vlan (--> reason: Hardware offloading is disabled when using VLAN via "bridge VLAN filtering" (reference link)). --> not done via bridge VLAN filtering as mentioned in the VLAN Topic
  • VLAN 10: main vlan
  • VLAN xx: iot / guest / ...
I now want to create a VLAN100 which gives me the possibility to 'route' a direct WAN connection to some ports on my AP/switches (a computer connected to those ports must receive an external WAN IP)
What I did was to add ether 1 to the LAN Bridge and ether1 is an access port for VLAN100. I changed my DHCP client from ether 1 to VLAN100, I changed the firewall settings and the NAT settings (VLAN100 is the WAN network).

Problem: VLAN100 does not receive an IP (no external IP) and no Internet connection is possible anymore.

What am I doing wrong?
/interface bridge
add admin-mac=...... auto-mac=no comment="Bridge voor Local Network" name="Bridge LAN" protocol-mode=none
add comment="Bridge voor WAN" disabled=yes name="Bridge WAN" protocol-mode=none
add name=bridge_maintenance protocol-mode=none
/interface vlan
add interface="Bridge LAN" name="VLAN Gasten" vlan-id=20
add interface="Bridge LAN" name="VLAN Main" vlan-id=10
add interface="Bridge LAN" name="VLAN Main_ext" vlan-id=15
add interface="Bridge LAN" name="VLAN VLVO" vlan-id=40
add interface="Bridge LAN" name="VLAN WAN" vlan-id=100
add interface="Bridge LAN" name="VLAN iot" vlan-id=30
/interface ethernet switch port
set 0 default-vlan-id=100 vlan-header=always-strip vlan-mode=fallback
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 4 vlan-mode=secure
/interface bridge port
add bridge="Bridge LAN" ingress-filtering=no interface=ether1
add bridge="Bridge LAN" frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether3
add bridge="Bridge LAN" frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether4
add bridge="Bridge LAN" frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether2
add bridge=bridge_maintenance ingress-filtering=no interface=ether5
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=40
add independent-learning=no ports=ether1,switch1-cpu,ether2,ether3,ether4 switch=switch1 vlan-id=100

Anyone an idea?

thanks
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN for WAN to enable access port with direct WAN connection

Tue Jan 17, 2023 9:59 pm

You should not mix VLAN configuration under /interface ethernet switch and under /interface bridge. If you want to have it on switch chip, then configuration under bridge is straight forward without VLANs. Do keep VLAN interfaces, they are necessary in any config scenario.

The config you posted looks quite complete to me. You only have to add ports to bridge ... it's necessary even if you configure VLANs on switch chip.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN for WAN to enable access port with direct WAN connection

Tue Jan 17, 2023 10:11 pm

Hold up mkx, this is an old model I doubt with effective switch chip utilization.
Suggest bridge vlan filtering may be the only viable method ????
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN for WAN to enable access port with direct WAN connection

Tue Jan 17, 2023 10:35 pm

RB750GL has got a decent switch chip (AR8327) and a slow MIPSBE CPU. Much like RB951G which I own a few and work great when VLANs are configured on switch chip directly.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN for WAN to enable access port with direct WAN connection

Tue Jan 17, 2023 10:44 pm

Okay I stand corrected......... Switch chip it is......

Which source/guide applies to this old device.....

P. SWITCH CHIP VLANS
Switch Chip Features - https://help.mikrotik.com/docs/display/ ... p+Features
CRS1 / CRS2 -Switches - https://help.mikrotik.com/docs/pages/vi ... =103841835
CRS3 / CRS5 / CCR2 Switches - https://help.mikrotik.com/docs/display/ ... p+features
L3 Hardware Offloading - https://help.mikrotik.com/docs/display/ ... Offloading
 
witje
just joined
Topic Author
Posts: 10
Joined: Thu Jan 15, 2015 8:30 pm

Re: VLAN for WAN to enable access port with direct WAN connection

Tue Jan 17, 2023 11:17 pm

> Okay I stand corrected......... Switch chip it is......
>
> Which source/guide applies to this old device.....
I used this reference: Basic VLAN Switching

@mkx
I didn't mix /interface ethernet Switch with /interface bridge (I think) --> every port in the bridge settings has the "ingress-filtering=no" (I thought it disables all VLAN settings in the bridge part)
> The config you posted looks quite complete to me. You only have to add ports to bridge ... it's necessary even if you configure VLANs on switch chip.
The ports are added to the bridge (ether 1 to ether 4)

Everything works great, when I use Ether 1 as a 'normal' WAN port, and the VLAN 10-50 on the Bridge. When I try to create the VLAN100 for the WAN, it breaks.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN for WAN to enable access port with direct WAN connection  [SOLVED]

Tue Jan 17, 2023 11:25 pm

Indeed ports are bridge members. I missed that due to useless crap of VLAN config (which, BTW, doesn't do anything because bridge doesn't have vlan-filtering=yes set ... nothing to do with ingress-filtering, that's another functionality).

I think that setting vlan-mode=fallback on ether1 is not correct for access port. I have it set to vlan-mode=secure and works correctly as access port for set default vlan id.
Also verify this: switch1-cpu port (on my RB951G it's the last port with index 5, 0-4 are ether1-5) should be set to vlan-mode=secure.

BTW, I always recommend to enable safe mode when changing settings on switch chip ... if things go wrong, reset to default config (button press or similar) is the only way to regain management access.
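
Added example (not part of the post above and not MikroTik tooling): a small Python check that applies the two points from this reply to the switch-chip part of the first config posted in the thread. The `audit` and `parse` helpers are hypothetical names, and the index-to-port mapping is an assumption copied from the `print` output shown later in the thread.

```python
import re

# Constructed input: switch-chip lines from the first config posted in this thread.
EXPORT = """\
/interface ethernet switch port
set 0 default-vlan-id=100 vlan-header=always-strip vlan-mode=fallback
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 4 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether1,switch1-cpu,ether2,ether3,ether4 switch=switch1 vlan-id=100
"""
# Assumption: index -> port name, as shown by `print` later in the thread.
INDEX = {0: "ether1", 1: "ether3", 2: "ether4", 3: "ether5", 4: "ether2", 5: "switch1-cpu"}

def parse(export, index):
    """Return ({port: {key: value}}, {vlan_id: set(ports)}) from an export."""
    ports = {name: {} for name in index.values()}
    vlans, section = {}, None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if section == "/interface ethernet switch port" and line.startswith("set "):
            ports[index[int(line.split()[1])]].update(kv)
        elif section == "/interface ethernet switch vlan" and line.startswith("add "):
            vlans[int(kv["vlan-id"])] = set(kv["ports"].split(","))
    return ports, vlans

def audit(export, index):
    """List ports that are VLAN members without vlan-mode=secure, or whose PVID VLAN omits them."""
    ports, vlans = parse(export, index)
    members = set().union(*vlans.values())
    findings = []
    for name, cfg in sorted(ports.items()):
        mode = cfg.get("vlan-mode", "unset")  # "unset" = not present in the export
        if name in members and mode != "secure":
            findings.append(f"{name}: vlan-mode={mode}, expected secure")
        pvid = cfg.get("default-vlan-id", "")
        if pvid.isdigit() and name not in vlans.get(int(pvid), set()):
            findings.append(f"{name}: default-vlan-id={pvid} but not in that VLAN's ports")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(EXPORT, INDEX)))
```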
 
witje
just joined
Topic Author
Posts: 10
Joined: Thu Jan 15, 2015 8:30 pm

Re: VLAN for WAN to enable access port with direct WAN connection

Tue Jan 17, 2023 11:40 pm



> I think that setting vlan-mode=fallback on ether1 is not correct for access port. I have it set to vlan-mode=secure and works correctly as access port for set default vlan id.
> Also verify this: switch1-cpu port (on my RB951G it's the last port with index 5, 0-4 are ether1-5) should be set to vlan-mode=secure.
>
> BTW, I always recommend to enable safe mode when changing settings on switch chip ... if things go wrong, reset to default config (button press or similar) is the only way to regain management access.
Thanks I will try it tomorrow... I also have set ether 5 as a separated maintenance port as extra safety measure.
 
witje
just joined
Topic Author
Posts: 10
Joined: Thu Jan 15, 2015 8:30 pm

Re: VLAN for WAN to enable access port with direct WAN connection

Wed Jan 18, 2023 10:34 pm

Thanks,

Setting vlan-mode=secure for the access port and the switch was the solution, I'm now getting an external IP address on my VLAN-WAN. --> it works.

I'll do some further testing and will post a working config as reference for future readers.
 
witje
just joined
Topic Author
Posts: 10
Joined: Thu Jan 15, 2015 8:30 pm

Re: VLAN for WAN to enable access port with direct WAN connection

Sat Jan 21, 2023 11:17 am

Working setting:

Ether1 and 5= Access port for VLAN 100. (set 0 resp. set 3)
Ether1 = connection to provider
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment="Bridge voor Local Network" name="Bridge LAN" protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps

/interface vlan
add interface="Bridge LAN" name="VLAN Gasten" vlan-id=20
add interface="Bridge LAN" name="VLAN Main" vlan-id=10
add interface="Bridge LAN" name="VLAN Main_ext" vlan-id=15
add interface="Bridge LAN" name="VLAN VLVO" vlan-id=40
add interface="Bridge LAN" name="VLAN WAN" vlan-id=100
add interface="Bridge LAN" name="VLAN iot" vlan-id=30

/interface ethernet switch port
set 0 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=secure

/interface bridge port
add bridge="Bridge LAN" ingress-filtering=no interface=ether1
add bridge="Bridge LAN" ingress-filtering=no interface=ether3
add bridge="Bridge LAN" ingress-filtering=no interface=ether4
add bridge="Bridge LAN" ingress-filtering=no interface=ether2
add bridge="Bridge LAN" ingress-filtering=no interface=ether5

/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=40
add independent-learning=no ports=ether1,switch1-cpu,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=100
But I still have a problem getting IP addresses from my provider.
I receive 1 IP address for the main router (on the interface VLAN WAN)
But when I connect a computer on ether 5 then it doesn't receive an address.
When I do the same on one of my AP/switches, and I sniff on ether1 (via mirror port to ether 5 and Wireshark), I can see the DHCP discovery messages on ether 1 (so the LAN part looks OK), but I do not see any responses.
Even more strange. When I create a VLAN interface on my HapAC2 (one of the switch/AP) and set a DHCP client, --> it receives an IP address (and via Wireshark I can see the different DHCP handshaking). When I do the same on the other switch/AP hapAX3, no IP address, and only a DHCP discovery message is 'sniffed'.

Any Ideas?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN for WAN to enable access port with direct WAN connection

Sat Jan 21, 2023 1:42 pm

Verify that ether5 really has index number 3 under /interface ethernet switch port, I'm betting it's index number 4. Executing command print shows port names instead of indices.
 
witje
just joined
Topic Author
Posts: 10
Joined: Thu Jan 15, 2015 8:30 pm

Re: VLAN for WAN to enable access port with direct WAN connection

Sat Jan 21, 2023 1:59 pm

> Verify that ether5 really has index number 3 under /interface ethernet switch port, I'm betting it's index number 4. Executing command print shows port names instead of indices.
Yeah, that looked also strange to me, but:
0 ether1       switch1  secure     always-strip  100            
1 ether3       switch1  secure     leave-as-is   auto           
2 ether4       switch1  secure     leave-as-is   auto           
3 ether5       switch1  secure     always-strip  100            
4 ether2       switch1  secure     leave-as-is   auto           
5 switch1-cpu  switch1  secure     leave-as-is   auto
And port 5 is not connected now, that's confirmed by:
Flags: X, I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#    INTERFACE  BRIDGE              HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
0  H ether1     Bridge LAN          yes     1  0x80             10                  10  none   
1  H ether3     Bridge LAN          yes     1  0x80             10                  10  none   
2  H ether4     Bridge LAN          yes     1  0x80             10                  10  none   
3  H ether2     Bridge LAN          yes     1  0x80             10                  10  none   
4 X  ether5     bridge_maintenance          1  0x80             10                  10  none   
5 IH ether5     Bridge LAN          yes     1  0x80             10                  10  none   
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN for WAN to enable access port with direct WAN connection

Sat Jan 21, 2023 9:07 pm

Did you perform "cold boot" of your mikrotik after finalizing configuration? In some rare cases actual configuration of hardware (switch chip) did not match shown config. So actual performance seemed to be erratic.
Cold boot (starting from state with power source disconnected) solved that.
 
witje
just joined
Topic Author
Posts: 10
Joined: Thu Jan 15, 2015 8:30 pm

Re: VLAN for WAN to enable access port with direct WAN connection

Sun Jan 22, 2023 3:21 pm

aaahhhgg,
why didn't I think about "did you restart your device?"

--> I rebooted the router and the provider's modem.... --> everything works like a charm.

Thanks @mkx for the support!
