Hello,

All low- and middle-end models have switch-chip:
http://i.mt.lv/routerboard/files/RB3011 ... 123613.png

high-end models do not have switch chip:
http://i.mt.lv/routerboard/files/CCR101 ... 130439.png

but we need some switch-like vlan functionality for ports on these high-end models:
VLAN Header action for incoming and outgoing packets:
1) add if missing
2) always strip
3) leave as is

Is already available! VLAN interfaces and bridge.

>>Is already available! VLAN interfaces and bridge.

I have already asked, how can i add tag for incoming traffic, and strip tag on outgoing traffic, but got no response: http://forum.mikrotik.com/viewtopic.php?f=2&t=107121

How you propose add tag or strip tag w/o switch-chip??

Create a VLAN interface with parent etherx and desired VLAN tag, and add that VLAN interface to the bridge.

When you ask so many questions yet accept no answers or advise, it is not remarkable that at some point
you get ignored. I would advise you to leave tasks that are above your capability to someone else when you
do not want to study the matter.

>>Create a VLAN interface with parent etherx and desired VLAN tag, and add that VLAN interface to the bridge.

When i create a VLAN interface with parent etherx and desired VLAN tag, i get TAGGED traffic. This interface can receive only packets with tag, and transmit packet with tag.

How can i add tag for incoming (untagged) traffic, and strip tag on outgoing traffic?

Here is the link to VLAN examples which should help:
http://wiki.mikrotik.com/wiki/Vlans_on_ ... nvironment

>>Here is the link to VLAN examples which should help
omg! how it works???
you connect tagged vlan10 interface and untagged ether1 interface. they should not communicate!

It looks like the Mikrotik bridge automatically add tags and strip tags!
But, your bridge documentation (http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge) does not contain any information about this CRITICAL feature!
Mikrotik team, you need to place on the site more detailed documentation!

It looks like the Mikrotik bridge automatically add tags and strip tags!

The virtual vlan interface connected to a physical interface is the one untagging incoming and tagging outgoing traffic.
If you put 2 physical interfaces (without attached vlan interfaces) on a bridge, the ports will behave like trunks, keeping all the tags.
If you bridge only vlan interfaces, the traffic inside the bridge is untagged, being stripped by the vlan interfaces.
The traffic extracted by a vlan interface attached to the physical one will not appear in a bridge in which the physical interface is part of (while all other vlans will).

That is why this works:

>>Here is the link to VLAN examples which should help
omg! how it works???
you connect tagged vlan10 interface and untagged ether1 interface. they should not communicate!

But, how to connect two bridge?? i need communicate from internet to IP1 and IP2.
i tried this:

1) create vlan1 on interface bridge1; add vlan1 to bridge2.
THIS NOT WORK!

2) create vlan1 on interface bridge2; add vlan1 to bridge1.
THIS NOT WORK!

3) create vlan1 on interface bridge1; create vlan2 on interface bridge2; create bridge3; add vlan1 and vlan2 to bridge3.
THIS NOT WORK!

(communication work only when i add ether4 to bridge1)

Why variants 1) 2) 3) do not work?

Why are you even creating VLANS? your explanation is not clear.

Why not create 1 Bridge and then add ether1, ether3 & ether4 to the bridge? Are you trying to tag traffic out ether3 & ether4?

Why are you even creating VLANS? your explanation is not clear.
Why not create 1 Bridge and then add ether1, ether3 & ether4 to the bridge? Are you trying to tag traffic out ether3 & ether4?

please see full story: http://forum.mikrotik.com/viewtopic.php?f=2&t=107046

Ok, should be fine.

Create vlan 10 on ether3
Create vlan 11 on ether3
Create vlan 20 on ether4
Create vlan 21 on ether4

Create 2 bridges

BridgeISP-A
Ether1, vlan10, vlan20

BridgeISP-B
Ether2, vlan11, vlan21

Then tag the esxi host interface with those vlans and you should achieve your goal

omg! see picture and link
traffic should be UNTAGGED!

wow.

With an attitude like that its no wonder you are not getting help.

How can you possibly think that putting two different networks on the same broadcast domain is a smart thing to do.

The issue is not Mikrotik its the way you *think* it needs to be done.

Cheers

>>How can you possibly think that putting two different networks on the same broadcast domain

where you see the two different networks at the picture above?

You know what the problem is? You came here, because you wanted to solve something. Some big goal consisting of several parts/steps. But you don't tell us about big goal and all its details. You just told us about step #1, which you're set on doing in one specific way, and refuse to accept that it might not be the right way. And when you get working solution (that would be ZeroByte's option 3 in the other thread(*)), you start doing something else on top of that and then complain how it does not work. But you don't bother to tell anyone what's the next thing you're trying to do now. Which in fact you should have told us about in advance, because it could influence what the proper solution for step #1 is.

(*) I don't know what's the idea behind spreading your problem over several threads and I don't think it makes things clearer at all.

Don't take it a wrong way, it's meant as friendly advice.

>>How can you possibly think that putting two different networks on the same broadcast domain

where you see the two different networks at the picture above?

Please draw a complete map of the entire solution you want to see with all involved connections and addresses.
Don't use fake addresses all over the place. You can do some fake address for an external address but not
for RFC1918 addresses. And when you use a fake address don't use a RFC1919 value.

Then explain us how it should function (e.g. where it should NAT if anywhere, what it should filter, which incoming
translations there should be if there is NAT, etc)

Only with a complete picture of the situation it is possible to explain how you should approach the problem.
Most likely there will be no bridge involved, and certainly no bridge with more than ether3 and ether4.

I already some times described my configuration, and what I want to get:
http://forum.mikrotik.com/viewtopic.php ... 46#p532057
http://forum.mikrotik.com/viewtopic.php ... 46#p532146

one more time
I have:
1) two utp cables from ISP1 and ISP2
2) Mikrotik CCR
3) two ESXi hosts

ISP1 and ISP2 connected to ether1 and ether2
host1 and host2 connected to ether3 and ether4
all external traffic should be untagged.

I need:
1) one Mikrotik interface should have public IP1 from ISP1
2) another one Mikrotik interface should have public IP2 ftom ISP2
3) some VMs on both ESXi hosts should have public IP addresses (from both ISP)

But, currently this is impossible to implement without external switch.
If necessary, I can buy a Mikrotik CCR with switch-chip.

3) some VMs on both ESXi hosts should have public IP addresses (from both ISP)

1. What are these IP addresses? How do they relate to IP1 and IP2 (external IPs on your ISP-facing CCR interfaces)? Are they in the same subnet?
2. Why do you need the traffic on the ESXi-facing ports to be untagged? (A few posts above you attached a picture telling us that you want that traffic to be untagged)

I already some times described my configuration, ...

... in vague terms and you continue to do so. Don't be affraid to get technical, we can handle it. We do not want "IP1" and "IP2", we want addresses, gateways, netmasks, i.e. description like this:

ISP1: network 1.1.1.0/28, default gw 1.1.1.14 (ISP's router), my router should get 1.1.1.1 and ESXi guests 1.1.1.2-13
ISP2: network 2.2.2.16/29, default gw 2.2.2.17 (ISP's router), my router should get 2.2.2.18 and ESXi guests 2.2.2.19-22

Don't want to share your real addresses with whole world? No problem, make them anonymous. But don't invent something completely fake, just take your real addresses and give us x.x.1.1 instead of 1.1.1.1 and y.y.2.1 intead of 2.2.2.1.

If there are some limitations, like you not being able to touch ESXi settings, fine, we can accept that and think about them as blackboxes instead of configurable ESXis. But you in turn need to accept that it might make simple and straightforward solution impossible and some workaround might be needed instead. And it might not be exactly what you had in mind.

Also, are you sure that you did not forget anything? You were attempting to do something with NAT. So you don't need that anymore, or did you forget to mention it now? Every little detail is important. Future plans are important.

I have provided enough information.
You can use any addresses, that does not matter.

I have provided enough information.
You can use any addresses, that does not matter.

I am afraid you did not.

You did not mention what kind of addresses and routing you get from your two ISPs.
Do you have a subnet from each, where they route everything via one address? (your MikroTik address)

Again, please give actual information with subnet masks for your addresses.
Also specifity how the ESXi systems are confgured. Do they have a subnet and a fixed router, if so at
what address?

As far as I understand it from your limited info I see no reason to switch or bridge, but it can be routed.
But maybe you are withholding crucial details.

Addresses were not the only thing I asked about. Anyway, good luck, this interrogation is no fun.

What you really want is to bridge the isp's net together? From what i can se from what you write - you should just bridge all ethernet togetner, and separate by ip.

The problem here is your solution. I would recomand that you use vlan in your vmware servers.

Make vlan 11 and 12 to esx host 1
Make vlan 13 and 14 to esx host 2

put vlan config your vmware server

then bridge vlan 11 and 13 to isp 1 interface and vlan 13 and 14 to isp2 interface. You will then be able to have both isps traffic to both esxi hosts

I already some times described my configuration, and what I want to get:
http://forum.mikrotik.com/viewtopic.php ... 46#p532057
http://forum.mikrotik.com/viewtopic.php ... 46#p532146

one more time
I have:
1) two utp cables from ISP1 and ISP2
2) Mikrotik CCR
3) two ESXi hosts

ISP1 and ISP2 connected to ether1 and ether2
host1 and host2 connected to ether3 and ether4
all external traffic should be untagged.

I need:
1) one Mikrotik interface should have public IP1 from ISP1
2) another one Mikrotik interface should have public IP2 ftom ISP2
3) some VMs on both ESXi hosts should have public IP addresses (from both ISP)

But, currently this is impossible to implement without external switch.
If necessary, I can buy a Mikrotik CCR with switch-chip.

ccr1009 have a switch on ports eth1 eth2 eth3 and eht4

http://i.mt.lv/routerboard/files/CCR100 ... 142421.png

if you need the power of ccr1016 ccr1036 or ccr1072 just add a switch or a hEX (60 US) and use it as a switch

What you really want is to bridge the isp's net together? From what i can se from what you write - you should just bridge all ethernet togetner, and separate by ip.

It is completely unclear what he really wants, and even worse: he does not want to explain it either.
He mainly wants to whine. He opens tons of questions and feature requests for implementing a
completely obscure network design that should just be re-done or at least documented better.

Unfortunately, if someone doesn't understand something or can't do something, they tend to reject it.
This is the result of education.

It is a simple claim by the questioner:
He wants to connect two (or more) bridges.
Just as you would do with the physical ports of a Mikrotik router from the outside, using a patch cable.
We want to skip these cables and ports.

Otherwise, it currently works with Metarouter.