ieronymous
just joined
Topic Author
Posts: 8
Joined: Thu Apr 20, 2023 12:52 pm

Is it mirror ports what I am looking for?

Thu Apr 20, 2023 1:10 pm

Hi

I have a CRS326-24G-2S+RM switch with RouterOS ver. 6.48.6. My current setup is as follows.
A pfSense machine with 4 ports igb0, igb1, igb2, igb3.
igb0 is being used for WAN. From igb1 there is a physical connection to the first port of the switch, ether1, and through there
every device gets the private network IPs, like the 192.168.10.0/24 network. Recently I created
2 VLANs, let's say VLAN10 and VLAN20, and via the igb2 interface of pfSense and through a physical
connection, it connects to port 18 of the switch (ether18).
If I tag port 18 with vlan10 and vlan20 and untag each of the VLANs to a different port it plays ok.
What I am trying to accomplish, though, is somehow to connect the switch to a UniFi access point and from there transfer those VLANs
(10 and 20). I thought the only thing I need to do is create a mirror port of the trunk port 18,
let's say 17, and afterwards just connect that port (17) to the access point. There
I have already created the appropriate VLANs. Well, it doesn't play, but if I connect that
igb2 of pfSense directly to the access point, bypassing the switch altogether, it understands both VLANs.

So my questions are

1. How to accomplish this via the switch (I need to do it the way I describe and not the pfSense -> AP way directly)
2. Why does it give the ability for only one port to be mirrored? Switch -> Switch1 -> and there
specify Source and Target ports. After that no other ports can be mirrored. Even that doesn't work.
3. I've read somewhere that the option Switch All Ports (inside the switch1 menu) is just a way for ether1 to participate
in the mirror or not, but I don't think I need this for my specific use case scenario right now.

Any help would be highly appreciated since I have been trying this for almost a week. MikroTik guides on the net are
not an easy thing to find.

Thank you in advance
 
ieronymous

Re: Is it mirror ports what I am looking for?

Thu Apr 20, 2023 8:11 pm

..... is it so difficult, what I am seeking to accomplish?
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Is it mirror ports what I am looking for?

Thu Apr 20, 2023 11:53 pm

It's difficult to understand what you are trying to do. If you want more eyes on the problem, make it easy to understand. Hint: create a network diagram and post it using the "attachments" then "post inline" so the diagram shows up in the post without someone needing to go offsite to download it.

Remember, you are the fisherman. Make the bait attractive to the "fish".

 
Buckeye

Re: Is it mirror ports what I am looking for?

Fri Apr 21, 2023 12:21 am

2. Why does it give the ability for only one port to be mirrored? Switch -> Switch1 -> and there
specify Source and Target ports. After that no other ports can be mirrored. Even that doesn't work.
Because you don't understand what the purpose of a mirror port is. It is to be able to monitor traffic on other ports that it would not normally see. E.g. a network tap for wireshark to be able to capture unicast traffic between hosts on two other ports (different than the mirror port).

What you want is to configure two switch ports in an identical fashion, using the same tagged/untagged as is on the pfsense igb2 port.

Is the UniFi access point expecting its management traffic to be untagged? That's the default unless you go out of your way to change it.

So questions for you:
How is the pfsense igb2 port configured? You talk about two vlans, VLAN10 and VLAN20. Are they both tagged (subinterfaces)? Is there also an ip address on the igb2 interface (untagged)?

What MikroTik documentation have you read?

Although this is from the v7 docs, I think it should apply to v6 as well. It shows an example with tagged only trunk and hybrid trunks (trunks with traffic using an untagged vlan). VLAN Example - Trunk and Hybrid Ports
(disclaimer: I have no CRS switches, the only MikroTik switches I have are RB260GS (CSS106-5G-1S) that use SwOS, and the only other MikroTik devices I have are an RB760iGS (hEX S) and an RB5009 (both of which have vlan-aware switches built in).)
 
ieronymous

Re: Is it mirror ports what I am looking for?

Fri Apr 21, 2023 1:01 am

First of all, thank you for your time and reply.
Because you don't understand what the purpose of a mirror port is. It is to be able to monitor traffic on other ports that it would not normally see. E.g. a network tap for wireshark to be able to capture unicast traffic between hosts on two other ports (different than the mirror port).
Probably, since if I knew that specific portion of the networking part I wouldn't have been asking in the first place. So it is not a port mirror that I am looking for; nice to know, and thank you for the short explanation of the term. Some videos showing how to achieve the mirror port didn't mention the reason they were doing it; on top of that I thought that was what I needed, and therefore the confusion.
What you want is to configure two switch ports in an identical fashion, using the same tagged/untagged as is on the pfsense igb2 port.
..... and what is that process called? The hybrid ports that you mentioned below?
Since that identical port is going to be connected directly to the AP, it needs to stay tagged. I don't think a port can be tagged and untagged at the same time. It would be either one or the other state.
(New edit: Hybrid VLAN is a port in which there is a Trunk Port and Access Port simultaneously)
Anyway, the pfSense igb2 port is tagged (and couldn't be otherwise) and physically connected to the ether18 port of the MikroTik switch. How am I going to get the ether17 port to have that same info of the VLANs as ether18 has, so as to physically connect that port with the AP? As I mentioned in my first post, directly from igb2 of pfSense to the AP it is working. But I want to include the switch as well. It seems weird to me that ether17 (the port that needs to be identical with ether18, which is connected with pfSense) can have that same info without being physically connected to pfSense as well. Another reason I thought that mirror port is what I need.
Is the UniFi access point expecting its management traffic to be untagged? That's the default unless you go out of your way to change it.
I believe now you are opening a new topic with this question. It is another thing how I manage the AP (a UniFi controller is needed, s/w or h/w, and it is on the default VLAN1 which has access to both VLAN10 and 20) and how it expects the VLANs. It expects them tagged, and I can say this by trying it out with pfSense directly (since igb2 of pfSense contains info of VLAN10 and 20, so it is tagged).

So questions for you:
How is the pfsense igb2 port configured? You talk about two vlans, VLAN10 and VLAN20. Are they both tagged (subinterfaces)?
As mentioned above, igb2 transfers tagged VLAN10 and VLAN20 to the MikroTik through port 18, which I have configured in the VLAN section of RouterOS to be tagged with VLAN10, and configured it again (since you can't do it 2 times in the same window). The fact that I also said at which ports those VLANs would come out physically/untagged is irrelevant to the part I'm trying to accomplish.
Is there also an ip address on the igb2 interface (untagged)?
Can't answer that. igb2 is a port on pfSense. On top of that port you create an interface. Inside the options of that interface you give it a static IP and create a DHCP service and a pool of IP addresses. You create rules about that interface as well, and that's it. I don't know if that answers your question, because I don't have a direct answer to that.
VLAN10 and VLAN20. Are they both tagged (subinterfaces)?
I don't know any option in pfSense to specify the port or the interface as tagged or not. So maybe this and the above questions are irrelevant. Maybe, not sure.

What MikroTik documentation have you read?
From the MikroTik wiki, but then again, I told you, I thought I should read about mirroring. If you have no clue what to read, you ask. It's like going to a car mechanic and asking him what to do to change the oil, and he gives me a book on the mechanics of the whole car, saying to me that somewhere inside is the answer. I feel like that occasion.
Although this is from the v7 docs, I think it should apply to v6 as well. It shows an example with tagged only trunk and hybrid trunks (trunks with traffic using an untagged vlan). VLAN Example - Trunk and Hybrid Ports
(disclaimer: I have no CRS switches, the only MikroTik switches I have are RB260GS (CSS106-5G-1S) that use SwOS, and the only other MikroTik devices I have are an RB760iGS (hEX S) and an RB5009 (both of which have vlan-aware switches built in).)
I'll read this as well. Thank you once more.
 
ieronymous

Re: Is it mirror ports what I am looking for?

Fri Apr 21, 2023 1:08 pm

Although this is from the v7 docs, I think it should apply to v6 as well. It shows an example with tagged only trunk and hybrid trunks (trunks with traffic using an untagged vlan). VLAN Example - Trunk and Hybrid Ports
Probably managed to do it. The guide helped, but at the same time didn't. What I did (I hope, in case it is right, it helps others as well) I am describing below.

1. Create a new bridge, name it as you want (I named mine bridgeVlans) and before pressing OK make sure that the VLAN Filtering option is unchecked

2. Create a new VLAN (based on the newly created bridge) with options as below
Enabled -> ticked
Bridge -> bridgeVlans (the one I created)
VLAN IDs -> 40 and 50 (with the down-facing arrow at the left side, you can add as many as needed)
Tagged -> ether18 (the one with the physical connection to pfSense coming from igb2 carrying VLAN40 and VLAN50)
-> ether17 (the one that I will connect physically with the Access Point, so I want to transfer both VLANs 40 and 50 tagged)
Untagged -> ether19 (this will be the access port for any of the 2 VLANs depending on which PVID I will give afterwards in its option page)

Current Tagged ether18 (those ports will show up only if you have already made the cable connections between the router and the switch)
ether17

3a. Go to the Ports tab and edit port 18 (the one physically connected to pfSense) and port 17 (the one I want to physically connect with the Access Point, so it has to contain the same VLANs as port 18, which are vlan10 vlan) and change the option Bridge -> BridgeVlans (the new one you created).

3b. Go to port 19 (that will be the access port) and change the option Bridge -> BridgeVlans (the new one you created) and PVID to
40 if you want each device connected to port 17 to be assigned the vlan40 IP segment range (for example 192.168.40.0/24), or set it to 50 if you want each device connected to port 19
to be assigned the vlan50 IP segment range (for example 172.16.50.0/24).

4. Last but not least, go to the newly created bridge (bridgeVlans for me) and enable the VLAN Filtering option (Apply and OK)

That's it!!!! Now the Access Point can broadcast both VLANs with their corresponding SSIDs; whatever device I connect to port 19 (my currently only untagged one) will give the connected device the IP according to what PVID number I gave to that port earlier (that would be 40 or 50).


Now the weird (at least for me) things
-bridgevlans traffic from the RouterOS page, both at Tx and Rx, is always 0 even if at that time I am running speedtests / downloading from clients.

-At the VLANs window page it seems that along with bridgevlans which I created with VLAN IDs 40 and 50, one extra shows up with the same name bridgevlans and VLAN ID 1 and Current Untagged ports
bridgevlans, ether18, ether19. Is it because the specific ports have PVID 1? What should I put there?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is it mirror ports what I am looking for?

Fri Apr 21, 2023 3:17 pm

Now the weird (at least for me) things
-bridgevlans traffic from the RouterOS page, both at Tx and Rx, is always 0 even if at that time I am running speedtests / downloading from clients.
The bridge has multiple personalities, very well explained in this article. The traffic stats are about "the switch-facing interface of the router" ... and when other devices communicate with each other and the router only acts as a switch, then the counters will not increase.
Or is it about "the router-facing port of the virtual switch"? But the stats will be pretty static in this case as well.


-At the VLANs window page it seems that along with bridgevlans which I created with VLAN IDs 40 and 50, one extra shows up with the same name bridgevlans and VLAN ID 1 and Current Untagged ports
bridgevlans, ether18, ether19. Is it because the specific ports have PVID 1? What should I put there?
Quite a few settings in /interface/bridge are about "the router-facing port of the virtual switch" ... and the implicit default setting for pvid on any of the bridge ports (including the before-mentioned bridge-facing switch port) is PVID=1. The only way of getting rid of this setting entirely (on trunk ports) is to set the port to "frame-types=admit-only-vlan-tagged" ... and this applies also to "the router-facing port of the virtual switch" ... in which case the PVID setting (either implicit default or explicitly set) is ignored and the port is not added as an untagged port to the VID in question.
 
ieronymous

Re: Is it mirror ports what I am looking for?

Fri Apr 21, 2023 3:35 pm

Quite a few settings in /interface/bridge are about "the router-facing port of the virtual switch" ... and the implicit default setting for pvid on any of the bridge ports (including the before-mentioned bridge-facing switch port) is PVID=1. The only way of getting rid of this setting entirely (on trunk ports) is to set the port to "frame-types=admit-only-vlan-tagged" ... and this applies also to "the router-facing port of the virtual switch" ... in which case the PVID setting (either implicit default or explicitly set) is ignored and the port is not added as an untagged port to the VID in question.
I'll deal with this first, since I didn't get much from what you said about the traffic. So one thing at a time.
I could set the frame-types option as you said at the bridge level and at the port / ports level as well. Default practice here (for my use case scenario; probably there are plenty of ways to implement things) is to ....
-set this option on both bridge and ports (tagged and untagged)
-only on the bridge
-only on the ports (tagged and untagged)
-only on the tagged ports

New edit: OK, I did a little trial and error and noticed that if you set frame-types as admit-only-vlan-tagged, that extra VLAN is still there mentioning ports 17 and 18. After going to each port and setting that parameter as well to admit-only-vlan-tagged, that extra auto-created VLAN disappeared. So was that the right way?

The weird thing is that the info @Buckeye provided above in his post mentions <<Optional step is to set frame-types=admit-only-vlan-tagged on the bridge interface in order to disable the default untagged VLAN 1 (pvid=1).>>. So it dictates only the bridge level, which didn't take care of the auto-created VLAN with PVID 1 issue. How possible is it that that info needs some additional input there to include the tagged ports as well?

By the way, what do you mean with the expression <<router-facing port of the virtual switch>>? In my case, which port would that be?
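The numbered Winbox steps from ieronymous's earlier post (bridge, VLAN entry, port membership, filtering switched on last) together with the frame-types setting discussed in this post, written out as the equivalent RouterOS v6 CLI configuration. This is an added example reconstructed from the thread, not an export from anyone's switch; the bridge name, port numbers and VLAN IDs 40/50 come from the thread, while putting ether19 as an untagged member of VLAN 40 only (to match its pvid=40) and enabling ingress-filtering are my adjustments.

```routeros
# Bridge dedicated to the two VLANs. Leave vlan-filtering off until the
# VLAN table and the port settings below are in place; enabling it with
# an incomplete table is the usual way to lock yourself out of a switch.
/interface bridge
add name=bridgeVlans vlan-filtering=no

# Port membership (Winbox steps 3a/3b).
# ether18: trunk towards pfSense igb2, ether17: trunk towards the UniFi AP.
# frame-types=admit-only-vlan-tagged on the port keeps it out of the
# implicit untagged VLAN 1 (the "extra" bridgevlans entry with VLAN ID 1
# that showed up in Winbox). ingress-filtering=yes drops tagged frames
# for VLANs the port is not a member of (the default is "no" on v6).
/interface bridge port
add bridge=bridgeVlans interface=ether18 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridgeVlans interface=ether17 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# ether19: access port. Untagged frames are placed in VLAN 40 via pvid;
# tagged frames arriving from the client are refused.
add bridge=bridgeVlans interface=ether19 pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table (Winbox step 2). Two entries, so that ether19 is untagged in
# VLAN 40 only; a port should be an untagged member of a single VLAN.
/interface bridge vlan
add bridge=bridgeVlans vlan-ids=40 tagged=ether18,ether17 untagged=ether19
add bridge=bridgeVlans vlan-ids=50 tagged=ether18,ether17

# The bridge interface itself is the "router-facing port of the virtual
# switch" mkx refers to. Refusing untagged frames there removes the bridge
# from the default untagged VLAN 1 as well (the v7 docs' optional step).
/interface bridge
set bridgeVlans frame-types=admit-only-vlan-tagged

# Winbox step 4: turn filtering on last.
/interface bridge
set bridgeVlans vlan-filtering=yes
```

After applying this, `/interface bridge vlan print` should no longer list a dynamic VLAN 1 entry with ether17 and ether18 as current untagged ports. If the AP needs its management traffic untagged on ether17 (the UniFi default Buckeye mentioned), that port would instead need frame-types=admit-all, a pvid for the management VLAN, and an untagged membership in it.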
 
mkx

Re: Is it mirror ports what I am looking for?

Fri Apr 21, 2023 8:57 pm

Did you read (and understand) the article about bridge personalities? If you manage to understand it, you'll understand other details much easier. For example: there's no "bridge level" setting of certain properties, e.g. frame-types. The setting on items in /interface bridge (as opposed to /interface bridge port) is for "router-facing port of the virtual switch" ... and please, do read (and try to understand) the article I linked, it really does explain a lot, including what is "router-facing port of the virtual switch" (I copied the term from that article).
 
Buckeye

Re: Is it mirror ports what I am looking for?

Fri Apr 21, 2023 10:13 pm

In addition to @sindy's first post in RouterOS bridge mysteries explained, referenced by @mkx, you should read the thread Slow Hex file transfer speed; the discussion of frame-types starts with post #7 and goes through post #18.

I have never gotten any feedback from those posts, so perhaps my interpretation is incorrect, but my experiments seem to agree with my interpretation. Note that I made a modification to what @sindy said in the first post of bridge mysteries, and I generally take what @sindy and @mkx say with higher confidence than general posts, so consider the source.

Some day when I get time, I should create a post with configs from an RB5009 as a router with a single non-bridge port configured as a hybrid trunk port connected to an RB760iGS (hEX S) configured as a switch, the same config using an RB260GS (CSS106-5G-1S) SwOS switch in place of the hEX S, and then do the same thing using only the RB5009 bridge and bridge-ports. In other words, a sort of MikroTik vlan rosetta stone. But doing that properly will take multiple hours (at least for me). If I were going to do that, I would probably also show the same config using several other vlan-aware switches I have as well (NetGear GS908E, TP-Link TL-SG108E, TP-Link TL-SG2008 V3), but probably wouldn't post those configs here (maybe put it on Tom Lawrence's forum, which is more vendor agnostic). For a "rosetta stone" with 3 common consumer "smart switches", you can watch Doug Johnson Productions VLANs Part 2 - Configuring Three Ethernet Switches
 
ieronymous

Re: Is it mirror ports what I am looking for?

Sat Apr 22, 2023 1:13 am

Thank you @Buckeye and @mkx for your answers and time. I will read the links you've posted above, but you didn't care to answer about my whole guide though, if it was right. Yes it was; yes, up until that point; you could better implement this like that .... etc.

I don't need to be a MikroTik expert (even though that might happen in time). I occupy myself both at work and at home with many different things in the IT department (including everything about h/w for PCs / laptops / servers, cabling, rack installations, hypervisors, WinServers including ADDS, RDS, ERP / CRM programs, VoIP phone systems (Yealink, 3CX), VPNs, troubleshooting and help-desking for 70 persons in my job and hundreds of customers we have in private schools). I manage to install, monitor, maintain and update all that equipment from different brands (Dell mostly, Aruba Networks, a few Cisco ones but they are going to be replaced due to costs / licensing). Do you know how many people the IT department has? Well, guess again ......... only me, and after 5 years they hired one more to help me because I'm not a Hydra or the goddess Kali having multiple heads and hands.

In conclusion ......
Give a new member some slack and try to help him with what he asks and not <<force>> him to what he needs to study in general. I like to learn things when I need them and not read hundreds of pages just in case I'll need something. That is why I came here in the first place. To ask a couple of questions, get some answers and get involved in the parts I need.
I don't have an attitude in my way of saying all that, but I've noticed this type of answering many times in forums. Old guys care to answer, and even though they have the straight answer they puzzle the forum member even more with links and extra info (when not asked or needed; not in this case though).

Thanks again
 
Buckeye

Re: Is it mirror ports what I am looking for?

Sat Apr 22, 2023 1:35 am

In conclusion ......
Give a new member some slack and try to help him with what he asks and not <<force>> him to what he needs to study in general. I like to learn things when I need them and not read hundreds of pages just in case I'll need something. That is why I came here in the first place. To ask a couple of questions, get some answers and get involved in the parts I need.
I don't have an attitude in my way of saying all that, but I've noticed this type of answering many times in forums. Old guys care to answer, and even though they have the straight answer they puzzle the forum member even more with links and extra info (when not asked or needed; not in this case though).
I am not sure how to respond to that. Perhaps you should sign up with OpenAI and ask ChatGPT if all you want is a "plausible sounding" answer.

It is much easier to make comments on an export than a list of things you did to get to a configuration.

It seems that you said in post #6 that it was working. So perhaps that is all you want, and don't care anything about the why. Different personality types.
 
mkx

Re: Is it mirror ports what I am looking for?

Sat Apr 22, 2023 11:52 am

If I may add to what @Buckeye wrote: personally I always try to answer direct questions with a direct reply. However, when I sense that the person asking the question lacks knowledge of some concept, then I either try to explain that concept ... or I point at a good explanation. Because understanding concepts is sometimes key to understanding the answer to a particular question. Especially so when questions are asked in a tone which indicates that the person asking is trying to understand the subject (as opposed to asking for a recipe).

In the particular case where I jumped in in this thread, I sensed that the OP lacked understanding of the concept of the bridge in ROS (which, BTW, is the case for many users, even if they are not exactly new to ROS). And it would take me a lot to explain for the OP to correctly understand the answer to his question ... and the article by @sindy explains things quite well, so why should I try to do a mediocre job instead of pointing @OP at the article?
 
ieronymous

Re: Is it mirror ports what I am looking for?

Sat Apr 22, 2023 2:02 pm

I am not sure how to respond to that.
Maybe you don't have to respond to how a person feels about something. It is not a psychotherapy forum after all. I just said it; let it go. This conversation won't help others in a technical way.
It is much easier to make comments on an export than a list of things you did to get to a configuration.
True.
It seems that you said in post #6 that it was working. So perhaps that is all you want, and don't care anything about the why. Different personality types.
Yes, that was all I wanted. The fact, though, that it worked doesn't mean that it wouldn't complicate things in long-term usage of this configuration. That is where I'd like you or anyone else to stand and say yes, it works but you'll have these kinds of problems, or nope, you're ok just for that. Isn't that also an answer? Would you be sounding like a ChatGPT bot? In case you think yes, well, I believe you wouldn't. Straight answers are just for humans as well and not a bot thing.

I'll stop here, since continuing this won't make me more knowledgeable in any tech field or something. Thanks again for your time, answers / links.
 
ieronymous

Re: Is it mirror ports what I am looking for?

Sat Apr 22, 2023 2:12 pm

If I may add to what @Buckeye wrote: personally I always try to answer direct questions with a direct reply. However, when I sense that the person asking the question lacks knowledge of some concept, then I either try to explain that concept ... or I point at a good explanation. Because understanding concepts is sometimes key to understanding the answer to a particular question. Especially so when questions are asked in a tone which indicates that the person asking is trying to understand the subject (as opposed to asking for a recipe).

In the particular case where I jumped in in this thread, I sensed that the OP lacked understanding of the concept of the bridge in ROS (which, BTW, is the case for many users, even if they are not exactly new to ROS). And it would take me a lot to explain for the OP to correctly understand the answer to his question ... and the article by @sindy explains things quite well, so why should I try to do a mediocre job instead of pointing @OP at the article?
Totally understandable. Especially the part <<Especially so when questions are asked in a tone which indicates that the person asking is trying to understand the subject (as opposed to asking for a recipe).>> explains why you answered the way you did. Nothing more to say here.

Thank you too.
