Community discussions

 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Mikrotik 3011 VLAN setup voice + data

Mon Oct 29, 2018 2:15 pm

Experts,

I have currently switched from Peplink to Mikrotik and trying to figure out the config for Mikrotik already configured for dual static WAN load balancer with single LAN network. This works just great.

However, I need to start creating vlan for voice and data. The switches I used are Cisco 3560 and Cisco SG200 & SG300. I would like to configure ETH ports as trunks and connect each Mikrotik ETH port as a trunk to a single switch.

On the switch I will configure eaith switchport for single VLAN device or trunkport for phone and computer or phone and other network device. Picture attached.

My understanding would be:

192.168.100.1/24 current LAN network and that would be untagged

VLANS: 180 192.168.180.1/24 voice
170 192.168.179.1/24 data
171 192.168.179.1/24 wifi
172 192.168.172.1/24 printers
173 192.168.173.1/24 guest

I am new to mikrotik and wonder how that configuration would look like, and if this is possible at all. Thank You
You do not have the required permissions to view the files attached to this post.
 
mixig
Member Candidate
Member Candidate
Posts: 255
Joined: Thu Oct 27, 2011 2:19 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Oct 29, 2018 7:18 pm

Try with this:

/interface bridge
add name=bridge vlan-filtering=no

/interface vlan
add interface=bridge name=vlan_170 vlan-id=170
add interface=bridge name=vlan_171 vlan-id=171
add interface=bridge name=vlan_172 vlan-id=172
add interface=bridge name=vlan_173 vlan-id=173

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 vlan-ids=171,172,173,174

/interface bridge port
add interface=ether1 bridge=bridge
add interface=ether2 bridge=bridge
add interface=ether3 bridge=bridge
add interface=ether4 bridge=bridge

/ip address
add address=192.168.100.1/24 interface=bridge network=192.168.100.0
add address=192.168.170.1/24 interface=vlan_170 network=192.168.170.0
add address=192.168.171.1/24 interface=vlan_171 network=192.168.171.0
add address=192.168.172.1/24 interface=vlan_172 network=192.168.172.0
add address=192.168.174.1/24 interface=vlan_173 network=192.168.173.0

/interface bridge set bridge vlan-filtering=yes

P.S. by default PVID for bridge port is pvid=1, if I changed that to pvid=180 I cannot connect to the router any more.
If you are using vlan 180 as untagged/native VLAN on switches I believe it will be OK because traffic will be untagged between mikrotik and switches (vlan 180 is locally on the switch)
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Mon Oct 29, 2018 8:03 pm

Just to give some information about this setup.
It is the old way by using many VLAN.
From 6.41 you can use Bridge aware VLAN.

Se some example here:
viewtopic.php?t=138232
 
User avatar
xvo
Member
Member
Posts: 321
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Mikrotik 3011 VLAN setup voice + data

Tue Oct 30, 2018 12:11 am

Just to give some information about this setup.
It is the old way by using many VLAN.
From 6.41 you can use Bridge aware VLAN.

Se some example here:
viewtopic.php?t=138232
...and the config above is exactly a vlan-aware bridge. Aka "the new way".

"The old way" would be а set of vlan-interfaces on top of each port, then bridged together by separate bridges - one for each vlan.

:)
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Tue Oct 30, 2018 2:18 am

thank you all for info provided here, I will try over the weekend and let you know how it works thank you again
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Tue Oct 30, 2018 8:14 am

I did not see the vlan-filtering=yes at the bottom.

My fault
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Sat Nov 10, 2018 10:52 pm

is this should work?

/interface bridge
add name=bridge vlan-filtering=no

I cannot even type it in terminal, V6.35.4 any thoughts?
 
anav
Forum Veteran
Forum Veteran
Posts: 952
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik 3011 VLAN setup voice + data

Sun Nov 11, 2018 1:56 am

Okay for the setup provided, I see one possible error
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 vlan-ids=171,172,173,174

Should be
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 vlan-ids=170, 171,172,173

To answer your question BEFORE YOU START configuring the router put into SAFE MODE!!!!
Best strategy as outlined is start with the bridge vlan filtering set to off (which is I believe the default).
Once you have completed the setup, the very last step is to check the box for bridge vlan filtering.
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Sun Nov 11, 2018 2:07 am

How to make that port to be workinglike trunk, in cisco it clear 4 - 5 lines of code and done here is tragedy
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Sun Nov 11, 2018 3:26 am

This my config:

# nov/09/2018 18:07:53 by RouterOS 6.35.4
# software id = Z0NI-ZVVR
#
/interface bridge
add name=trunk
/interface ethernet
set [ find default-name=ether6 ] name=LAN
set [ find default-name=ether2 ] name=WAN-Cable
set [ find default-name=ether3 ] name=WAN-DHCP
set [ find default-name=ether1 ] name=WAN-Fiber
set [ find default-name=ether10 ] name=ether7

set [ find default-name=ether7 ] name=ether7-LAN
/interface vlan
add interface=trunk name="vlan 169 CAMS" vlan-id=169
add interface=trunk name="vlan 180 VOICE" vlan-id=180
/ip pool
add name=dhcp-pool ranges=192.168.168.50-192.168.168.254
add name=dhcp-voice ranges=192.168.180.100-192.168.180.200
add name=cams ranges=192.168.169.2-192.168.169.100
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=dhcp-pool disabled=no interface=LAN lease-time=24m name=\
dhcp-lan
add address-pool=dhcp-voice disabled=no interface="vlan 180 VOICE" \
lease-time=24m name=dhcp-voice
add address-pool=cams disabled=no interface="vlan 169 CAMS" lease-time=24m \
name=dhcp-cams
/interface bridge port
add bridge=trunk interface=LAN
/ip address
add address=192.168.168.1/24 interface=LAN network=192.168.168.0
add address=192.168.180.0/24 interface="vlan 180 VOICE" network=192.168.180.0
add address=192.168.169.1/24 interface="vlan 169 CAMS" network=192.168.169.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=WAN-Fiber use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=WAN-Cable use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.168.1 \
netmask=24
add address=192.168.169.0/25 dns-server=8.8.8.8 gateway=192.168.169.1 \
netmask=24
add address=192.168.180.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.180.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=WAN-Fiber protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN-Cable protocol=udp
add action=drop chain=input dst-port=53 in-interface=WAN-Fiber protocol=tcp
add action=drop chain=input dst-port=53 in-interface=WAN-Cable protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new \
new-connection-mark=WAN1 nth=2,1 src-address=192.168.168.0/24
add action=mark-connection chain=prerouting connection-state=new \
new-connection-mark=WAN2 nth=2,2 src-address=192.168.168.0/24
add action=mark-routing chain=prerouting connection-mark=WAN1 \
new-routing-mark=WAN1 src-address=192.168.168.0/24
add action=mark-routing chain=prerouting connection-mark=WAN2 \
new-routing-mark=WAN2 src-address=192.168.168.0/24
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.168.0/24
/ip route
add distance=1 gateway=WAN gateway routing-mark=WAN1
add distance=1 gateway=WAN-cable-IP routing-mark=WAN2
add distance=1 gateway=192.168.180.1
add disabled=yes distance=1 gateway=WAN gateway
add disabled=yes distance=2 gateway=WAN-cable-IP
/system clock
set time-zone-name=America/Chicago
/system routerboard settings
set protected-routerboot=disabled

what only works is

interface GigabitEthernet3/0/4
switchport access vlan 169
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast
!

from:

vlan 169,180
!
!
!
interface GigabitEthernet3/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet3/0/2
switchport access vlan 180
switchport mode access
!
interface GigabitEthernet3/0/3
switchport mode access
!
interface GigabitEthernet3/0/4
switchport access vlan 169
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast
!
interface GigabitEthernet3/0/5
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast

there is something wrong with tagged vlan 1 ...............
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Sun Nov 11, 2018 8:38 am

# nov/09/2018 18:07:53 by RouterOS 6.35.4
You are running a router that does have a big security risk.
Do upgrade before you do any more configuration.
When you go above 6.41 you do also get the then VLAN aware bridges.
So again, do UPGRADE.

Read this post:
viewtopic.php?f=21&t=140165
 
anav
Forum Veteran
Forum Veteran
Posts: 952
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik 3011 VLAN setup voice + data

Sun Nov 11, 2018 7:35 pm

Concur, upgrade to the latest config and then we can talk apples to apples.
I did have some observations though to think about.
What is the difference beween WAN Cable and WAN DHCP and WAN FIBER
Can you describe these in more detail?? ( I can understand WAN cable and WAN fiber but what the heck is WAN DHCP???)

Also why did you take ether10 and name it ether7 that is very confusing????
Then you took ether7 and renamed it ether7-LAN, also very confusing??
What is being accomplished by this twisted nomenclature??

Your bridge ports are screwed up.
They should simply include a list of the physical interface you want on the bridge.

Your sourcenat rule needs work and your are missing one of the WANS anyway.

Your IP firewall filter rules are missing many necessary rules.

I would have to look at your mangle and routing rules after all the above is sorted out.
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 12, 2018 4:36 am

I am sorry for the confusion in my earlier config. I update the OS and did config from scratch.

Here is my config:
# nov/11/2018 14:19:12 by RouterOS 6.43.4
# software id = Z0NI-ZVVR
#
# model = RouterBOARD 3011UiAS
# serial number = 71A00530D6DD
/interface bridge
add dhcp-snooping=yes fast-forward=no name=localnetwork
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-Fiber
set [ find default-name=ether2 ] name=ether2-WAN-Cable
set [ find default-name=ether6 ] name=ether6-LAN
/interface vlan
add interface=localnetwork name=vlan_169_cams vlan-id=169
add interface=localnetwork name=vlan_170_dispatch vlan-id=170
add interface=localnetwork name=vlan_180_voice vlan-id=180
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan-dhcp ranges=192.168.168.50-192.168.168.220
add name=vlan-voice ranges=192.168.180.50-192.168.180.100
add name=vlan-cams ranges=192.168.169.2-192.168.169.10
add name=vlan-dispatch ranges=192.168.170.50-192.168.170.100
/ip dhcp-server
add address-pool=lan-dhcp disabled=no interface=localnetwork name=lan-dhcp
add address-pool=vlan-voice disabled=no interface=vlan_180_voice lease-time=\
    24m name=vlan-voice
add address-pool=vlan-cams disabled=no interface=vlan_169_cams lease-time=24m \
    name=vlan-cams
add address-pool=vlan-dispatch disabled=no interface=vlan_170_dispatch \
    lease-time=24m name=vlan-dispatch-dhcp
/interface bridge port
add bridge=localnetwork interface=ether6-LAN
/interface bridge vlan
add bridge=localnetwork tagged=localnetwork untagged=\
    vlan_169_cams,vlan_170_dispatch,vlan_180_voice vlan-ids=180,169,170
/ip address
add address=192.168.168.1/24 interface=localnetwork network=192.168.168.0
add address=50.238.23.x/29 interface=ether1-WAN-Fiber network=\
    50.238.x.x
add address=96.70.x.x/29 interface=ether2-WAN-Cable network=96.70.x.x
add address=192.168.180.1/24 interface=vlan_180_voice network=192.168.180.0
add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0
add address=192.168.169.1/24 interface=vlan_170_dispatch network=\
    192.168.169.0
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.168.1 \
    netmask=24
add address=192.168.169.0/24 dns-server=8.8.8.8 gateway=192.168.169.1 \
    netmask=24
add address=192.168.170.0/24 dns-server=8.8.8.8 gateway=192.168.170.1 \
    netmask=24
add address=192.168.180.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.180.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=ether1-WAN-Fiber new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=ether2-WAN-Cable new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan1 new-routing-mark=\
    wan1-out passthrough=yes
add action=mark-routing chain=output connection-mark=wan2 new-routing-mark=\
    wan2-out passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
    dst-address-type=!local in-interface=localnetwork new-connection-mark=\
    wan1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=new \
    dst-address-type=!local in-interface=localnetwork new-connection-mark=\
    wan2 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=wan1 in-interface=\
    localnetwork new-routing-mark=wan1output passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2 in-interface=\
    localnetwork new-routing-mark=wan2output passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN-Fiber
add action=masquerade chain=srcnat out-interface=ether2-WAN-Cable
/ip route
add check-gateway=ping distance=1 gateway=50.238.x.x routing-mark=\
    wan1output
add check-gateway=ping distance=2 gateway=96.70.x.x routing-mark=\
    wan2output
add check-gateway=ping distance=1 gateway=50.238.x.x
add check-gateway=ping distance=2 gateway=96.70.x.x
/system clock
set time-zone-name=America/Chicago
/system routerboard settings
set silent-boot=no
WAN1 = Fiber = 50.238.x.x
WAN2 = Cable=96.70.x.x

now it should be more visible what is what so I did not have a chance to test loadbalance yet,but at least my vlans with cisco catalyst work partially, of course vlan filtering OFF !!!!!!!!!!!!!!!!!
oherwise it would not work,

vlan 169,180
!
!
!
interface GigabitEthernet3/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet3/0/2 THIS WORKSWHEN PLUGGED LAPTOP HAS 180 IP
switchport access vlan 180
switchport mode access
!

interface GigabitEthernet3/0/3 THIS DOES NOW WORK!!!!!!!!!!!!!!!!
switchport mode access
!
interface GigabitEthernet3/0/4 THIS WORKS WHEN PLUGGED LAPTOP HAVE 169 IP
switchport access vlan 169
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast
!
interface GigabitEthernet3/0/5 THIS WORKS WHEN PLUGGED LAPTOP HAVE 168 IP
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast

interface GigabitEthernet3/0/6   works ok when plugged laptop have 168 ip
OF COURSE next step would be to plug phone to

switchport access vlan 169
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast

and I should get on the phone 180 ip and on the laptop 169 ip but i will check that later. Also next step would be to check that on SG200 cisco.

With load balance voip is not going work since it should be prioritize to use only with WAN - fiber - is there a way to achieve that?

once again thank you allforhelp here,
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 12, 2018 8:32 am

As far as I do understand VLAN on the Mikrotik.
When you connect VLAN to the Bridge, you need VLAN filtring ON.
Or else it does not underestand that you have more than one VLAN.

I do not see what interface VLAN 180,169, and 170 is connected to.

You may try some like this. Interface bridge vlan does connects to ports and bridge, not to the VLAN itself
/interface bridge vlan
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=169
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=170
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=180
Since all are equal, this may be shorten to some like this: (not testet so can not confirm this)
/interface bridge vlan
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=169,170,180
Now VLAN 1 should came untagged on port 6 and vlan 169.170 and 180 tagged on port 6

See my post at 9:15am here: viewtopic.php?t=138232
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 12, 2018 9:33 am

You have the same IP for voice and dispatch in your config.
Here is a visio layout with VLAN filter on for the bridge.
.
sprintership.jpg
You do not have the required permissions to view the files attached to this post.
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Tue Nov 13, 2018 12:15 am

Thank you for replying, my point was having tagged vlan 1, and untagged 169,170 & 180,

vlan 1 = 192.168.168.1/24 for management
vlan 169 192.168.169.0/24 for data
vlan 170 192.168.170.0/24 for dispatch
vlan 180 192.168.180.0/24 for voice

I have in that way on Peplink and all worked fine. I connected Polycom phone to the cisco port and have phone on voice - 180 vlan and my laptop having vlan 170 so I think its ok
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Tue Nov 13, 2018 7:59 am

You can only have one untagged VLAN pr port, so to help you, list what port you like to have what VLAN (both tagged and untagged)
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Wed Nov 14, 2018 2:39 am

should be fixed:
# nov/13/2018 18:29:21 by RouterOS 6.43.4
# software id = Z0NI-ZVVR
#
# model = RouterBOARD 3011UiAS
# serial number = 71A00530D6DD
/interface bridge
add dhcp-snooping=yes fast-forward=no name=localnetwork vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-Fiber
set [ find default-name=ether2 ] name=ether2-WAN-Cable
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN
/interface vlan
add interface=localnetwork name=vlan_169_cams vlan-id=169
add interface=localnetwork name=vlan_170_dispatch vlan-id=170
add interface=localnetwork name=vlan_180_voice vlan-id=180
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s \
pfs-group=none
/ip pool
add name=lan-dhcp ranges=192.168.168.50-192.168.168.220
add name=vlan-voice ranges=192.168.180.50-192.168.180.100
add name=vlan-cams ranges=192.168.169.2-192.168.169.10
add name=vlan-dispatch ranges=192.168.170.50-192.168.170.100
add name=VPN-L2tp ranges=10.10.10.10-10.10.10.30
/ip dhcp-server
add address-pool=lan-dhcp disabled=no interface=localnetwork name=lan-dhcp
add address-pool=vlan-voice disabled=no interface=vlan_180_voice lease-time=\
24m name=vlan-voice
add address-pool=vlan-cams disabled=no interface=vlan_169_cams lease-time=24m \
name=vlan-cams
add address-pool=vlan-dispatch disabled=no interface=vlan_170_dispatch \
lease-time=24m name=vlan-dispatch-dhcp
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=10.10.10.1 name=VPN-L2TP \
remote-address=VPN-L2tp use-encryption=required
/interface bridge port
add bridge=localnetwork interface=ether6-LAN
add bridge=localnetwork interface=ether7-LAN
/interface bridge vlan
add bridge=localnetwork tagged=vlan_169_cams,vlan_170_dispatch,vlan_180_voice \
untagged=localnetwork vlan-ids=169,170,180
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=VPN-L2TP enabled=yes \
keepalive-timeout=disabled
/ip address
add address=192.168.168.1/24 interface=localnetwork network=192.168.168.0
add address=50.238/29 interface=ether1-WAN-Fiber network=\
50.238
add address=96.70/29 interface=ether2-WAN-Cable network=96.70
add address=192.168.180.1/24 interface=vlan_180_voice network=192.168.180.0
add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0
add address=192.168.169.1/24 interface=vlan_170_dispatch network=\
192.168.169.0
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.168.1 \
netmask=24
add address=192.168.169.0/24 dns-server=8.8.8.8 gateway=192.168.169.1 \
netmask=24
add address=192.168.170.0/24 dns-server=8.8.8.8 gateway=192.168.170.1 \
netmask=24
add address=192.168.180.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.180.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new \
in-interface=ether1-WAN-Fiber new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
in-interface=ether2-WAN-Cable new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan1 new-routing-mark=\
wan1-out passthrough=yes
add action=mark-routing chain=output connection-mark=wan2 new-routing-mark=\
wan2-out passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=localnetwork new-connection-mark=\
wan1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-state=new \
dst-address-type=!local in-interface=localnetwork new-connection-mark=\
wan2 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=wan1 in-interface=\
localnetwork new-routing-mark=wan1output passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2 in-interface=\
localnetwork new-routing-mark=wan2output passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN-Fiber
add action=masquerade chain=srcnat out-interface=ether2-WAN-Cable
add action=masquerade chain=srcnat comment="NAT L2TP/IPSEC" src-address=\
10.10.10.0/24
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override \
passive=yes secret=12345
/ip route
add check-gateway=ping distance=1 gateway=50.238. routing-mark=\
wan1output
add check-gateway=ping distance=2 gateway=96.70. routing-mark=\
wan2output
add check-gateway=ping distance=1 gateway=50.238.
add check-gateway=ping distance=2 gateway=96.70.
/lcd
set time-interval=daily
/ppp secret
add name=test password=test profile=VPN-L2TP service=l2tp
/system clock
set time-zone-name=America/Chicago
/system routerboard settings
set silent-boot=no
I will check this with cisco catalyst. theoretically all should be ok now, I dont know but I have feeling like that load balance does not work properly, most data goes thought Cable ISP which is a way slower, also ideally would be send all traffic http https + voip only thought Fiber isp
I have ipsec vpn setup but I can connect to the WAN IP but later cannot access any internal resources.
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Wed Nov 14, 2018 5:09 am

i just tested with cisco catalyst and looks like after disabling vlan filtering on bridge = localnetwork ports with above configuration works fine, when I enable vlan filtering nothing works
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Wed Nov 14, 2018 8:03 am

This is the wrong part
/interface bridge vlan
add bridge=localnetwork tagged=vlan_169_cams,vlan_170_dispatch,vlan_180_voice \
untagged=localnetwork vlan-ids=169,170,180
You are connecting the Bridge/Vlan to the VLAN interface. It should be connected to the physical Interfaces .

You need to list what Vlan you like to get out of interface 6 and 7
Eks
Untagged vlan 1
Tagged 168,170, 180
If that is the case it should be
/interface bridge vlan
add bridge=localnetwork tagged=localnetwork, ether6-LAN, ether7-LAN vlan-ids=169,170,180
Bridge localnetwork need to be tagged as well.


You still have the same IP on VLAN 169 and 170. That does not work.
add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0
add address=192.168.169.1/24 interface=vlan_170_dispatch network=192.168.169.0
Change to
add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0
add address=192.168.170.1/24 interface=vlan_170_dispatch network=192.168.170.0
II also suggest that your Router is DNS for all network. And netmask is missing for your 180.0/24 network.
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=192.168.168.1 gateway=192.168.168.1 netmask=24
add address=192.168.169.0/24 dns-server=192.168.168.1 gateway=192.168.169.1 netmask=24
add address=192.168.170.0/24 dns-server=192.168.168.1 gateway=192.168.170.1 netmask=24
add address=192.168.180.0/24 dns-server=192.168.168.1 gateway=192.168.180.1 netmask=24
Updated Viso:
sprintership2.jpg
You do not have the required permissions to view the files attached to this post.
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Fri Nov 16, 2018 4:03 am

I see now "You are connecting the Bridge/Vlan to the VLAN interface. It should be connected to the physical Interfaces"

But regarding load balance and all mangle rules I think that configuration does not work like it should. There are many examples but from what I see not all of them works like they are saying. Do you know by a chance a good working load balance example fitting my configuration?

thank you for your help here
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Fri Nov 16, 2018 7:37 am

I see now "You are connecting the Bridge/Vlan to the VLAN interface. It should be connected to the physical Interfaces"
This is the correct way to do it for the new Vlan aware Bridge configuration in Router OS 6.41 or larger.

VLAN connects to Bridge
Bridge/Vlan connects to Bridge

Older version og Router OS you connected the VLAN to the physical Interface.
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Fri Nov 16, 2018 8:10 pm

i have added:

/interface bridge vlan
add bridge=localnetwork tagged=localnetwork, ether6-LAN, ether7-LAN vlan-ids=169,170,180

this works just fine, but when I try to add:

/interface bridge vlan
add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0 I have bad command name add (line 1 collumn1) I dont think I should add this line under interface bridge vlan

I think it should be
/interface vlan
add name=vlan_169_cams vlan-id=169 interface=ether6-LAN disabled=no
in thgis case yeaaaa vlan_169_cams is created under physical intyerfcace of ether6-LAN

let me know if I am on the right route
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Fri Nov 16, 2018 10:24 pm

If I have 6.43.4 my vlan supposed to be configured under bridge called localnetwork not under physical interface ethr6-LAN. Based on:

VLAN connects to Bridge
Bridge/Vlan connects to Bridge

Older version og Router OS you connected the VLAN to the physical Interface.

I should have all vlan listed under bridged > localnetworks not like now:

ether6-LAN> vlans
/interface bridge
add fast-forward=no name=localnetwork
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN
/interface vlan
add interface=ether6-LAN name=vlan_169_cams vlan-id=169
add interface=ether6-LAN name=vlan_170_dispatch vlan-id=170
add interface=ether6-LAN name=vlan_171_acct vlan-id=171
add interface=ether6-LAN name=vlan_172_printers vlan-id=172
add interface=ether6-LAN name=vlan_173_warehouse vlan-id=173
add interface=ether6-LAN name=vlan_180_voice vlan-id=180
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan-pool ranges=192.168.168.50-192.168.168.200
add name=vlan170-pool ranges=192.168.170.50-192.168.170.100
add name=vlan169-pool ranges=192.168.169.20-192.168.169.50
add name=vlan180-pool ranges=192.168.180.50-192.168.180.100
add name=vlan171-pool ranges=192.168.171.50-192.168.171.100
add name=vlan172-pool ranges=192.168.172.50-192.168.172.100
add name=vlan173-pool ranges=192.168.173.50-192.168.173.100
/ip dhcp-server
add address-pool=lan-pool disabled=no interface=localnetwork lease-time=24m \
name=dhcp1-localLAN
add address-pool=vlan169-pool disabled=no interface=vlan_169_cams lease-time=\
24m name=dhcp_vlan169
add address-pool=vlan170-pool disabled=no interface=vlan_170_dispatch \
lease-time=24m name=dhcp_vlan170
add address-pool=vlan171-pool disabled=no interface=vlan_171_acct lease-time=\
24m name=dhcp_vlan171
add address-pool=vlan172-pool disabled=no interface=vlan_172_printers \
lease-time=24m name=dhcp_vlan172
add address-pool=vlan180-pool disabled=no interface=vlan_180_voice \
lease-time=24m name=dhcp_vlan180
/interface bridge port
add bridge=localnetwork interface=ether6-LAN
add bridge=localnetwork interface=ether7-LAN
/interface bridge vlan
add bridge=localnetwork tagged=localnetwork,ether6-LAN,ether7-LAN vlan-ids=\
169,170,171,172,173,180
/ip address
add address=50.238.x.x/29 interface=ether1-WAN1 network=50.238.x.x
add address=96.70.x.x/29 interface=ether2-WAN2 network=96.70.x.x
add address=192.168.168.1/24 interface=localnetwork network=192.168.168.0
add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0
add address=192.168.170.1/24 interface=vlan_170_dispatch network=\
192.168.170.0
add address=192.168.171.1/24 interface=vlan_171_acct network=192.168.171.0
add address=192.168.172.1/24 interface=vlan_172_printers network=\
192.168.172.0
add address=192.168.173.1/24 interface=vlan_173_warehouse network=\
192.168.173.0
add address=192.168.180.1/24 interface=vlan_180_voice network=192.168.180.0
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=192.168.168.1 gateway=192.168.168.1
add address=192.168.169.0/24 dns-server=192.168.169.1 gateway=192.168.169.1 \
netmask=24
add address=192.168.170.0/24 dns-server=192.168.170.1 gateway=192.168.170.1 \
netmask=24
add address=192.168.171.0/24 dns-server=192.168.171.1 gateway=192.168.171.1 \
netmask=24
add address=192.168.172.0/24 dns-server=192.168.172.1 gateway=192.168.172.1 \
netmask=24
add address=192.168.173.0/24 dns-server=192.168.173.1 gateway=192.168.173.1 \
netmask=24
add address=192.168.180.0/24 dns-server=192.168.180.1 gateway=192.168.180.1 \
netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1-WAN1 \
new-connection-mark=WAN1_connmark passthrough=yes
add action=mark-connection chain=input in-interface=ether2-WAN2 \
new-connection-mark=WAN2_connmark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_connmark \
new-routing-mark=ke_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_connmark \
new-routing-mark=ke_WAN2 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=localnetwork new-connection-mark=WAN1_connmark passthrough=\
yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!multicast \
in-interface=localnetwork new-connection-mark=WAN2_connmark passthrough=\
yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_connmark \
in-interface=localnetwork new-routing-mark=ke_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_connmark \
in-interface=localnetwork new-routing-mark=ke_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN1
add action=masquerade chain=srcnat out-interface=ether2-WAN2
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=ke_WAN1
add distance=1 gateway=10.20.30.1 routing-mark=ke_WAN1
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=ke_WAN2
add distance=2 gateway=10.20.30.2 routing-mark=ke_WAN2
add distance=1 dst-address=8.8.8.8/32 gateway=50.238.x.x scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=96.70.x.x scope=10
add check-gateway=ping distance=1 dst-address=10.20.30.1/32 gateway=8.8.8.8 \
scope=10
add check-gateway=ping distance=1 dst-address=10.20.30.2/32 gateway=8.8.4.4 \
scope=10
/system routerboard settings
set silent-boot=no
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Fri Nov 16, 2018 10:26 pm

I have attached picture my current vlans under bridge:

current tagged and untagged, if I can have only 192.168.168.1 untagged and rest vlans untagged this is still wrong according to this picture
You do not have the required permissions to view the files attached to this post.
 
anav
Forum Veteran
Forum Veteran
Posts: 952
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik 3011 VLAN setup voice + data

Fri Nov 16, 2018 10:39 pm

Why would you not add the vlan to the bridge interface when identifying the VLAN (and not eth6)
Eth6 is already identified as a bridge port is it not?

you have it all wrong from the way I set up vlans.
All my vlans are identifed with the bridge interface when I make them
All the etherports that carry vlans are identified as bridge ports.
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Fri Nov 16, 2018 11:10 pm

 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Sat Nov 17, 2018 1:14 am

ok please look at the picture attached to this reply, simply where should I include my all vlans?

Under Bridge where I have local network bridge and ether6-LAN & ether7-LAN (physical all included) or under ether-LAN6 or ether-LAN7 ????????

Reading hundreds reply from both posts and with new 6.41 UP I can use that localnetwork bridge and place all valns exactly under that bridge - am I correct?
You do not have the required permissions to view the files attached to this post.
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Sat Nov 17, 2018 2:48 am

thats how vlans under bridge localnetworks looks like now: please look at picture, I can have only one utagged vlan per port / vlan - yes I do have and I have other vlans tagged

is this correct now?
You do not have the required permissions to view the files attached to this post.
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Sat Nov 17, 2018 10:56 am

No, its not correct.

1. VLAN connects to Bridges.
2. Bridge Vlan tells how VLAN are handled withint the bridge,
3. Pvid tells what untaged VLAN should be on the port.

All VLAN needs to be tagged in the Bridge (localnetwork) except one.
You have told that all VLAN in the Bridge should be untagged.

If your goal is.
2 outside network.
2 lan if (eth6 and 7) where 192.168.168.0/24 is your untagged VLAN and these goes out tagged 169,170,171,172,173,180


The Bridge setup with vlan-filtering on so it handles VLAN
/interface bridge
add fast-forward=no name=localnetwork vlan-filtering=yes
Interfaces
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN
Vlan connected to the Bridge, not the interfaces (old way)
/interface vlan
add interface=localnetwork name=vlan_169_cams vlan-id=169
add interface=localnetwork name=vlan_170_dispatch vlan-id=170
add interface=localnetwork name=vlan_171_acct vlan-id=171
add interface=localnetwork name=vlan_172_printers vlan-id=172
add interface=localnetwork name=vlan_173_warehouse vlan-id=173
add interface=localnetwork name=vlan_180_voice vlan-id=180
All VLAN tagged in the bridge and on the interfaces.
add bridge=localnetwork tagged=localnetwork,ether6-LAN,ether7-LAN vlan-ids=169,170,171,172,173,180
This is correct from your config
/ip address
add address=50.238.x.x/29 interface=ether1-WAN1 network=50.238.x.x
add address=96.70.x.x/29 interface=ether2-WAN2 network=96.70.x.x
add address=192.168.168.1/24 interface=localnetwork network=192.168.168.0
add address=192.168.169.1/24 interface=vlan_169_cams network=192.168.169.0
add address=192.168.170.1/24 interface=vlan_170_dispatch network=192.168.170.0
add address=192.168.171.1/24 interface=vlan_171_acct network=192.168.171.0
add address=192.168.172.1/24 interface=vlan_172_printers network=192.168.172.0
add address=192.168.173.1/24 interface=vlan_173_warehouse network=192.168.173.0
add address=192.168.180.1/24 interface=vlan_180_voice network=192.168.180.0
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Sun Nov 18, 2018 5:21 am

I think its either broken mikrotik piece or cisco switch since this:

/interface bridge vlan
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=169
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=170
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=180

does not work, if I check from cli and winbox there are two different things ........ lets stop this nightmare here since I am about to give up and probably give a try something easier than this. Iw as able to set up cisco ASA with catalyst and vlans are working just fine, so I want to believe its me not mikrotik but who knows ..........where is the devil its just too much time

Now I want to apologize piece of shit I called the other day peplink but for its simplicity is a king here

You either have a tagged vlan or you don't. You just push those around to whatever port you want them to go, and they go there. There's a little bit more to it than that in areas, but basically that's all it is.

I would really like to see this idea of a "native" vlan in MikroTik, because it's an easy concept to grasp, especially on a trunk link between devices (ISL as it's called). Or to an edge port for a device that wants tagged traffic.

I never wanted to know if the CPU has to "deal with it" or not, although I suppose on smaller not so integrated devices it's a pretty important thing to know.

Sindy or netflow (or anyone) - is this explanation valid for both SwOS and RouterOS? I really need to dig deeper into vlan config and trunk ports in MikroTik despite my incredulity at the complexity of it. Hopefully it will make more sense once I practice at it.
Last edited by sprintership on Sun Nov 18, 2018 3:33 pm, edited 1 time in total.
 
anav
Forum Veteran
Forum Veteran
Posts: 952
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik 3011 VLAN setup voice + data

Sun Nov 18, 2018 5:36 am

I can understand your confusion.
I am tired for this evening but will put fresh eyes on it tomorrow!
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Sun Nov 18, 2018 10:29 am

This:
/interface bridge vlan
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=169
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=170
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=180
Can be shorten to:
/interface bridge vlan
add bridge=localnetwork tagged=localnetwork,ether6-LAN vlan-ids=169,170,180
An it tells that the bridge (localnetwork) will sends out VLAN (169,170,180) tagged to the bridge and interface 6.

Redo your first drawing and port number to it. Also add what equipment are on the other side of the trunk link and how these device needs VLAN configuration..
 
anav
Forum Veteran
Forum Veteran
Posts: 952
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik 3011 VLAN setup voice + data

Sun Nov 18, 2018 6:58 pm

The main changes are using the localnetwork as the parent interface for vlans and as jotne pointed out, configuring one bridge vlan entry. Just not sure why he excluded eth7, it should be included. This should work for your vlan.
All the DHCP stuff seemed good.
I didnt venture into your route rules or your mangle rules which are often problem areas.

/interface bridge
add fast-forward=no name=localnetwork
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN
/interface vlan
add interface=localnetwork name=vlan_169_cams vlan-id=169
add interface=localnetwork name=vlan_170_dispatch vlan-id=170
add interface=localnetwork name=vlan_171_acct vlan-id=171
add interface=localnetwork name=vlan_172_printers vlan-id=172
add interface=localnetwork name=vlan_173_warehouse vlan-id=173
add interface=localnetwork name=vlan_180_voice vlan-id=180
/interface bridge port
add bridge=localnetwork interface=ether6-LAN
add bridge=localnetwork interface=ether7-LAN
/interface bridge vlan
add bridge=localnetwork tagged=localnetwork,ether6-LAN,ether7-LAN vlan-ids=\
169,170,171,172,173,180
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 2:40 am

okay, I redo the diagram and using only local lan and vlan for simplicity so erasing all config:

bridge1 - 192.168.168.1/24 lets say this can be management VLAN,
v169 - 192.168.169.1/24
v170 - 192.168.170.1/24
v171 -192.168.171.1/24
v172 - 192.168.172.1/24
v173 - 192.168.173.1/24
v180-192.168.180.1/24 as voice vlan, rest vlan names are irrelevant so lets use just v<number>

preparing a diagram and basic config ............
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 3:13 am

this is my new configuration I build:
[admin@MikroTik] > 
[admin@MikroTik] > 
[admin@MikroTik] > 
[admin@MikroTik] > 
[admin@MikroTik] > interface bridge 
[admin@MikroTik] /interface bridge> add fast-forward=no name=bridge1 vlan-filtering=no
[admin@MikroTik] /interface bridge> /
[admin@MikroTik] > interface ethernet 
[admin@MikroTik] /interface ethernet> set [ find default-name=ether6 ] name=ether6-LAN
[admin@MikroTik] /interface ethernet> set [ find default-name=ether7 ] name=ether7-LAN  
[admin@MikroTik] /interface ethernet> /
[admin@MikroTik] > interface vlan
[admin@MikroTik] /interface vlan> add interface=bridge1 name=vlan169 vlan-id=169
[admin@MikroTik] /interface vlan> add interface=bridge1 name=vlan170 vlan-id=170  
[admin@MikroTik] /interface vlan> add interface=bridge1 name=vlan171 vlan-id=171 
[admin@MikroTik] /interface vlan> add interface=bridge1 name=vlan172\ vlan-id=172 
[admin@MikroTik] /interface vlan> add interface=bridge1 name=vlan172 vlan-id=172 
failure: already have interface with such name
[admin@MikroTik] /interface vlan> add interface=bridge1 name=vlan173 vlan-id=173 
[admin@MikroTik] /interface vlan> add interface=bridge1 name=vlan180 vlan-id=180  
[admin@MikroTik] /interface vlan> 
[admin@MikroTik] /interface vlan> 
[admin@MikroTik] /interface vlan> 
[admin@MikroTik] /interface vlan> /       
[admin@MikroTik] > interface bridge vlan
[admin@MikroTik] /interface bridge vlan> add bridge=bridge1 tagged=bridge1,ether6-LAN,ether7-LAN vlan-ids=169,170,171,172,173,180
[admin@MikroTik] /interface bridge vlan> /
[admin@MikroTik] > interface bridge 
[admin@MikroTik] /interface bridge> add vlan-filtering=yes
[admin@MikroTik] /interface bridge> 
[admin@MikroTik] /interface bridge> 
[admin@MikroTik] /interface bridge> 
[admin@MikroTik] /interface bridge> /
[admin@MikroTik] > ip address 
[admin@MikroTik] /ip address> add address=192.168.168.1/24 interface=bridge1 network=192.168.168.0
[admin@MikroTik] /ip address> add address=192.168.169.1/24 interface=vlan169  network=192.168.169.0    
[admin@MikroTik] /ip address> add address=192.168.170.1/24 interface=vlan170  network=192.168.170.0      
[admin@MikroTik] /ip address> add address=192.168.171.1/24 interface=vlan171  network=192.168.171.0   
[admin@MikroTik] /ip address> add address=192.168.172.1/24 interface=vlan172  network=192.168.172.0   
[admin@MikroTik] /ip address> add address=192.168.173.1/24 interface=vlan173  network=192.168.173.0   
[admin@MikroTik] /ip address> add address=192.168.180.1/24 interface=vlan180  network=192.168.180.0      
[admin@MikroTik] /ip address> 
[admin@MikroTik] /ip address> 
[admin@MikroTik] /ip address> 
[admin@MikroTik] /ip address> /
[admin@MikroTik] > ip pool        
[admin@MikroTik] /ip pool> 

[admin@MikroTik] /ip pool> add name=lan ranges=192.168.168.50-192.168.168.100  
[admin@MikroTik] /ip pool> add name=v169 ranges=192.168.169.50-192.168.169.100     
[admin@MikroTik] /ip pool> add name=v170 ranges=192.168.170.50-192.168.170.100       
[admin@MikroTik] /ip pool> add name=v171 ranges=192.168.171.50-192.168.171.100   
[admin@MikroTik] /ip pool> add name=v172 ranges=192.168.172.50-192.168.172.100   
[admin@MikroTik] /ip pool> add name=v173 ranges=192.168.173.50-192.168.173.100   
[admin@MikroTik] /ip pool> add name=v180 ranges=192.168.180.50-192.168.180.100      
[admin@MikroTik] /ip pool> 
[admin@MikroTik] /ip pool> /
[admin@MikroTik] > ip dhcp-server 


[admin@MikroTik] /ip dhcp-server network> add address=192.168.169.0/24 gateway=192.168.169.1 dns-server=192.168.169.1
[admin@MikroTik] /ip dhcp-server network> add address=192.168.170.0/24 gateway=192.168.170.1 dns-server=192.168.170.1       
[admin@MikroTik] /ip dhcp-server network> add address=192.168.168.0/24 gateway=192.168.168.1 dns-server=192.168.168.1       
failure: such network already exists
[admin@MikroTik] /ip dhcp-server network> add address=192.168.171.0/24 gateway=192.168.171.1 dns-server=192.168.171.1      
[admin@MikroTik] /ip dhcp-server network> add address=192.168.172.0/24 gateway=192.168.172.1 dns-server=192.168.172.1   
[admin@MikroTik] /ip dhcp-server network> add address=192.168.173.0/24 gateway=192.168.173.1 dns-server=192.168.173.1   

[admin@MikroTik] /ip dhcp-server> add name=bridge1 address-pool=lan interface=bridge1 lease-time=00:24:00 
[admin@MikroTik] /ip dhcp-server> 
[admin
@Mikro
Tik] /
ip dhc
p-serv
[admin@MikroTik] /ip dhcp-server> add name=v169 address-pool=v169  interface=vlan169  lease-time=00:24:00 disabled=no           
[admin@MikroTik] /ip dhcp-server> add name=v170 address-pool=v170  interface=vlan170  lease-time=00:24:00 disabled=no      
[admin@MikroTik] /ip dhcp-server> add name=v171 address-pool=v171  interface=vlan171  lease-time=00:24:00 disabled=no   
[admin@MikroTik] /ip dhcp-server> add name=v172 address-pool=v172  interface=vlan172  lease-time=00:24:00 disabled=no   
[admin@MikroTik] /ip dhcp-server> add name=v173 address-pool=v173  interface=vlan173  lease-time=00:24:00 disabled=no   
[admin@MikroTik] /ip dhcp-server> add name=v180 address-pool=v180  interface=vlan180  lease-time=00:24:00 disabled=no
[admin@MikroTik] /ip dhcp-server network> add address=192.168.180.0/24 gateway=192.168.180.1 dns-server=192.168.180.1  
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 3:14 am

/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN
/interface vlan
add interface=bridge1 name=vlan169 vlan-id=169
add interface=bridge1 name=vlan170 vlan-id=170
add interface=bridge1 name=vlan171 vlan-id=171
add interface=bridge1 name=vlan172 vlan-id=172
add interface=bridge1 name=vlan173 vlan-id=173
add interface=bridge1 name=vlan180 vlan-id=180
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan ranges=192.168.168.50-192.168.168.100
add name=v169 ranges=192.168.169.50-192.168.169.100
add name=v170 ranges=192.168.170.50-192.168.170.100
add name=v171 ranges=192.168.171.50-192.168.171.100
add name=v172 ranges=192.168.172.50-192.168.172.100
add name=v173 ranges=192.168.173.50-192.168.173.100
add name=v180 ranges=192.168.180.50-192.168.180.100
/ip dhcp-server
add address-pool=lan disabled=no interface=bridge1 lease-time=24m name=bridge1
add address-pool=v169 disabled=no interface=vlan169 lease-time=24m name=v169
add address-pool=v170 disabled=no interface=vlan170 lease-time=24m name=v170
add address-pool=v171 disabled=no interface=vlan171 lease-time=24m name=v171
add address-pool=v172 disabled=no interface=vlan172 lease-time=24m name=v172
add address-pool=v173 disabled=no interface=vlan173 lease-time=24m name=v173
add address-pool=v180 disabled=no interface=vlan180 lease-time=24m name=v180
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6-LAN,ether7-LAN vlan-ids=169,170,171,172,173,180
/ip address
add address=192.168.168.1/24 interface=bridge1 network=192.168.168.0
add address=192.168.169.1/24 interface=vlan169 network=192.168.169.0
add address=192.168.170.1/24 interface=vlan170 network=192.168.170.0
add address=192.168.171.1/24 interface=vlan171 network=192.168.171.0
add address=192.168.172.1/24 interface=vlan172 network=192.168.172.0
add address=192.168.173.1/24 interface=vlan173 network=192.168.173.0
add address=192.168.180.1/24 interface=vlan180 network=192.168.180.0
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=192.168.168.1 gateway=192.168.168.1
add address=192.168.169.0/24 dns-server=192.168.169.1 gateway=192.168.169.1
add address=192.168.170.0/24 dns-server=192.168.170.1 gateway=192.168.170.1
add address=192.168.171.0/24 dns-server=192.168.171.1 gateway=192.168.171.1
add address=192.168.172.0/24 dns-server=192.168.172.1 gateway=192.168.172.1
add address=192.168.173.0/24 dns-server=192.168.173.1 gateway=192.168.173.1
add address=192.168.180.0/24 dns-server=192.168.180.1 gateway=192.168.180.1
/system routerboard settings
set silent-boot=no
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 3:17 am

attached is picture of bridge and vlans
You do not have the required permissions to view the files attached to this post.
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 3:30 am

interface GigabitEthernet3/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet3/0/2
switchport access vlan 180
switchport mode access
!
interface GigabitEthernet3/0/3
switchport mode access
!
interface GigabitEthernet3/0/4
switchport access vlan 169
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast
!
interface GigabitEthernet3/0/5
switchport mode access
switchport voice vlan 180
srr-queue bandwidth share 10 10 60 20
queue-set 2
spanning-tree portfast
You do not have the required permissions to view the files attached to this post.
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 7:55 am

For the first you do not need to post so many posts, all can be done in one. If you do some wrong, you can just use the edit post to change it.
Click the pencil above the post to edit it.

Your drawing does not contain any VLAN, what should go as tagged/untagget to what port.
So I assume that port 6 should be equal port 7

Then you do miss the connection of the bridge to the interface. Without it, interface would not get any data.
/interface bridge port
add bridge=bridge1 interface=ether6 pvid=1
add bridge=bridge1 interface=ether7 pvid=1
On the cisco I do see that you have set the port to trunk, but since you have not postet complete configuration, VLAN may be missing.
Also not listet where the VLAN should go there.
vlan 169
 name vlan_169
vlan 170
 name vlan_170
etc
 
anav
Forum Veteran
Forum Veteran
Posts: 952
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 3:42 pm

Good pickup jotne, yes the bridge ports are missing!
My questions is why is fast forward disabled? On my vlan configuration fast forward is selected.
Specifically on the Bridge Definition!!
Last edited by anav on Mon Nov 19, 2018 5:48 pm, edited 1 time in total.
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 5:34 pm

Where do you see configuration about Fast Forward in VLAN?
 
anav
Forum Veteran
Forum Veteran
Posts: 952
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 5:46 pm

/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-LAN
/interface vlan
add interface=bridge1 name=vlan169 vlan-id=169
add interface=bridge1 name=vlan170 vlan-id=170
add interface=bridge1 name=vlan171 vlan-id=171
add interface=bridge1 name=vlan172 vlan-id=172
add interface=bridge1 name=vlan173 vlan-id=173
add interface=bridge1 name=vlan180 vlan-id=180
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan ranges=192.168.168.50-192.168.168.100
add name=v169 ranges=192.168.169.50-192.168.169.100
add name=v170 ranges=192.168.170.50-192.168.170.100
add name=v171 ranges=192.168.171.50-192.168.171.100
add name=v172 ranges=192.168.172.50-192.168.172.100
add name=v173 ranges=192.168.173.50-192.168.173.100
add name=v180 ranges=192.168.180.50-192.168.180.100
/ip dhcp-server
add address-pool=lan disabled=no interface=bridge1 lease-time=24m name=bridge1
add address-pool=v169 disabled=no interface=vlan169 lease-time=24m name=v169
add address-pool=v170 disabled=no interface=vlan170 lease-time=24m name=v170
add address-pool=v171 disabled=no interface=vlan171 lease-time=24m name=v171
add address-pool=v172 disabled=no interface=vlan172 lease-time=24m name=v172
add address-pool=v173 disabled=no interface=vlan173 lease-time=24m name=v173
add address-pool=v180 disabled=no interface=vlan180 lease-time=24m name=v180
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6-LAN,ether7-LAN vlan-ids=169,170,171,172,173,180
/ip address
add address=192.168.168.1/24 interface=bridge1 network=192.168.168.0
add address=192.168.169.1/24 interface=vlan169 network=192.168.169.0
add address=192.168.170.1/24 interface=vlan170 network=192.168.170.0
add address=192.168.171.1/24 interface=vlan171 network=192.168.171.0
add address=192.168.172.1/24 interface=vlan172 network=192.168.172.0
add address=192.168.173.1/24 interface=vlan173 network=192.168.173.0
add address=192.168.180.1/24 interface=vlan180 network=192.168.180.0
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=192.168.168.1 gateway=192.168.168.1
add address=192.168.169.0/24 dns-server=192.168.169.1 gateway=192.168.169.1
add address=192.168.170.0/24 dns-server=192.168.170.1 gateway=192.168.170.1
add address=192.168.171.0/24 dns-server=192.168.171.1 gateway=192.168.171.1
add address=192.168.172.0/24 dns-server=192.168.172.1 gateway=192.168.172.1
add address=192.168.173.0/24 dns-server=192.168.173.1 gateway=192.168.173.1
add address=192.168.180.0/24 dns-server=192.168.180.1 gateway=192.168.180.1
/system routerboard settings
set silent-boot=no
The post from sunday at 9:14 pm.

After some reading, the OP is correct, I need to fix my own router (set it to no) as I have more than two interfaces connected on my hex.
I wonder if having it set to YES has had any negative affects on my router and setup as I have not noticed anything??
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 6:37 pm

yes in my config fast-forward=no

and here is the digram what I try to achieve = using trunk between mikrotik and cisco or juniper I want to send all vlans (whatever is set on the mikrotik, like you mentioned before 192.168.168.1/24 untagged vlan and then all tagged (all vlans -169,170,171,172,173,180)
You do not have the required permissions to view the files attached to this post.
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 6:38 pm

for example eth30/03 just simple network device assigned to in this case v170 (computer, whatever)
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 6:50 pm

if all is ok with this why then trunk properly send untagged and tagged networks? my only concern is the bridge vlans tab with all tagged & untagged
You do not have the required permissions to view the files attached to this post.
 
User avatar
Jotne
Long time Member
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 7:46 pm

When reading about Fast-Forward, its is default on, but most setup would have more than two ports, so it would not do any thing.
Same with Hardware Offloading that is on on my router.
 /interface bridge settings print
              use-ip-firewall: no
     use-ip-firewall-for-vlan: no
    use-ip-firewall-for-pppoe: no
              allow-fast-path: yes
      bridge-fast-path-active: yes
     bridge-fast-path-packets: 0
       bridge-fast-path-bytes: 0
  bridge-fast-forward-packets: 0
    bridge-fast-forward-bytes: 0
So not packet on my router.

More info:
https://wiki.mikrotik.com/wiki/Manual:I ... st_Forward
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Mon Nov 19, 2018 10:40 pm

wooooooooowwwwwwww looks like i have v170 working on juniuper i thik it works , now time for cisco switch
 
anav
Forum Veteran
Forum Veteran
Posts: 952
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik 3011 VLAN setup voice + data

Tue Nov 20, 2018 12:26 am

It should work, the configuration with the last changes from jotne seems ready for prime time!
 
sprintership
newbie
Topic Author
Posts: 31
Joined: Thu Oct 25, 2018 2:28 pm

Re: Mikrotik 3011 VLAN setup voice + data

Tue Nov 20, 2018 12:33 am

whooooooooooooooooooooo it works with cisco as well !!!!!!!!! thank you all for your help here with the vlans !!!!!!

Who is online

Users browsing this forum: mkx, RizONE and 12 guests