jokakilla
just joined
Topic Author
Posts: 20
Joined: Sat Oct 30, 2021 11:09 pm

VLAN configuration RB4011IGS+RM once again

Mon Nov 01, 2021 9:44 pm

Hi everyone,
after days of reading how-tos (e.g. viewtopic.php?t=143620 and many others) and struggling with the configuration, I turn to you and ask for help.

Attached you can find a diagram of the network I want to achieve and an rsc file with my latest configuration. Running firmware 6.49.

- WAN on ether1
- Some access ports (cameras, Raspberry, SmartHome)
- Some trunk ports (for WiFi, Switch to other room, and server)
- The WiFi controller will add VLAN tags based on the SSID.

In the end some of the networks should have internet access and communication between VLANs should be restricted. But for now I'd be happy if every device would have internet connection and free routing between all VLANs.

How I tried to configure the device:
- Factory reset with button
- Connect with winbox
- Remove default configuration
- Open terminal in Winbox and execute the lines in the rsc file

I tried to change a lot of small details but in the end I was always locked out after the last step (activate vlan-filtering)
/interface bridge set bridge1 vlan-filtering=yes

On the access ports DHCP is not responding. Manually configuring an IP matching the network on the corresponding port didn't help.
On my linux machine I set up VLAN 99 (MGMT vlan) and tried to connect on a trunk port. Without success.
sudo ip link add link enp37s0 name enp37s0.99 type vlan id 99
sudo ip addr change 192.168.30.242/24 brd 192.168.30.255 dev enp37s0.99
sudo ifconfig enp37s0.99 up

192.168.30.1 unreachable.
When using the trunk port wireshark showed that the packets were tagged (802.1Q ID 99) but even the ARP requests are not answered by the router.

Mikrotiks seem to be very powerful but I underestimated how steep the learning curve is. Quite frustrating.
 
jokakilla
just joined
Topic Author
Posts: 20
Joined: Sat Oct 30, 2021 11:09 pm

Re: VLAN configuration RB4011IGS+RM once again

Mon Nov 01, 2021 10:31 pm

Btw: Once I configured Patton VoIP gateways and they had different configurations (running and startup). Every change you made was on running config. Before rebooting you had to save the running to the startup config. This had the benefit that a simple reboot returned to the startup configuration in case you did something stupid and locked yourself out. I couldn't find something like that for Mikrotik. Did I just miss that?

To make sure I don't lock out over and over again I ordered a serial cable ;)
Last edited by jokakilla on Mon Nov 01, 2021 10:32 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration RB4011IGS+RM once again

Wed Nov 03, 2021 1:32 pm

Well what I would do is take one port on the router, take it off the bridge, give it an IP address of 192.168.5.2, add it to the interface list members that winboxmac server uses and make sure in input chain firewall rules it can reach the router. Then such an etherport, let's say ether5, name it ether5emerg-access, can be accessed any time the config/bridge burps by connecting a laptop to ether5 and just putting an IP on the laptop of 192.168.5.5 for example.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration RB4011IGS+RM once again

Wed Nov 03, 2021 2:12 pm

Config Review

(1) Problem number one, I hate reviewing configs in that stilted and incomplete format you have used, vice the natural format of
/export hide-sensitive file=anynameyouwish

(2) Your firmware is out of date, recommend the latest LONG TERM version of firmware.

(3) (wrong) FROM
/interface bridge vlan
add bridge=bridge1 untagged=ether2,ether3,ether4,ether10 vlan-ids=100,110,110,99
set bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 [find vlan-ids=100]
set bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 [find vlan-ids=110]
set bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 [find vlan-ids=120]
set bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 [find vlan-ids=99]

TO
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 untagged=ether2 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 untagged=ether3,ether4 vlan-ids=110
add bridge=bridge1 tagged=bridge1,ether9 vlan-ids=120
add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 untagged=ether6,ether10 vlan-ids=99

Notes:
-I removed ether5 from vlan99 as this will be a non-port emerg access to the router ether5emerg-access
-All smart devices should get an IP address from the management LAN.
-Only ether9, needs vlan120 going through it.


(4) Firewall chain rules are weak and for a new person they should stick to default until they understand them.
They are incomplete.

INPUT CHAIN
Replace with these default rules...........
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

Then add for Admin access
add chain=input action=accept in-interface=MGMT_VLAN comment="Allow MGMT_VLAN Full Access"

Since VLAN users have no need for full access to the router we do not provide them with any for starters......
They may need DNS or NTP and not much else.

Then add: (if the router is providing DNS services, if not, then not required)
add action=accept chain=input comment="DNS for VLAN" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="DNS for VLAN" dst-port=53 \
in-interface-list=LAN protocol=udp

add action=drop chain=input comment="Drop All Else"


FORWARD CHAIN:
Ensure you have these default rules.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

Then ADD rules which traffic you want to permit.
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

{ this rule is only required if you will port forward to a server }
add action=accept chain=forward comment="defconf: Allow Port Forward" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN

add chain=forward action=drop comment="Drop"

(5) Interface list members is incomplete
/interface list member
add interface=ether1 list=WAN
add interface=IOT_VLAN list=VLAN
add interface=VIDEO_VLAN list=VLAN
add interface=GAST_VLAN list=VLAN
add interface=MGMT_VLAN list=VLAN
add interface=MGMT_VLAN list=MGMT

add interface=ether5emerg-access list=MGMT (optional if creating this function)
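To see how this input chain behaves, here is an added Python walk-through of RouterOS first-match evaluation over the rules above (example code, not from the thread). The rules and the interface lists of point (5) are transcribed; the LAN list that the DNS rules reference is not populated in point (5), so it is assumed here to hold the four VLAN interfaces, and 8291 is the Winbox port.

```python
"""First-match walk through the input chain from the review above (added example)."""

# Interface list membership from point (5). "LAN" is an assumption: the review's
# DNS rules match in-interface-list=LAN but never populate that list.
LISTS = {
    "WAN": {"ether1"},
    "VLAN": {"IOT_VLAN", "VIDEO_VLAN", "GAST_VLAN", "MGMT_VLAN"},
    "MGMT": {"MGMT_VLAN", "ether5emerg-access"},
    "LAN": {"IOT_VLAN", "VIDEO_VLAN", "GAST_VLAN", "MGMT_VLAN"},  # assumed
}

# The review's input chain, in order. Keys are the RouterOS matcher names.
INPUT_CHAIN = [
    {"action": "accept", "connection-state": {"established", "related", "untracked"},
     "comment": "defconf: accept established,related,untracked"},
    {"action": "drop", "connection-state": {"invalid"}, "comment": "defconf: drop invalid"},
    {"action": "accept", "protocol": "icmp", "comment": "defconf: accept ICMP"},
    {"action": "accept", "in-interface": "MGMT_VLAN", "comment": "Allow MGMT_VLAN Full Access"},
    {"action": "accept", "in-interface-list": "LAN", "protocol": "tcp", "dst-port": 53,
     "comment": "DNS for VLAN"},
    {"action": "accept", "in-interface-list": "LAN", "protocol": "udp", "dst-port": 53,
     "comment": "DNS for VLAN"},
    {"action": "drop", "comment": "Drop All Else"},
]


def matches(rule, pkt):
    """True when every matcher present in `rule` agrees with the packet."""
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in rule and rule["dst-port"] != pkt["dst-port"]:
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt["in"]:
        return False
    if "in-interface-list" in rule and pkt["in"] not in LISTS[rule["in-interface-list"]]:
        return False
    return True


def evaluate(chain, pkt):
    """Return (action, comment) of the first matching rule. A chain where nothing
    matches ends in the RouterOS implicit accept, which is why the review closes
    the chain with an explicit drop."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "implicit accept (no rule matched)"


def packet(in_if, protocol, dst_port=None, state="new"):
    """Constructed packet as seen by the input chain (router itself is the destination)."""
    return {"in": in_if, "protocol": protocol, "dst-port": dst_port, "state": state}


if __name__ == "__main__":
    cases = {
        "winbox (8291) from MGMT_VLAN": packet("MGMT_VLAN", "tcp", 8291),
        "winbox (8291) from IOT_VLAN": packet("IOT_VLAN", "tcp", 8291),
        "DNS from GAST_VLAN": packet("GAST_VLAN", "udp", 53),
        "winbox (8291) from WAN": packet("ether1", "tcp", 8291),
        "ICMP from WAN": packet("ether1", "icmp"),
    }
    for name, pkt in cases.items():
        print(f"{name:30} -> {evaluate(INPUT_CHAIN, pkt)}")
    # The same IoT winbox attempt with the final rule removed: nothing matches, so it is accepted.
    print("IoT winbox, no final drop      ->",
          evaluate(INPUT_CHAIN[:-1], cases["winbox (8291) from IOT_VLAN"]))
```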
 
jokakilla
just joined
Topic Author
Posts: 20
Joined: Sat Oct 30, 2021 11:09 pm

Re: VLAN configuration RB4011IGS+RM once again

Wed Nov 03, 2021 11:03 pm

Thanks for the extensive review.
First of all: In general it's now working and I can go on going into details. Trunk ports are fine and on the access ports DHCP is giving me an IP depending on the VLAN of the access port. Thanks!

Regarding your points
(1) TBH Still new to the whole stuff. Different formats are confusing to me but I'll use the export in the future.

(2) What's the benefit of using the long-term (6.48.5) compared to the stable (6.49) I'm using?

(3) I guess that was the main reason why nothing was working as expected before. I'll definitely add the emergency interface to ether5 or 6. Good point.

(4) I'll get into details of the firewall in my next configuration steps and double check everything. But thanks for the hint!

(5) Thanks....forgot to add MGMT_VLAN to the VLAN list. Totally makes sense.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration RB4011IGS+RM once again

Sat Nov 06, 2021 3:53 am

2. Fewer issues overall, tends more to fit the wording of stable LOL.

4. Anytime you want to review just post.
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: VLAN configuration RB4011IGS+RM once again

Mon Nov 08, 2021 11:43 am

jokakilla wrote:
Hi everyone,
after days of reading how-tos (e.g. viewtopic.php?t=143620 and many others) and struggling with the configuration, I turn to you and ask for help.

Attached you can find a diagram of the network I want to achieve and an rsc file with my latest configuration. Running firmware 6.49.
...
Mikrotiks seem to be very powerful but I underestimated how steep the learning curve is. Quite frustrating.
How should one set the 192.168.0.1/24, 192.168.1.1/24, 192.168.2.1/24 and 192.168.3.1/24 addresses?

Should you :
1. create VLAN interfaces with your main bridge as their parent interface
2. allocate these 192.168.X.1/24 addresses to these interfaces?

I'm asking because I've got a similar setup but I'm currently banging on how to allocate addresses within VLANs served by my router.

My current config:
/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7 pvid=10
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=combo1
/interface bridge vlan
add bridge=bridge1 comment="Guest LAN" tagged=\
    ether3,ether4,ether5,ether6,vlan10 untagged=ether7 vlan-ids=10
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
add interface=ether2 list=WAN
/ip address
add address=192.168.1.221/24 comment=defconf interface=bridge1 network=\
    192.168.1.0
add address=10.119.0.1/19 interface=vlan10 network=10.119.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Paris
When I ping 10.119.0.1 from either ether3 or ether7, I get no answer.
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: VLAN configuration RB4011IGS+RM once again

Mon Nov 08, 2021 2:40 pm

For an unknown reason, my config started to work, so I'm sorry for the noise.

Anyway, may I reiterate that, for reference, IMHO, adding details on the way addresses are set should help.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration RB4011IGS+RM once again

Mon Nov 08, 2021 7:11 pm

You have to be kidding me right?

That is your config/.......................

(1) Missing IP pool for bridge network
(2) Missing DHCP server for bridge network
(3) Missing DHCP server network for bridge network

(4) Your /interface bridge vlan settings are wrong. You have identified an entity that is not even a bridge port, and doesn't exist in your /bridge port settings either.
/interface bridge vlan
add bridge=bridge1 comment="Guest LAN" tagged=\
ether3,ether4,ether5,ether6,vlan10 untagged=ether7 vlan-ids=10

(5) Change this
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=bridge1 list=LAN
add interface=ether2 list=WAN


TO
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=vlan10 list=LAN

(6) The one existing DHCP Server Network.............
See anything fishy with this ;-))))
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
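A small consistency check over the bridge VLAN table catches both the problem in point (3) of the earlier review (one entry carrying vlan-ids=100,110,110,99 with every access port untagged in all of them) and point (4) here (vlan10 listed as if it were a bridge port, and bridge1 missing from the tagged list of the VLAN it routes). Added Python example, not from the thread; the bridge port lines of the first sample are assumed, since the thread never showed them.

```python
"""Consistency checks for a RouterOS bridge VLAN table in /export form (added example)."""
import shlex
from collections import defaultdict


def parse_export(text):
    """Map each /section to the {key: value} dicts of its 'add' lines. A trailing
    backslash continues a line; 'set ... [find ...]' lines are skipped, not evaluated."""
    sections, section, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
        elif line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            sections[section].append(
                dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok))
    return sections


def lint_bridge_vlans(text):
    """Return findings for the bridge VLAN table (vlan-id ranges are not expanded)."""
    cfg = parse_export(text)
    ports = {p["interface"] for p in cfg["/interface bridge port"]}
    vlans = cfg["/interface bridge vlan"]
    findings, seen, untagged_in, bridge_tagged = [], set(), defaultdict(set), defaultdict(set)
    for e in vlans:
        bridge, vids = e["bridge"], e["vlan-ids"].split(",")
        tagged = [t for t in e.get("tagged", "").split(",") if t]
        untagged = [u for u in e.get("untagged", "").split(",") if u]
        for vid in vids:
            if vid in seen:  # e.g. vlan-ids=100,110,110,99
                findings.append(f"vlan {vid}: listed more than once")
            seen.add(vid)
            if bridge in tagged:
                bridge_tagged[bridge].add(vid)
        for member in tagged + untagged:
            if member != bridge and member not in ports:
                findings.append(f"vlan {','.join(vids)}: '{member}' is not a bridge port")
        for port in untagged:
            untagged_in[port].update(vids)
    for port, vids in sorted(untagged_in.items()):
        if len(vids) > 1:  # an access port is untagged in exactly one VLAN
            findings.append(f"port {port}: untagged in several vlans ({','.join(sorted(vids))})")
    # A VLAN the router terminates (/interface vlan on the bridge) needs the bridge
    # itself in that VLAN's tagged list, or the CPU never receives its frames.
    bridges = {e["bridge"] for e in vlans}
    for v in cfg["/interface vlan"]:
        if v["interface"] in bridges and v["vlan-id"] not in bridge_tagged[v["interface"]]:
            findings.append(f"vlan {v['vlan-id']}: {v['name']} sits on {v['interface']}, "
                            f"which is not in its tagged list")
    return findings


# Constructed samples: the review's 'FROM' entry with an assumed port list, and
# olivier2831's table with its line continuation.
WRONG_TABLE = """/interface bridge port
add bridge=bridge1 interface=ether2 pvid=100
add bridge=bridge1 interface=ether3 pvid=110
add bridge=bridge1 interface=ether4 pvid=110
add bridge=bridge1 interface=ether10 pvid=99
/interface bridge vlan
add bridge=bridge1 untagged=ether2,ether3,ether4,ether10 vlan-ids=100,110,110,99
"""
OLIVIER_TABLE = """/interface bridge port
add bridge=bridge1 interface=ether7 pvid=10
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface bridge vlan
add bridge=bridge1 comment="Guest LAN" tagged=\\
    vlan10 untagged=ether7 vlan-ids=10
"""
```

Running lint_bridge_vlans over the corrected 'TO' table (with a matching /interface bridge port list) returns no findings.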
 
jokakilla
just joined
Topic Author
Posts: 20
Joined: Sat Oct 30, 2021 11:09 pm

Re: VLAN configuration RB4011IGS+RM once again

Sun Dec 05, 2021 1:49 am

Overall the configuration has been running quite solidly for a few weeks now. But there are some problems that I could not solve yet. If someone could have one more look at my configuration (in general, but especially regarding the following points), I'd appreciate it.

1. Emergency port not working yet
- Selected port 5 as an emergency port (as recommended) that is not part of the bridge to avoid locking out of the system when something goes wrong.
- Under IP->Addresses added 192.168.3.1/24 with network 192.168.3.0
- Added firewall input chain rule allow dst.address 192.168.3.1 from in interface ether5
- IP Services winbox, added available from 192.168.3.0/24
- Attached notebook with static IP 192.168.3.2 to port 5
No ping response, no winbox connection. Any ideas?

2. Artefacts in RTSP Video streams from IP cameras
- Two IP cameras with static IPs (192.168.1.243, 192.168.1.244) on mikrotik port 6 and 7
- NVR (AgentDVR) running in Docker container with ipvlan driver (192.168.1.242) on server on mikrotik port 8
The cameras and NVR had already been running for months on my old router (FritzBox 7590) without any issues. Since using the Mikrotik, video is breaking up when looking at the live stream.
Recordings downloaded and played back using VLC locally are also a total mess.

On NVR server side the only thing that has changed is that ipvlan driver is now used on the server because the container should be in the video VLAN 110 and of course the router ;-).
If google results didn't trick me, the layer ipvlan adds should be pretty thin and usually does not cause trouble.

On Mikrotik side I tried some things:
- Changing ports (before that cameras and server were not on the same switch chip)
- Checked MTU (1500 on mikrotik and server, cameras have no option to show/change the value)
- Set bridge STP mode from none to MSTP (read the recommendation and thought it shouldn't be wrong even if theoretically loops etc. shouldn't be an issue here)
- Set flow control (tx/rx) "on" for all involved ports
- Upgrading to testing firmware 7.1 (hoped to get HW offloading but it is still shown as off)
- Capturing stream with wireshark to analyze it (packet sniffer, streaming to my PC running wireshark. No data from cameras. Probably because it is not passing the CPU?)
- Capture the video stream on the NVR server with tshark. Analysis of the RTP stream showed some high delta values around 50ms. Struggling to get what that means? High latency?

The rest of the network is rock-stable and I could not see any packet loss or high latency. The next best thing that comes to my mind is QoS. But is that really required on a 1Gbit link where nearly no other data is transferred and video streams consume something like 10 Mbit? When streaming directly from the cameras to VLC on my PC in the MGMT network it is working perfectly fine even though routing is involved. So I'd guess it must be related to the NVR server or the server port.
 
smyers119
Member Candidate
Posts: 232
Joined: Sat Feb 27, 2021 8:16 pm
Location: USA

Re: VLAN configuration RB4011IGS+RM once again

Sun Dec 05, 2021 3:34 am

Problem #1:
add port 5 to mngt_vlan interface list
Problem#2:
you need to rule the mikrotik in/out by trying a different switch
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration RB4011IGS+RM once again

Sun Dec 05, 2021 4:47 am

smyers is bang on, and I never said to use .1 for address!!
/ip address
add address=192.168.3.2/24 interface=ether5_emergency network=192.168.3.0

Due to this........ which is fine and good.
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Ensure;;;;;
/interface list member
add interface=MGMT_VLAN list=MGMT
add interface=ether5_emergency list=MGMT

I would adjust this rule slightly.............
/ip firewall filter
add action=accept chain=input comment="Allow emergency access on Port 5" \
in-interface=ether5_emergency src-address=192.168.3.5

Log into the router on ether five by setting ipv4 on your laptop to an IP address of 192.168.3.5, gateway 192.168.3.1 and netmask 255.255.255.0

Should work!
 
jokakilla
just joined
Topic Author
Posts: 20
Joined: Sat Oct 30, 2021 11:09 pm

Re: VLAN configuration RB4011IGS+RM once again

Sun Dec 05, 2021 9:58 pm

Thanks for your support :) The emergency port is working fine now!

Regarding the second problem (just for better understanding):
Next step would be configuring a switch with VLAN support (e.g. I have a Unifi Flex Mini) like this:
1. Port (uplink to Mikrotik)
2. Port Access Port Video VLAN for camera 1
3. Port Access Port Video VLAN for camera 2
4. Port Trunk Port for server (NVR sets Video VLAN tags on its own)

In that case the packets between Cameras and Server should not need to pass the Mikrotik and would simply be passed between Port 2, 3 and 4 by the switch right?
If the problems disappear there is something wrong with my Mikrotik configuration or firmware. Otherwise somewhere else (cameras, cabling, server).
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration RB4011IGS+RM once again

Mon Dec 06, 2021 1:54 am

Your description/scenario is not clear.
I don't have a visual on what vlans are going to what ports on the unifi and mikrotik; a mini network diagram would help.
Assuming the vlans come from the Mikrotik there are two cases.
a. mikrotik is a switch, in which case it's pretty much transparent
b. mikrotik is a router, in which case traffic goes to the router every time a firewall rule needs to get matched that affects that vlan.
 
jokakilla
just joined
Topic Author
Posts: 20
Joined: Sat Oct 30, 2021 11:09 pm

Re: VLAN configuration RB4011IGS+RM once again

Wed Dec 08, 2021 7:44 pm

I tried to bypass the router by connecting cameras and server on a managed switch with an uplink to the Mikrotik Router. This way I could rule out that the Mikrotik is the root of evil ;)
The video streaming artefacts also appear when data is only passing the managed switch.
testing.png
The switch ports have been set to "Access Port VLAN 110 (video)". All other ports are transparent. Video NVR server has interface in VLAN 110.
To be absolutely sure data is not going through the router I removed the uplink.

I guess the problem won't be the cameras because the stream directly from camera to VLC on PC is working fine. Maybe it has something to do with the docker ipvlan interface used to have a tagged network interface in the video VLAN.

Maybe I'll just treat my server to a second network card and configure an access port in VLAN 110 for the video server ;)
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration RB4011IGS+RM once again

Wed Dec 08, 2021 8:31 pm

I'd get rid of the UNIFI (and get any other managed switch) or set it up as a NORMAL managed switch where all VLANs going to it are TRUNKED on port 1.

In any case, if you insist .........
The RB4011 setup for port 8 would look like

/interface bridge port
add bridge=bridge interface=ether8 ingress-filtering=yes pvid=99

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether8 vlan-ids=99
add bridge=bridge tagged=bridge,ether8,ether6,ether7 vlan-ids=110
add bridge=bridge tagged=bridge,ether8,ether4,ether3 vlan-ids=100

Notes: The unifi should have an IP address on the subnet of vlan99.
Hybrid Port8 Carries both 110 and 100 to the unifi for onward use.
 
jokakilla
just joined
Topic Author
Posts: 20
Joined: Sat Oct 30, 2021 11:09 pm

Re: VLAN configuration RB4011IGS+RM once again

Wed Dec 08, 2021 9:01 pm

Thx anav. This configuration was just for testing purposes. As the video stream problems persist I'll get rid of the Unifi switch between the components.
At least the Mikrotik router is doing just fine and the root cause must be somewhere else.

And yes I've already noticed limitations on the Unifi Flex Mini switches. You can't configure custom port profiles. Your only options for each port are "Access Port" or "Untagged (all VLANs allowed)". So no hybrid port configuration possible on the "small" Unifi switch. If I need more I'll think about a RB260GS.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: VLAN configuration RB4011IGS+RM once again

Wed Dec 08, 2021 9:33 pm

jokakilla wrote:
If I need more I'll think about a RB260GS.
I have a couple of those and they work well.
 
jokakilla
just joined
Topic Author
Posts: 20
Joined: Sat Oct 30, 2021 11:09 pm

Re: VLAN configuration RB4011IGS+RM once again

Fri Dec 10, 2021 1:40 pm

The video streaming problems are fixed! The streaming protocol was set to "auto" which is (for AgentDVR) UDP. After switching to TCP the problems are gone.
I can happily live with that but wonder what the reason is. Wrong order or lost packets that are corrected by the TCP protocol?
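The question of lost versus reordered packets, and what the tshark "delta" values earlier in the thread mean, can be settled from the RTP headers alone: the inter-arrival delta by itself does not distinguish loss from jitter, but sequence-number gaps do. This is an added Python example, not from the thread, run over a constructed 25 fps capture; the 90 kHz clock and the sample values are assumptions.

```python
"""Loss, reordering and jitter of an RTP stream from (arrival_s, seq, rtp_ts) records (added example)."""


def analyse_rtp(packets, clock_rate=90000):
    """Summarise records given in capture order.

    lost: sequence gaps never filled; reordered: packets arriving after a higher
    sequence number (each fills one gap again); max_delta_ms: largest inter-arrival
    gap; jitter_ms: RFC 3550 interarrival jitter. clock_rate 90 kHz is the video RTP clock.
    """
    lost = reordered = duplicates = 0
    max_delta_ms = jitter = 0.0
    highest, prev, received = None, None, set()  # highest = extended, wrap-free seq
    for arrival, seq, ts in packets:
        if highest is None:
            ext = highest = seq
        else:
            diff = (seq - highest + 0x8000) % 0x10000 - 0x8000  # signed 16-bit distance
            ext = highest + diff
            if diff > 0:
                lost += diff - 1      # skipped packets, unless a late copy shows up
                highest = ext
            elif ext in received:
                duplicates += 1
            else:
                reordered += 1        # arrived late: one gap less
                lost = max(lost - 1, 0)
            max_delta_ms = max(max_delta_ms, (arrival - prev[0]) * 1000.0)
            # RFC 3550 6.4.1: D = (Rj - Ri) - (Sj - Si) in clock ticks, J += (|D| - J) / 16
            d = (arrival - prev[0]) * clock_rate - (ts - prev[2])
            jitter += (abs(d) - jitter) / 16.0
        received.add(ext)
        prev = (arrival, seq, ts)
    return {"lost": lost, "reordered": reordered, "duplicates": duplicates,
            "max_delta_ms": round(max_delta_ms, 1),
            "jitter_ms": round(jitter * 1000.0 / clock_rate, 2)}


def constructed_capture():
    """Constructed 25 fps stream, one packet per frame (ts += 3600 at 90 kHz):
    seq 1005 never arrives, 1010 and 1011 swap places, 1012 arrives 30 ms late."""
    records = []
    for i in range(20):
        seq = 1000 + i
        if seq == 1005:
            continue
        arrival = 0.040 * i + (0.030 if seq == 1012 else 0.0)
        records.append((arrival, seq, 100000 + 3600 * i))
    k = [r[1] for r in records].index(1010)
    (ta, sa, tsa), (tb, sb, tsb) = records[k], records[k + 1]
    records[k], records[k + 1] = (ta, sb, tsb), (tb, sa, tsa)
    return records


if __name__ == "__main__":
    print(analyse_rtp(constructed_capture()))
```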
