How to configure VLAN?
Hello. My ISP provides its services on different VLANs (Internet is on VLAN 10 and IP-address can only be obtained using DHCP-Client on router). My router is connected to ISP through Ether1 (DHCP-Client is running on this interface). Ether2-Ether10 are for clients and are in one bridge. This bridge has DHCP-server assigned to it. How do I configure my router so that I can access Internet on my clients and they get IP address only from my DHCP-server?
-
-
spynappels
Member Candidate
- Posts: 106
- Joined:
- Location: Northern Ireland
- Contact:
Re: How to configure VLAN?
Is it just your WAN interface that gets it's public IP using DHCP-CLient over VLAN10? Or do all the clients get their IPs from your ISPs DHCP Server in some way?
In either case you will need to have a VLAN interface on ether1 with VLAN ID 10, but I'm sure the rest depends on how you would answer the questions above.
In either case you will need to have a VLAN interface on ether1 with VLAN ID 10, but I'm sure the rest depends on how you would answer the questions above.
Re: How to configure VLAN?
During my previous attempt to configure router all my clients got IP from ISPs DHCP Server (VLAN Interface was in the same bridge as other interfaces, bridge also got address from ISPs DHCP). What I need is that only WAN interface gets public IP and my clients have only local IP, which they have to get from local DHCP Server. During first attempts I had my bridge configured with something like this:Is it just your WAN interface that gets it's public IP using DHCP-CLient over VLAN10? Or do all the clients get their IPs from your ISPs DHCP Server in some way?
Code: Select all
/interface bridge vlan
add bridge=Main tagged=vlan10 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
Re: How to configure VLAN?
If you only need VLANs on your WAN interface (i.e. you don't use VLANs in your LAN infrastructure), then you only need vlan interface on top of WAN port, such as this:
Make sure ether1 is not part of any bridge.
After that base your WAN setup upon this interface:
The last part (adding interface to WAN interface list) is necessary for (default) firewall setup to work it's magic (protection on ingress and NAT on egress).
Code: Select all
/interface vlan
add name=wan-vlan10 interface=ether1 vlan-id=10
Make sure ether1 is not part of any bridge.
After that base your WAN setup upon this interface:
Code: Select all
/ip dhcp-client
add interface=wan-vlan10
/interface list member
add interface=wan-vlan10 list=WAN
The last part (adding interface to WAN interface list) is necessary for (default) firewall setup to work it's magic (protection on ingress and NAT on egress).
Re: How to configure VLAN?
Thank you for your answer. My ISP also provides IPTV services on VLAN 20 (ISP has another DHCP server on that VLAN). Right now my TVs are connected to ports in another bridge (not the one with Internet clients). How do I configure router so that my TVs have access to IPTV service from VLAN 20, and at the same time have Internet access from VLAN 10? However, I don't want everything from VLAN 20 to be available on my Internet clients. TVs also get local IP from DHCP server on my router (another server). I suppose that I have to add some Firewall Filter rules for that.If you only need VLANs on your WAN interface (i.e. you don't use VLANs in your LAN infrastructure), then you only need vlan interface on top of WAN port, such as this:
-
-
spynappels
Member Candidate
- Posts: 106
- Joined:
- Location: Northern Ireland
- Contact:
Re: How to configure VLAN?
To set up the WAN/ISP side of this is quite simple and is the same as the solution provided by mkx earlier:
The second part is a little more complex. How do your TVs currently get an IP? From a local DHCP server with traffic routed to the IPTV WAN connection? Or do they pull an IP directly from the ISP IPTV service? Do the TVs have any Internet access through the IPTV service or is it only TV service? I think the answer here is going to be "It depends" as it will depend on how your IPTV is provided to the TVs, how your ISP routes IPTV traffic and what your TVs are capable of.
Code: Select all
/interface vlan
add name=IPTV interface=ether1 vlan-id=20Re: How to configure VLAN?
Right now I have VLAN 20 interface that gets IP (different from IP on VLAN 10) from ISP using DHCP Client. On VLAN 20 it is only TV service, no Internet. TVs get IP from local DHCP Server and the traffic from VLAN 20 is routed to bridge with TVs.The second part is a little more complex. How do your TVs currently get an IP? From a local DHCP server with traffic routed to the IPTV WAN connection? Or do they pull an IP directly from the ISP IPTV service? Do the TVs have any Internet access through the IPTV service or is it only TV service? I think the answer here is going to be "It depends" as it will depend on how your IPTV is provided to the TVs, how your ISP routes IPTV traffic and what your TVs are capable of.
Re: How to configure VLAN?
In this case you'll have to go with all ports part of single bridge. ether1 will be trunk port for VLANs 10 and 20. The rest of ether ports will be either trunk ports for VLAN 20 (the IPTV ports) or hybrid ports (untagged for LAN, let's say LAN will be VLAN 30, and taged for VLAN 20) - for IPTV boxes that might need access to LAN for some reason - or simple access ports for LAN (for LAN machines). You'll have two vlan interfaces: WAN with VID 10 and LAN with VID 30. No need for bridge to have anything above L2 for VLAN 20.
E.g.
It is extremely important that you get the L2 setup (bridge and LANs) in this case right ... The way your ports ether2-X will be configured highly depend on how IPTV set-top boxes expect things to work. In my case ISP delivers IPTV multicasts tagged (and set-top boxes require it tagged with same VID), but set-top boxes also want to have normal internet connectivity untagged (I created a separate LAN subnet for them) ... and normal internet connectivity is used by them to download EPG and to access some 3rd party services (youtube, deezer, ...). They can also play contents served by local DLNA servers but I don't want that set-top box to have anything to do with my LAN.
E.g.
Code: Select all
/interface bridge
add bridge frame-types=admit-only-vlan-taggedvlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes # pyhsical WAN port
add bridge=bridge interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes # IPTV port with VID 20 tagged if that's the way set-top box requires it
add bridge=bridge interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes # IPTV access port if IPTV set-top box expects it untagged
add bridge=bridge interface=ether4 pvid=30 frame-ftype=admit-all ingress-filtering=yes # hybrid port - untagged LAN and tagged IPTV
add brdige=bridge interface=ether5 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes # LAN untagged only
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=ether1,ether2 untagged=ether3,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether3 untagged=ether4,ether5 vlan-ids=30
#
# Note: in /interface bridge vlan specifying ports as untagged is entirely optional as ROS will add relevant ports as they have pvid setting under /interface bridge port
#
/interface vlan
add interface=bridge name=WAN-v10 vlan-id=10
add interface=bridge name=LAN-v30 vlan-id=30
#
/interface list
add name=LAN
add name=WAN
/interface list member
add interface=WAN-10 list=WAN
add interface=LAN-10 list=LAN
....
/ip dhcp-client
add interface=WAN-v10
/ip address
add interface=LAN-v30 address=<LAN IP>/24
...
etc
It is extremely important that you get the L2 setup (bridge and LANs) in this case right ... The way your ports ether2-X will be configured highly depend on how IPTV set-top boxes expect things to work. In my case ISP delivers IPTV multicasts tagged (and set-top boxes require it tagged with same VID), but set-top boxes also want to have normal internet connectivity untagged (I created a separate LAN subnet for them) ... and normal internet connectivity is used by them to download EPG and to access some 3rd party services (youtube, deezer, ...). They can also play contents served by local DLNA servers but I don't want that set-top box to have anything to do with my LAN.
Re: How to configure VLAN?
It will be helpful to post your complete config when done.
/export hide-sensitive file=anynameyouwish
AND....
A network diagram showing the physical connections between them (vlans etc to which ports) including down to PCs, Access points, Switches etc........
IN that regard we can match up the config to what you have setup physically, much easier to understand.
/export hide-sensitive file=anynameyouwish
AND....
A network diagram showing the physical connections between them (vlans etc to which ports) including down to PCs, Access points, Switches etc........
IN that regard we can match up the config to what you have setup physically, much easier to understand.
Who is online
Users browsing this forum: Ahrefs [Bot], xixihaga and 30 guests