I'm trying to implement a basic VLAN configuration with:
- A Mikrotik HAP AC2 as a router, DHCP server (switch chip Atheros 8327) (config attached)
- A Mikrotik CRS-109 as managed switch (config attached)
VLANS:
- VLAN 5: It will be used for Access Point that is connected to Mikrotik CRS-109 (192.168.5.0/24)
- VLAN 10: It will be used for every PC wired connected to CRS-109 (192.168.10.0/24)
- VLAN 99: It will be used as managed network (192.168.99.0/24)
Mikrotik HAP AC2:
- Connects to the ISP router/modem on ether1 and obtains a dynamic (DHCP) address from it (currently 192.168.0.2/24)
- Creates the 3 VLANs and acts as DHCP server for each of them
- Connects to the managed switch through a trunk port (ether5) and sends the three VLANs (5,10,99) tagged on that port
- For VLANS, I'm using switch chip (Atheros 8327)
Mikrotik CRS-109:
- It receives the 3 VLANS (5,10,99) through port SFP1. This port (SFP1) is configured as Trunk Port
- Ports 2 and 3 are configured as Access Ports for VLAN 10 (192.168.10.0/24)
- Port 8 is configured as Trunk Port to send to an Access Point (VLANS 5,10)
- It's also using switch chip
What is working?
- Access point is connected to port 8 from CRS109 and receives every VLAN and is working great (trunk port)
- A Windows PC connected to port 2 of the CRS109 (access port) receives an IP address from VLAN 10 and has internet
- A Linux PC (Raspberry PI) is connected to port 3 from CRS109 (access port), and receives an IP address from VLAN10
Issues:
- The Linux PC (Raspberry Pi) connected to port 2 of the CRS109 (access port) DOES NOT ping the gateway and DOES NOT have an internet connection
- When I sniff ARP on the Linux PC, the frames still arrive carrying an 802.1Q tag (VLAN ID 10), i.e. the access port is delivering tagged frames (screenshot attached). (Note: many Windows NIC drivers silently strip 802.1Q tags, which may be why the Windows PC on the same kind of port appears to work.)
What did I try?
- I tried to create VLANs in router (HAP AC2), and assign them to interface (Port 5) -> Same result
- I tried an egress VLAN translation on the CRS-109 access ports (VID 10 -> 0, i.e. strip the tag) -> the PC still receives tagged frames
# Egress translation tried on the CRS-109 access ports: rewrite customer VID 10 to 0
# (untagged) on egress. Shown disabled in the full switch export further down.
/interface ethernet switch egress-vlan-translation
add customer-vid=10 new-customer-vid=0 ports=ether2,ether3,ether4
- Router config (HAP AC2); the switch config (CRS-109) follows it
# hAP ac2 (router). VLAN tagging is done by the Atheros 8327 switch chip; the bridge
# PT_VLAN only holds ether5 (trunk to the CRS-109) and carries the three routed VLAN
# interfaces. ether1 is the WAN uplink (DHCP client below).
/interface bridge
add name=PT_VLAN
# Routed VLAN interfaces on the bridge: each gets an address, a pool and a DHCP server.
/interface vlan
add interface=PT_VLAN name=vlan_5 vlan-id=5
add interface=PT_VLAN name=vlan_10 vlan-id=10
add interface=PT_VLAN name=vlan_99 vlan-id=99
# Switch-chip port settings, addressed by 0-based port index (presumably 4 = ether5,
# 5 = switch1-cpu on this model - confirm with "/interface ethernet switch port print").
# ether5: secure VLAN mode, tag added to untagged ingress frames; CPU port: secure mode.
/interface ethernet switch port
set 4 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
# Interface lists used by the firewall rules below.
# NOTE(review): only the PT_VLAN bridge is added to LAN (see /interface list member);
# vlan_5, vlan_10 and vlan_99 are not. Packets that enter through a VLAN interface are
# seen by the IP firewall with in-interface=vlan_X, so the final input rule
# "drop all not coming from LAN" would drop DNS/Winbox/SSH requests to the router
# from the VLANs (DHCP and ICMP still work: DHCP server traffic bypasses the filter,
# ICMP is accepted explicitly) - confirm, and add the VLAN interfaces to LAN if so.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_pool_10 ranges=192.168.10.50-192.168.10.254
add name=dhcp_pool_99 ranges=192.168.99.50-192.168.99.254
add name=dhcp_pool_5 ranges=192.168.5.50-192.168.5.254
/ip dhcp-server
add address-pool=dhcp_pool_10 disabled=no interface=vlan_10 name=dhcp_10
add address-pool=dhcp_pool_99 disabled=no interface=vlan_99 name=dhcp_99
add address-pool=dhcp_pool_5 disabled=no interface=vlan_5 name=dhcp_5
# The trunk port is the only bridge member.
/interface bridge port
add bridge=PT_VLAN interface=ether5
# Switch-chip VLAN table: VLANs 5, 10 and 99 exist only on the trunk (ether5) and the
# CPU port; independent-learning=no means MAC learning is shared across VLANs.
/interface ethernet switch vlan
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=5
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=99
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=PT_VLAN list=LAN
# Gateway addresses for the three VLANs.
/ip address
add address=192.168.10.1/24 interface=vlan_10 network=192.168.10.0
add address=192.168.5.1/24 interface=vlan_5 network=192.168.5.0
add address=192.168.99.1/24 interface=vlan_99 network=192.168.99.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
# No dns-server is set per network; presumably clients receive the router's own address
# as resolver (RouterOS does that when allow-remote-requests=yes) - verify on a client.
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.10.0/24 gateway=192.168.10.1
# Router acts as DNS resolver for the LAN; exposure to WAN is prevented by the input
# rules below.
/ip dns
set allow-remote-requests=yes
# Input chain (traffic to the router itself).
# NOTE(review): the two "DROP External DNS Requests" rules have no dst-port, so they
# drop ALL new UDP/TCP from WAN, not just DNS. Harmless (the last input rule drops
# everything not from LAN anyway) but the comments are misleading.
# Forward chain (traffic through the router).
# NOTE(review): there is no rule limiting traffic between the VLANs, so the chain's
# default (accept) applies: VLAN 5 and VLAN 10 hosts can reach the management
# network 192.168.99.0/24, including the CRS-109 at 192.168.99.2. If VLAN 99 is meant
# to be a protected management VLAN, add something like
#   add action=drop chain=forward connection-state=new in-interface=!vlan_99 out-interface=vlan_99
# (a new-state drop can sit after the fasttrack/established rules, which only match
# established/related traffic).
# The two "IPSEC policy in/out" rules duplicate the defconf "accept in/out ipsec policy"
# rules that follow them; one pair can be removed.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="DROP External DNS Requests (UDP)" in-interface-list=WAN protocol=udp
add action=drop chain=input comment="DROP External DNS Requests (TCP)" in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="IPSEC policy in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPSEC policy out" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT for everything leaving via WAN (all three VLANs share the WAN address).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# CRS-109 (managed switch). VLANs are handled by the switch chip; all user ports sit in
# one bridge (PT_VLAN) so the hardware VLAN tables apply. Only VLAN 99 is terminated on
# the switch itself, for management.
/interface bridge
add name=PT_VLAN
# Leftover default bridge; it has no ports in this export.
add admin-mac=E4:8D:8C:9D:D7:58 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp1 ] auto-negotiation=no
# Management interface of the switch (VLAN 99 on the bridge).
/interface vlan
add interface=PT_VLAN name=vlan_99 vlan-id=99
# Ingress check: drop frames whose VID is not in the switch VLAN table for the port.
# NOTE: ether7 is used in the VLAN tables below but is neither listed here nor in the
# bridge; ether5 is a bridge port but appears in no VLAN entry at all - it is unclear
# which VLAN an untagged frame entering ether5 would land in; confirm or remove it.
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether3,ether4,ether8,sfp1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Unused defconf pool (no DHCP server is defined on the switch).
/ip pool
add name=default-dhcp ranges=192.168.69.50-192.168.69.254
/interface bridge port
add bridge=PT_VLAN comment=defconf interface=ether2
add bridge=PT_VLAN comment=defconf interface=ether3
add bridge=PT_VLAN comment=defconf interface=ether4
add bridge=PT_VLAN comment=defconf interface=ether5
add bridge=PT_VLAN comment=defconf interface=ether8
add bridge=PT_VLAN comment=defconf interface=sfp1
# NOTE(review): LAN = the PT_VLAN bridge, so neighbor discovery (MNDP/LLDP) is sent on
# every bridge port, including the VLAN 10 access ports. Restricting it to vlan_99 keeps
# the switch's identity/version out of user VLANs.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Egress tagging: VLAN 5/10/99 leave ether7, ether8 and sfp1 tagged (trunks); 99 is also
# tagged toward the CPU for vlan_99. The access ports ether2-4 are NOT listed for VLAN 10,
# so by this table VLAN 10 should leave them untagged - if the Pi still sees an 802.1Q
# tag with VID 10, check that the running config matches this export.
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether7,ether8,sfp1 vlan-id=10
add tagged-ports=ether7,ether8,sfp1,switch1-cpu vlan-id=99
add tagged-ports=ether7,ether8,sfp1 vlan-id=5
# Translation attempt from the post (VID 10 -> untagged on the access ports), disabled.
/interface ethernet switch egress-vlan-translation
add customer-vid=10 disabled=yes new-customer-vid=0 ports=ether2,ether3,ether4
# Access ports: untagged ingress (customer-vid=0) is mapped to VLAN 10.
# NOTE(review): MikroTik's CRS1xx/2xx VLAN examples set sa-learning=yes on these
# entries; worth comparing if MAC learning on the access ports behaves oddly.
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether4,ether2,ether3
# VLAN membership table. VLAN 10 = access ports + trunks (no CPU: the switch does not
# terminate it); VLAN 99 = trunks + CPU; VLAN 5 = trunks only.
# VLAN 2 is not mentioned anywhere else in the post - presumably stale; remove if unused.
/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether8,sfp1 vlan-id=10
add ports=ether7,ether8,sfp1,switch1-cpu vlan-id=99
add ports=ether7,ether8,sfp1 vlan-id=5
add ports=ether7,ether8,sfp1 vlan-id=2
# Leftover defconf membership: sfp1 (the uplink trunk) is in WAN. The lists are only
# used by neighbor discovery in this export, so it has no firewall effect here.
/interface list member
add comment=defconf interface=sfp1 list=WAN
add interface=PT_VLAN list=LAN
# Switch management address on VLAN 99.
# NOTE(review): this export has no /ip firewall filter and no /ip service address
# restriction, so Winbox/SSH/www/telnet on the switch are reachable from any network the
# router forwards into VLAN 99 (all VLANs, with the router config as posted). At minimum
# restrict them, e.g. "/ip service set winbox,ssh,www address=192.168.99.0/24" and
# disable the services you do not use.
/ip address
add address=192.168.99.2/24 interface=vlan_99 network=192.168.99.0
# The switch only needs to resolve names for itself; allow-remote-requests=yes turns it
# into a DNS forwarder for anyone who can reach it - set to no unless that is intended.
/ip dns
set allow-remote-requests=yes servers=192.168.99.1
# Default route via the router's VLAN 99 address.
/ip route
add distance=1 gateway=192.168.99.1
Thank you in advance! and Merry Christmas!!