miki1982es
just joined
Topic Author
Posts: 1
Joined: Fri Dec 24, 2021 9:33 am

CRS109 VLANS issue - untagged are tagged

Fri Dec 24, 2021 11:20 am

Good morning everyone!

I'm trying to implement a basic VLAN configuration with:
- A Mikrotik HAP AC2 as a router, DHCP server (switch chip Atheros 8327) (config attached)
- A Mikrotik CRS-109 as managed switch (config attached)

VLANS:
- VLAN 5: It will be used for Access Point that is connected to Mikrotik CRS-109 (192.168.5.0/24)
- VLAN 10: It will be used for every PC wired connected to CRS-109 (192.168.10.0/24)
- VLAN 99: It will be used as managed network (192.168.99.0/24)

Mikrotik HAP AC2:
- Connects to ISP router/modem, and with a dynamic IP address (192.168.0.2/24)
- Creates 3 VLANS and provides a dynamic IP to every of them (as DHCP server).
- Connects to managed switch through a trunk port and send the three VLANS (55,10,99) through port 5
- For VLANS, I'm using switch chip (Atheros 8327)

Mikrotik CRS-109:
- It receives the 3 VLANS (5,10,99) through port SFP1. This port (SFP1) is configured as Trunk Port
- Ports 2 and 3 are configured as Access Ports for VLAN 10 (192.168.10.0/24)
- Port 8 is configured as Trunk Port to send to an Access Point (VLANS 5,10)
- It's also using switch chip

What is working?
- Access point is connected to port 8 from CRS109 and receives every VLAN and is working great (trunk port)
- A Windows PC is connected to port 2 from CRS109 (access port), receives an IP address from VLAN 10, and has internet
- A Linux PC (Raspberry PI) is connected to port 3 from CRS109 (access port), and receives an IP address from VLAN10

Issues:
- Linux PC (Raspberry PI) connected to port 2 from CRS109 (access port), DOES NOT ping gateway and DOES NOT have internet connection
- When I sniff ARP in Linux PC, I see that VLAN 10 seems to be tagged (802.1Q ID=10) (snapshot attached)

What did I try?
- I tried to create VLANs in router (HAP AC2), and assign them to interface (Port 5) -> Same result

- I tried to use "Eg. VLAN Translation" from CRS-109 -> still receives tagged info

/interface ethernet switch egress-vlan-translation
add customer-vid=10 new-customer-vid=0 ports=ether2,ether3,ether4

Configuration:
- Router config (HAP AC2)

/interface bridge
add name=PT_VLAN
/interface vlan
add interface=PT_VLAN name=vlan_5 vlan-id=5
add interface=PT_VLAN name=vlan_10 vlan-id=10
add interface=PT_VLAN name=vlan_99 vlan-id=99
/interface ethernet switch port
set 4 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp_pool_10 ranges=192.168.10.50-192.168.10.254
add name=dhcp_pool_99 ranges=192.168.99.50-192.168.99.254
add name=dhcp_pool_5 ranges=192.168.5.50-192.168.5.254
/ip dhcp-server
add address-pool=dhcp_pool_10 disabled=no interface=vlan_10 name=dhcp_10
add address-pool=dhcp_pool_99 disabled=no interface=vlan_99 name=dhcp_99
add address-pool=dhcp_pool_5 disabled=no interface=vlan_5 name=dhcp_5
/interface bridge port
add bridge=PT_VLAN interface=ether5
/interface ethernet switch vlan
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=5
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=99
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=PT_VLAN list=LAN
/ip address
add address=192.168.10.1/24 interface=vlan_10 network=192.168.10.0
add address=192.168.5.1/24 interface=vlan_5 network=192.168.5.0
add address=192.168.99.1/24 interface=vlan_99 network=192.168.99.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="DROP External DNS Requests (UDP)" in-interface-list=WAN protocol=udp
add action=drop chain=input comment="DROP External DNS Requests (TCP)" in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="IPSEC policy in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPSEC policy out" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

- Switch config (CRS 109)

/interface bridge
add name=PT_VLAN
add admin-mac=E4:8D:8C:9D:D7:58 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp1 ] auto-negotiation=no
/interface vlan
add interface=PT_VLAN name=vlan_99 vlan-id=99
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether3,ether4,ether8,sfp1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.69.50-192.168.69.254
/interface bridge port
add bridge=PT_VLAN comment=defconf interface=ether2
add bridge=PT_VLAN comment=defconf interface=ether3
add bridge=PT_VLAN comment=defconf interface=ether4
add bridge=PT_VLAN comment=defconf interface=ether5
add bridge=PT_VLAN comment=defconf interface=ether8
add bridge=PT_VLAN comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether7,ether8,sfp1 vlan-id=10
add tagged-ports=ether7,ether8,sfp1,switch1-cpu vlan-id=99
add tagged-ports=ether7,ether8,sfp1 vlan-id=5
/interface ethernet switch egress-vlan-translation
add customer-vid=10 disabled=yes new-customer-vid=0 ports=ether2,ether3,ether4
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether4,ether2,ether3
/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether8,sfp1 vlan-id=10
add ports=ether7,ether8,sfp1,switch1-cpu vlan-id=99
add ports=ether7,ether8,sfp1 vlan-id=5
add ports=ether7,ether8,sfp1 vlan-id=2
/interface list member
add comment=defconf interface=sfp1 list=WAN
add interface=PT_VLAN list=LAN
/ip address
add address=192.168.99.2/24 interface=vlan_99 network=192.168.99.0
/ip dns
set allow-remote-requests=yes servers=192.168.99.1
/ip route
add distance=1 gateway=192.168.99.1

Could anyone help me see the way to send REAL untagged information to the Access port (as it should be)?

Thank you in advance! and Merry Christmas!!
 
emunt6
Frequent Visitor
Posts: 90
Joined: Fri Feb 02, 2018 7:00 pm

Re: CRS109 VLANS issue - untagged are tagged

Sun Jan 16, 2022 4:14 pm

Hi!

This switch doesn't have a "real" switch-chip (CRS109 switch-ASIC: Qualcomm QCA-XXX) like the other CRS switches (CRS3xx: switch-ASIC: Marvell DX), so the "bridge-filter" will not work.
Your configuration is not wrong, but your device physically cannot do what you are asking of it.
Your configuration needs to change to the "CPU" based VLAN filtering (it will be slow).

Here is the proof:
1. https://fccid.io/TV7CRS109-8G2HND/Inter ... os-2269918
2. https://help.mikrotik.com/docs/display/ ... Offloading
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS109 VLANS issue - untagged are tagged

Sun Jan 16, 2022 5:03 pm

Some errors noted..........
Mikrotik HAP AC2:
- Connects to ISP router/modem, and with a dynamic IP address (192.168.0.2/24)
- Creates 3 VLANS and provides a dynamic IP to every of them (as DHCP server).
- Connects to managed switch through a trunk port and send the three VLANS (55,10,99) through port 5 should be vlan 5?
- For VLANS, I'm using switch chip (Atheros 8327)

- Port 8 is configured as Trunk Port to send to an Access Point (VLANS 5,10) MISSING 99.
The smart access point also needs an IP address from the management network.
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CRS109 VLANS issue - untagged are tagged

Sun Jan 16, 2022 5:56 pm

This switch doesn't have a "real" switch-chip (CRS109 switch-ASIC: Qualcomm QCA-XXX) like the other CRS switches (CRS3xx: switch-ASIC: Marvell DX), so the "bridge-filter" will not work.
Your configuration is not wrong, but your device physically cannot do what you are asking of it.
Your configuration needs to change to the "CPU" based VLAN filtering (it will be slow).

This is incorrect, the CRS109 has a separate switch chip https://i.mt.lv/cdn/product_files/CRS10 ... 150452.png which is configured as described here https://wiki.mikrotik.com/wiki/Manual:C ... s_examples

Nothing immediately jumps out as being incorrect with the OP's switch setup. As the hAP appears to only be using one port on the 'LAN' side then using the switch chip is pointless as all the traffic is handled by the CPU in any case, using a VLAN-aware bridge would be more straightforward / less prone to error.
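
An added example, not written by any poster in this thread: a small Python audit that reads the egress-vlan-tag, ingress-vlan-translation and vlan menus of a CRS1xx/2xx export and reports, per VLAN, which ports those tables mark as tagged or untagged on egress. The sample input is constructed from the CRS109 export posted above, the function names are hypothetical, and treating a member port that is absent from tagged-ports as untagged is this example's reading of those menus.

```python
import re
from collections import defaultdict
# Constructed sample: three switch-chip menus taken from the CRS109 export in the thread.
EXPORT = """\
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether7,ether8,sfp1 vlan-id=10
add tagged-ports=ether7,ether8,sfp1,switch1-cpu vlan-id=99
add tagged-ports=ether7,ether8,sfp1 vlan-id=5
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether4,ether2,ether3
/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether8,sfp1 vlan-id=10
add ports=ether7,ether8,sfp1,switch1-cpu vlan-id=99
add ports=ether7,ether8,sfp1 vlan-id=5
add ports=ether7,ether8,sfp1 vlan-id=2
"""

def parse(export):
    """Return {menu name: [settings dict per enabled 'add' line]}."""
    menus, menu = defaultdict(list), None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            menu = line.rsplit(" ", 1)[-1]  # last word of the menu path
        elif line.startswith("add ") and "disabled=yes" not in line:  # skip disabled rules
            menus[menu].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def egress_modes(export):
    """Map vlan-id -> {port: 'tagged' | 'untagged' | 'tagged-not-member'}."""
    menus, member, tagged = parse(export), defaultdict(set), defaultdict(set)
    for e in menus["vlan"]:
        member[int(e["vlan-id"])] |= set(e["ports"].split(","))
    for e in menus["egress-vlan-tag"]:
        tagged[int(e["vlan-id"])] |= set(e["tagged-ports"].split(","))
    modes = {}
    for vid in sorted(member.keys() | tagged.keys()):
        m, t = member[vid], tagged[vid]
        modes[vid] = {p: "tagged" if p in m & t else "untagged" if p in m
                      else "tagged-not-member" for p in sorted(m | t)}
    return modes

def untagged_without_ingress_rule(export):
    """(vlan-id, port) pairs that egress untagged but have no 0 -> vlan-id ingress rule."""
    rules = {(int(e["new-customer-vid"]), p) for e in parse(export)["ingress-vlan-translation"]
             if e["customer-vid"] == "0" for p in e["ports"].split(",")}
    return sorted((vid, p) for vid, ports in egress_modes(export).items()
                  for p, mode in ports.items() if mode == "untagged" and (vid, p) not in rules)
if __name__ == "__main__":
    print(egress_modes(EXPORT), untagged_without_ingress_rule(EXPORT))
```

On the posted tables this reports VLAN 2 as having member ports but no egress-vlan-tag entry, and ether7 as tagged for VLAN 10 without being a member of it; the thread does not establish whether either is related to the original problem.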
