laotse
just joined
Topic Author
Posts: 10
Joined: Fri Jan 21, 2022 11:40 am

VLAN Setup hEX & CRS125

Fri Jan 21, 2022 12:21 pm

I'm starting my first setup for a SOHO environment. I intend to use a hEX as router / firewall and a CRS125-24G-1S-RM for distribution to the client devices. I want to use VLAN to separate classes of clients e.g., business workstations, private PC of the kids, common services, etc. The router shall enforce access policies. However, it might not be the best idea to route the NFS / Samba traffic from the CRS to the hEX and back. So any more optimal approach is appreciated.

I roughly followed https://administrator.de/tutorial/mikro ... 67186.html to set up the hEX and https://help.mikrotik.com/docs/display/ ... +switching to set up the CRS. However, I configured the hEX to NAT on the WAN port and of course I used my own VLAN IDs. Attaching my client to ether4, I receive DHCP and can access the internet, hopefully via "clients-trusted-vlan". The next step was to set up a trunk connection between the hEX and the CRS. To me it looks sufficiently similar to the tutorials, but if I try to ping the hEX from the CRS I get "host unreachable".

I have no idea how to further troubleshoot the matter. What am I missing?

Update: Using the setup for the hEX, I made ether2 another tagged port and connected it to a Linux server, where I let the kernel sort out the VLAN. It works perfectly, so I assume that the setup of the hEX is fine. I also found this https://wiki.mikrotik.com/wiki/Manual:C ... s_ports.29 tutorial, but still I cannot ping between the two switches.

This is the relevant part of the hEX configuration:
/interface bridge
add name=vlan-bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=Trunk-eth5
set [ find default-name=ether1 ] name=WAN-eth1
/interface vlan
add interface=vlan-bridge name=admin-vlan vlan-id=110
add interface=vlan-bridge name=clients-trusted-vlan vlan-id=131
add interface=vlan-bridge name=services-vlan vlan-id=115
add interface=vlan-bridge name=vlan1 vlan-id=1
/interface bridge port
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=131
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=110
add bridge=vlan-bridge interface=Trunk-eth5
/interface bridge vlan
add bridge=vlan-bridge tagged=vlan-bridge vlan-ids=1
add bridge=vlan-bridge tagged=vlan-bridge,Trunk-eth5 untagged=ether4 vlan-ids=131
add bridge=vlan-bridge tagged=vlan-bridge,Trunk-eth5 vlan-ids=110
add bridge=vlan-bridge tagged=vlan-bridge,Trunk-eth5 vlan-ids=115
/ip address
add address=172.18.1.1/24 interface=admin-vlan network=172.18.1.0
add address=172.18.32.1/24 interface=clients-trusted-vlan network=172.18.32.0
add address=172.18.16.1/24 interface=services-vlan network=172.18.16.0

And this is the configuration excerpt from the CRS:

/interface bridge add name=vlan-bridge vlan-filtering=yes
/interface vlan
add interface=vlan-bridge name=admin-vlan vlan-id=110
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether9
/interface bridge port
add bridge=vlan-bridge interface=ether1
add bridge=vlan-bridge interface=ether10
add bridge=vlan-bridge interface=ether9
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=110
add tagged-ports=ether1 vlan-id=115
add tagged-ports=ether1 vlan-id=131
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=131 ports=ether9
/interface ethernet switch vlan
add ports=ether1,ether9 vlan-id=131
add ports=ether1,switch1-cpu vlan-id=110
/ip address
add address=172.18.1.2/24 interface=admin-vlan network=172.18.1.0
 
laotse
just joined
Topic Author
Posts: 10
Joined: Fri Jan 21, 2022 11:40 am

Re: VLAN Setup hEX & CRS125

Mon Jan 24, 2022 10:56 am

Having found this https://mikrotik-routeros.com/2019/01/r ... n-v6-43-x/ post and with a decent level of frustration, I configured the CRS very similarly to the hEX, i.e., without any special care for the switch chip. Two observations:
  • It works!
  • The bridge ports have HW Offload set i.e., it seems that the switch chip is used
So I guess that this is the config that I wanted.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: VLAN Setup hEX & CRS125

Mon Jan 24, 2022 1:39 pm

A bridge with vlan-filtering=yes on a CRS1xx/2xx will disable hardware offload. Setting hw=yes on bridge ports only makes the port eligible for hardware offload as long as all the other requirements are met.

In your original CRS configuration you have vlan-filtering=yes so all of the switch configuration rules are ignored, and whilst your latest configuration works it will not be using hardware offload - you will not achieve wire-speed switching between ports.
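
The condition tdw describes can be checked mechanically before a configuration is deployed. The following is an added example, not part of the thread or of any MikroTik tooling: it parses an export and lists the switch-chip entries that are ignored because a bridge has vlan-filtering=yes. The function names are hypothetical, the sample is abbreviated from the CRS excerpt in the first post, and the check assumes the export comes from a CRS1xx/2xx device.

```python
import shlex

# Constructed sample: the CRS excerpt from the first post, abbreviated.
CRS_EXPORT = """\
/interface bridge add name=vlan-bridge vlan-filtering=yes
/interface vlan
add interface=vlan-bridge name=admin-vlan vlan-id=110
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether9
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=110
/interface ethernet switch vlan
add ports=ether1,switch1-cpu vlan-id=110
"""

VERBS = {"add", "set"}


def parse_export(text):
    """Yield (menu, verb, {param: value}) for each add/set entry."""
    menu = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if words[0].startswith("/"):
            # A menu path, optionally followed by a command on the same line.
            cut = next((i for i, w in enumerate(words) if w in VERBS), len(words))
            menu, words = " ".join(words[:cut]), words[cut:]
        if words:
            params = dict(w.split("=", 1) for w in words[1:] if "=" in w)
            yield menu, words[0], params


def ignored_switch_rules(text):
    """Switch-chip entries that have no effect on a CRS1xx/2xx (assumed model)
    because a bridge in the same export has vlan-filtering=yes."""
    entries = list(parse_export(text))
    filtering = any(m == "/interface bridge" and p.get("vlan-filtering") == "yes"
                    for m, _, p in entries)
    if not filtering:
        return []
    return [(m, p) for m, _, p in entries
            if m.startswith("/interface ethernet switch")]
```

On the sample this reports three entries, including the drop-if-invalid-or-src-port-not-member-of-vlan-on-ports setting, which is the one meant to enforce VLAN membership on ingress.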
