AmateurAtMikrotik
just joined
Topic Author
Posts: 3
Joined: Sun Apr 10, 2022 11:54 am

1st "complex" routerOS build issue

Sun Apr 10, 2022 12:04 pm

Hello all, I'm trying to set up a CRS112 to be the core switch of my home network and I've run into a snag. The layout is a Firewall (Internet, DHCP, DNS) to the CRS112 (via ether1, VLANs 20,30,40,50,99). The CRS112 then needs to have those VLANs tagged out to some hAPac2 devices (for wireless and ethernet). If I connect via ether2 I can ping the CRS112 (192.168.99.2) but not the firewall (192.168.99.1).

I've been following https://wiki.mikrotik.com/wiki/Manual:C ... ith_Trunks but I've missed something. Can anyone assist?

# jan/02/1970 01:42:03 by RouterOS 6.49.1
# software id = VN4B-PGTV
#
# model = CRS112-8P-4S
# serial number = ##########
/interface bridge
add admin-mac=C4:AD:34:53:61:B3 auto-mac=no comment=defconf name=bridge
add name=bridge1

/interface vlan
add interface=bridge1 name=VLAN99 vlan-id=99
add interface=bridge name=VLAN20 vlan-id=20
add interface=bridge name=VLAN30 vlan-id=30
add interface=bridge name=VLAN40 vlan-id=40
add interface=bridge name=VLAN50 vlan-id=50

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp

/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
add bridge=bridge1 interface=ether2

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether6,ether7,ether8 vlan-id=20
add tagged-ports=ether1,ether6,ether7,ether8 vlan-id=30
add tagged-ports=ether1,ether6,ether7,ether8 vlan-id=40
add tagged-ports=ether1,ether6,ether7,ether8 vlan-id=50

/interface ethernet switch ingress-vlan-translation
add new-customer-vid=99 ports=ether2
add new-customer-vid=20 ports=ether3,ether4,ether5

/interface ethernet switch vlan
add ports=ether1,ether3,ether4,ether6,ether7,ether8 vlan-id=20
add ports=ether1,ether6,ether7,ether8 vlan-id=30
add ports=ether1,ether6,ether7,ether8 vlan-id=40
add ports=ether1,ether6,ether7,ether8 vlan-id=50
add ports=switch1-cpu,ether1,ether6,ether7,ether8 vlan-id=99

/ip address
add address=192.168.99.2/24 interface=VLAN99 network=192.168.99.0
/ip dns
set servers=192.168.99.1
/ip route
add distance=1 gateway=192.168.99.1
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 1st "complex" routerOS build issue

Sun Apr 10, 2022 4:05 pm

This may be a helpful video, from a certified trainer.
https://www.youtube.com/watch?v=Rj9aPoyZOPo
 
AmateurAtMikrotik
just joined
Topic Author
Posts: 3
Joined: Sun Apr 10, 2022 11:54 am

Re: 1st "complex" routerOS build issue

Mon Apr 11, 2022 7:34 am

Thanks for the suggestion anav. I tried following that video and all was well until the 12:50 mark where my system and his didn't match. I did end up following the YouTube link below from "The Network Trip" and managed to get it working.
https://www.youtube.com/watch?v=swXS4sO8smE
 
AmateurAtMikrotik
just joined
Topic Author
Posts: 3
Joined: Sun Apr 10, 2022 11:54 am

Re: 1st "complex" routerOS build issue

Sat Apr 16, 2022 8:47 am

Just in case this can help someone else. The config below is what I used on a CRS112 and hAP ac2 to get user VLANs, and management IPs with CAPsMAN.
192.168.99.1 is my router/firewall (config not included)
192.168.99.2 is my CRS112 switch/PoE supply, and CAPsMAN.
Port 1 goes to 192.168.99.1 with all the VLANs
Ports 2,3,4 are for user devices / VLAN 20
Ports 5,6,7,8 are for the hAP ac2 devices to connect to.
192.168.99.3+ are my Wireless AP/PoE switches

VLAN 99 is for switch communications.

This config is functional but may need extra bits around the user credentials, and doesn't have any additional security features (cross VLAN traffic is via the router/firewall). For the CRS112 I recommend connecting via the console port so you don't lose your connection.

############# CRS112 config
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] loop-protect=off
/interface vlan
add interface=bridge name=vlan99 vlan-id=99
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5 mac-level-isolation=no


/interface bridge port
add bridge=bridge edge=no interface=ether1 point-to-point=no
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8

## Assign outbound/egress VLANs
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether5,ether6,ether7,ether8 vlan-id=20
add tagged-ports=ether1,ether5,ether6,ether7,ether8 vlan-id=30
add tagged-ports=ether1,ether5,ether6,ether7,ether8 vlan-id=40
add tagged-ports=switch1-cpu,ether1,ether6,ether7,ether8 vlan-id=99
add tagged-ports=ether1,ether6,ether7,ether8 vlan-id=1

## Assign inbound/ingress VLANs
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=20 ports=ether4
add customer-vid=0 new-customer-vid=20 ports=ether2

## Assign ports to VLANs
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-id=20
add ports=ether1,ether5,ether6,ether7,ether8 vlan-id=30
add ports=ether1,ether5,ether6,ether7,ether8 vlan-id=40
add ports=switch1-cpu,ether1,ether6,ether7,ether8 vlan-id=99

## Assign IP address (management) to a VLAN
/ip address
add address=192.168.99.2/24 interface=vlan99 network=192.168.99.0

# CAPsMAN Bits, with my locality setup for Australia update it for your location.
/caps-man configuration
add country=australia datapath.interface-list=all datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=use-tag distance=\
    indoors installation=indoor name=Config_homeusers security.authentication-types=wpa2-psk ssid=homeusers
add country=australia datapath.interface-list=all datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag distance=\
    indoors installation=indoor name=Config_guests security.authentication-types=wpa2-psk ssid=guests
add country=australia datapath.interface-list=all datapath.local-forwarding=no datapath.vlan-id=40 datapath.vlan-mode=use-tag distance=indoors \
    hide-ssid=yes installation=indoor name=Config_IoT security.authentication-types=wpa2-psk ssid=IoT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp

/caps-man manager
set enabled=yes
/caps-man manager interface
add disabled=no interface=ether6
add disabled=no interface=ether7
add disabled=no interface=ether8
add disabled=no interface=bridge

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_homeusers slave-configurations=Config_guests,Config_IoT

############# hAP ac2 configs

## Setup the bridge
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface wireless

## Setup the VLANs. VLAN 20 is made available on the 4 ethernet ports on the device.
/interface vlan
add interface=bridge1 name=mgmt vlan-id=99
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=20
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
add bridge=bridge1 tagged=ether1 vlan-ids=40
add bridge=bridge1 tagged=ether1 vlan-ids=30

## Setup the wireless as a CAP, and to talk to the CAPsMAN via an IP address.
/interface wireless cap
set bridge=bridge1 caps-man-addresses=192.168.99.2 enabled=yes interfaces=wlan1,wlan2

## Assign the IP address to the device, the IP address needs to be changed so there are no duplicates.
/ip address
add address=192.168.99.3/24 interface=mgmt network=192.168.99.0

/ip route
add distance=1 gateway=192.168.99.1

############# General config on all devices, for my locality in Australia

/ip dns
set servers=8.8.8.8,1.1.1.1
/ip route
add distance=1 gateway=192.168.99.1
/system clock
set time-zone-name=Australia/Sydney
/system ntp client
set enabled=yes server-dns-names=au.pool.ntp.org
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
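
An added example, not part of the original post and not MikroTik tooling: a small Python check that parses the CRS112 switch-chip lines from the config above and reports VLAN member ports that are missing from the drop-if-invalid-or-src-port-not-member-of-vlan-on-ports list, plus egress-tagged VLAN IDs that have no VLAN table entry. The function names are hypothetical; the embedded export lines are copied from the post.

```python
import re
from collections import defaultdict

# Subset of the CRS112 export from the post above (copied, not constructed).
EXPORT = """\
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5 mac-level-isolation=no
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether5,ether6,ether7,ether8 vlan-id=20
add tagged-ports=ether1,ether5,ether6,ether7,ether8 vlan-id=30
add tagged-ports=ether1,ether5,ether6,ether7,ether8 vlan-id=40
add tagged-ports=switch1-cpu,ether1,ether6,ether7,ether8 vlan-id=99
add tagged-ports=ether1,ether6,ether7,ether8 vlan-id=1
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-id=20
add ports=ether1,ether5,ether6,ether7,ether8 vlan-id=30
add ports=ether1,ether5,ether6,ether7,ether8 vlan-id=40
add ports=switch1-cpu,ether1,ether6,ether7,ether8 vlan-id=99
"""

def parse_export(text):
    """Return {menu path: [{key: value} for each add/set line under it]}."""
    menus, path = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            menus[path].append(dict(re.findall(r"([\w.-]+)=(\S+)", line)))
    return menus

def audit(text):
    m = parse_export(text)
    sw = "/interface ethernet switch"
    table = {e["vlan-id"]: set(e["ports"].split(",")) for e in m[sw + " vlan"]}
    members = set().union(*table.values()) - {"switch1-cpu"}
    filtered = set()
    for e in m[sw]:
        key = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"
        filtered |= set(e.get(key, "").split(",")) - {""}
    tagged = {e["vlan-id"] for e in m[sw + " egress-vlan-tag"]}
    return {
        "unfiltered_ports": sorted(members - filtered),
        "egress_vlans_not_in_table": sorted(tagged - set(table), key=int),
    }

if __name__ == "__main__":
    print(audit(EXPORT))
```
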
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: 1st "complex" routerOS build issue

Sat Apr 16, 2022 10:54 am

Do use code display tags please
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: 1st "complex" routerOS build issue

Sat Apr 16, 2022 3:22 pm

If you do actually use capsman on such a slow device as a crs112, I would suggest not using capsman forwarding.
