holvoetn
Forum Guru
Topic Author
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

ROS7 - VLAN Switch chip

Sun May 15, 2022 12:23 am

Trying to get my head around VLANs using switch chip.

Using bridge I think I got it figured out, as in: it works.
But the CPU load is noticeable.
btest between both ac3's gives me max 560 Mbps, CPU hovering around 50-70% on both sides.
(I know, I know, shouldn't be testing directly between those devices ...)

Since ROS7 allows HW offload using switch chip, I tried using it but somehow it doesn't work...
Used these instructions;
https://help.mikrotik.com/docs/display/ ... switchchip

Setup:
Hex connected to ISP modem, handing out subnet 192.168.2.0/24
hAP AC3 (AC3-1, ROS7), connected to Hex via hub on ether1, using port5 for POE to another hAP AC3 (AC3-2, Ros6).
ether5 is untagged vlan30 with subnet 192.168.30.0/24 and DHCP server (at least, that is the intention...).
Second AC3 is pretty default configured, access port on ether1. DHCP client on ether1.
On AC3-1, 2 subnets. One coming from Hex further up, second on VLAN30.
hAP AC3 has Atheros8327 switch chip so it should be able to handle the VLAN stuff.

When using bridge based VLAN, I get an IP address from VLAN30 pool. Nicely as intended.
When using switch based VLAN, I either get no IP, no connection, or (as config is now) address from Hex range.

Where am I going wrong with that switch setup ?

Config attached (removed everything wifiwave2 related for now, I first want to see how this works using regular ethernet ports)
# may/14/2022 23:02:40 by RouterOS 7.3beta40
# software id = LB29-6B5U
#
# model = RBD53iG-5HacD2HnD
# serial number = <edited>
/interface bridge
add comment=defconf name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] disabled=yes
/interface vlan
add interface=bridge1 name=VLAN30 vlan-id=30
/interface ethernet switch port
set 4 default-vlan-id=30 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=VLAN30 ranges=192.168.30.100-192.168.30.199
/ip dhcp-server
add address-pool=VLAN30 interface=VLAN30 name=VLAN30
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether1
/interface ethernet switch vlan
add independent-learning=yes ports=ether5,ether1,switch1-cpu switch=switch1 vlan-id=30
/interface list member
add comment=defconf interface=bridge1 list=LAN
add interface=ether1 list=LAN
add interface=VLAN30 list=LAN
/ip address
add address=192.168.2.3/24 comment=defconf interface=bridge1 network=192.168.2.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip dhcp-server network
add address=192.168.30.0/32 dns-server=192.186.2.1 gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.91,192.168.2.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept Winbox from LAN" dst-port=8291 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=hAPAC3
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: ROS7 - VLAN Switch chip

Sun May 15, 2022 12:28 am

Think you are trying both bridge and switch vlan filtering. Think bridge should not have vlan filtering active.
 
holvoetn
Forum Guru
Topic Author
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ROS7 - VLAN Switch chip

Sun May 15, 2022 12:43 am

Damn, leftover from previous config. Good catch !
Removed it.

Still the same. IP address from Hex range comes through.
 
holvoetn
Forum Guru
Topic Author
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ROS7 - VLAN Switch chip

Sun May 15, 2022 9:58 am

Strange thing, when I remove switch cpu from the vlan config, all access via romon to ac3-2 is lost.

Why is that ?
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: ROS7 - VLAN Switch chip

Sun May 15, 2022 10:54 am

Not sure why, I know that it shouldn't be there (as well):
/interface vlan
add interface=bridge1 name=VLAN30 vlan-id=30

Can you please make a network diagram to show what you are trying to accomplish?
 
holvoetn
Forum Guru
Topic Author
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ROS7 - VLAN Switch chip

Sun May 15, 2022 2:42 pm

Not sure why, I know that it shouldn't be there (as well):
/interface vlan
add interface=bridge1 name=VLAN30 vlan-id=30
Removed as well for testing. No difference.
BUT ... if that VLAN interface is not there anymore, how should the DHCP server work then ?? It needs an interface to be attached to.
For an access port that could possibly be the corresponding physical port but what with a trunk port ?
I think it needs to be connected on the bridge. The examples shown on Help pages using switch for MGMT interface also have this VLAN interface connected to bridge.
Activated again.

I'll post latest config and drawing later today.
 
holvoetn
Forum Guru
Topic Author
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ROS7 - VLAN Switch chip

Mon May 16, 2022 11:36 am

Drawing:

ISP modem
Connected to Hex
Hex to hAP AC3-1 (with hub in between, not shown for simplicity)
hAP AC3-1 ether5 configured as VLAN30, POE out. DHCP server configured on VLAN30
hAP AC3-2 blank config, DHCP client on ether1 so I would like to see it get an IP address from VLAN30-pool

I first would like to understand how it works for 1 switch port.
Bridge VLAN I have setup already, that works.

Next step I would like to understand is how to use wifiwave2 port with VLANs on hAP AC3-1. But my guess is this would not be possible using switch (since only HW ether ports are available there to select from).
So bridge VLAN only ?
And then gradually grow (I already have the final config in my head, it will start from Hex).

But I first want to understand the basic building block using switch ... (and yes, I know the switch on Hex is different from AC3)
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: ROS7 - VLAN Switch chip

Mon May 16, 2022 1:16 pm

What is the purpose of using a VLAN in between the two hAP ac 3's?
 
holvoetn
Forum Guru
Topic Author
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ROS7 - VLAN Switch chip

Mon May 16, 2022 1:47 pm

What is the purpose of using a VLAN in between the two hAP ac 3's?
Errm ... to learn how it needs to be done ?
It's a test setup.

Ultimately there will be a larger setup with all regular wireless being on separate VLAN, Guest on separate VLAN, IOT-wifi on separate VLAN, all "normal" devices on separate VLAN...
But I first need to learn how to walk before I run, no ?
And I am not sure either if my Hex will survive in that final setup or if it will be replaced with AC3.

I know the concepts how to do it using Bridge VLAN approach. Already did a POC with that approach and it works.
I want to learn how to do it using switch VLAN approach.
If AC3-2 is getting a DHCP lease from HEX bypassing AC3-1, something is not correct with the VLAN settings for that part. I want to know what.
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: ROS7 - VLAN Switch chip

Mon May 16, 2022 3:14 pm

Okay, makes sense. And only want to help you!

I used this help page to configure my hEX POE switches:
https://help.mikrotik.com/docs/display/ ... +switching

But you already linked that URL.

And regarding a previous remark: I think you have to configure the VLANs on the bridge as well. That is required to be able to bind the DHCP server to the corresponding interfaces.
 
holvoetn
Forum Guru
Topic Author
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ROS7 - VLAN Switch chip

Mon May 16, 2022 3:17 pm

And only want to help you!
I know, it's appreciated !
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: ROS7 - VLAN Switch chip

Mon May 16, 2022 3:25 pm

hAP AC3-2 blank config, DHCP client on ether1 so I would like to see it get an IP address from VLAN30-pool
I think you should have a VLAN tagged (trunk) port on the hAP AC3-2. Or make the ether5 on the hAP AC3-1 an access port.
 
holvoetn
Forum Guru
Topic Author
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ROS7 - VLAN Switch chip

Mon May 16, 2022 3:30 pm

hAP AC3-2 blank config, DHCP client on ether1 so I would like to see it get an IP address from VLAN30-pool
I think you should have a VLAN tagged (trunk) port on the hAP AC3-2. Or make the ether5 on the hAP AC3-1 an access port.
Thát last part I was already aware of :lol:
And I was able to do so using the Bridge VLAN approach. But how does it need to be done using the switch approach ?
That's basically where I am lost in the woods ...

As far as I understood, if on AC3-1 it's defined as an access port, nothing else needs to be done on whatever you connect to it downstream. AC3-2 or whatever other ethernet equipment.
And otherwise I don't understand what the use would be of an access port.

Trunk port, that's something else. But access port ?
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: ROS7 - VLAN Switch chip

Mon May 16, 2022 3:43 pm

Agree!

You have found the "More detailed examples can be found here." link?
https://help.mikrotik.com/docs/display/ ... upExamples
 
holvoetn
Forum Guru
Topic Author
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: ROS7 - VLAN Switch chip

Mon May 16, 2022 3:55 pm

Agree!

You have found the "More detailed examples can be found here." link?
https://help.mikrotik.com/docs/display/ ... upExamples
I did but those examples all go from access to trunk port.
I don't have (for now) a trunk port so I'm not sure what needs to be used for this part in my case
/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=200
add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=300
add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=400
Currently I have this on AC3-1 and the moment I remove switch-cpu, I lose ROMON access to that device.
Removing ether1 does not make a difference.
Using a separate ethernet cable on AC3-2 connected to my PC, I could winbox back in, but no IP lease was given to ether1 port on that device.
/interface ethernet switch vlan
add independent-learning=yes ports=ether5,ether1,switch1-cpu switch=switch1 vlan-id=30
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: ROS7 - VLAN Switch chip

Mon May 16, 2022 6:13 pm

switch1-cpu is the internal ethernet connection between the CPU and switch, without that there is no connection from the external ports through the switch to the CPU for management access.

There have been odd interactions when only some ports are configured for 802.1Q VLANs as the other ports are still operating using port-based VLANs to multiplex the traffic from the external ports over the single internal link to the CPU. You could try setting vlan-mode=fallback on all the other ports, or vlan-mode=secure on all together with a switch VLAN for the default-vlan-id:
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1,ether2,ether3,ether4 switch=switch1 vlan-id=1
Or it may be yet another RouterOS 7 bug.
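
An added example, not part of any post in this thread: a small Python check over a RouterOS export that flags the three conditions raised in the replies above (bridge vlan-filtering left on alongside switch-chip VLAN entries, a switch VLAN entry without switch1-cpu, and only some bridge ports set to vlan-mode=secure). The sample export is constructed from the config in the first post, and the finding names are hypothetical labels chosen for this sketch.

```python
import re

# Constructed sample: trimmed from the export in the first post, with
# switch1-cpu removed from the switch VLAN entry to show that finding.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=VLAN30 vlan-id=30
/interface ethernet switch port
set 4 default-vlan-id=30 vlan-mode=secure
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether5
/interface ethernet switch vlan
add independent-learning=yes ports=ether5,ether1 switch=switch1 vlan-id=30
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Map each '/section' line to a list of key=value dicts from its add/set lines."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.split(" ", 1)[0] in ("add", "set"):
            current.append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections

def lint_switch_vlans(text):
    """Return finding names (hypothetical labels) for the issues raised in the thread."""
    s = parse_export(text)
    sw_vlans = s.get("/interface ethernet switch vlan", [])
    table = {e.get("vlan-id"): e.get("ports", "").split(",") for e in sw_vlans}
    findings = []
    # erlinden: bridge VLAN filtering left on while switch-chip VLAN entries exist.
    if sw_vlans and any(b.get("vlan-filtering") == "yes"
                        for b in s.get("/interface bridge", [])):
        findings.append("bridge-and-switch-filtering")
    # tdw: without switch1-cpu there is no path from the external ports to the CPU.
    for v in s.get("/interface vlan", []):
        vid = v.get("vlan-id")
        if vid in table and "switch1-cpu" not in table[vid]:
            findings.append(f"vlan-{vid}-missing-switch1-cpu")
    # tdw: only some ports in 802.1Q mode has caused odd interactions.
    secure = [p for p in s.get("/interface ethernet switch port", [])
              if p.get("vlan-mode") == "secure"]
    if secure and len(secure) < len(s.get("/interface bridge port", [])):
        findings.append("mixed-vlan-mode")
    return findings

if __name__ == "__main__":
    print(lint_switch_vlans(SAMPLE_EXPORT))
```

The mixed-mode finding compares counts only, so it is a prompt to review the port list rather than proof of a misconfiguration.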