innocentdevil
newbie
Topic Author
Posts: 31
Joined: Mon Aug 18, 2014 12:23 pm

Management VLAN Question

Thu May 19, 2022 11:46 pm

So I have an RB2011iL with a fairly standard setup.

I have a Cisco switch sitting behind it, with VLANs as below:

VLAN ID = 9 management
VLAD 1D = 10 Business PCs

My trunk port on the Cisco switch works fine when I leave it on native VLAN 1, however I want to set VLAN 9 as the native VLAN.
When I change the native VLAN on the trunk port to 9, I lose connection.

I have been trying to get it working on the MikroTik by using VLANs on the bridge with PVID 9 filtering, no joy.
I also tried setting it up using Bridge VLANs and manually setting tagged and untagged VLANs and so forth, but failed.

What am I doing wrong?

thank you
 
Buckeye
Forum Veteran
Posts: 886
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Management VLAN Question

Fri May 20, 2022 6:09 am

What am I doing wrong?
Hard to say without seeing the config of the RB2011 and the Cisco.

What exactly do you mean by "lose connection"? Connection to what?

Does the Cisco have an SVI (switch VLAN interface) for VLAN 9? Is VLAN 9 in the Cisco VLAN database?

Does the Cisco have any access ports in VLAN 9? If you connect a PC to a VLAN 9 access port, do you have access to the Cisco management? If not, you need to solve that problem first.

Other than a VLAN mismatch, changing the native VLAN of the trunk port on the Cisco should work regardless of what is connected to it. In fact, if you connect a standard non-VLAN-aware device to the Cisco trunk port, the device should have access to whatever the native VLAN is. But if there is no SVI for that VLAN, you won't be able to log into the switch, since the switch's management "CPU" connection will not be on that VLAN, so there will be no connection.
Last edited by Buckeye on Fri May 20, 2022 11:09 pm, edited 1 time in total.
 
innocentdevil
newbie
Topic Author
Posts: 31
Joined: Mon Aug 18, 2014 12:23 pm

Re: Management VLAN Question

Fri May 20, 2022 5:45 pm

I meant "lose" or "lost" connection if that helps.

I suppose the easiest way to put this would be: if I were to plug a device straight into a bridge port on the MikroTik, I expect it to get an IP from native VLAN 9 if that is set correctly. At the moment this isn't working when I set it to PVID 9, and it works when set to 1.

All VLANs are in Cisco VLAN database.
To answer your trunk port questions:

My Cisco switch is set to Native VLAN ID 9.
Trunk Port (Port 24) with native VLAN set as 1: I get an IP for VLAN 9 (192.168.9.0/24) as default, and if I tag different VLAN IDs I get those IPs too.
Trunk Port (Port 24) with native VLAN set as 9: I do not get anything, nothing, nada, total loss unless I set the Port 24 native VLAN ID to 1.

# may/20/2022 15:42:29 by RouterOS 6.49.6
# software id = M2HJ-YYRV
#
# model = 2011iL
# serial number = 556604073B8E
/interface bridge
add comment=localLAN name=LAN
add comment="used for VLANs" name=VLANs
add comment=INTERNET name=WAN
/interface vlan
add interface=VLANs name=CFB_VLAN vlan-id=15
add interface=VLANs name=Entertainment_VLAN vlan-id=10
add interface=VLANs name=Guest_VLAN vlan-id=11
add interface=VLANs name=Mgmt vlan-id=9
add interface=VLANs name=Workshop_VLAN vlan-id=150
/interface list
add name=list1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,3des hash-algorithm=sha256 name=\
krsms
/ip ipsec peer
add address exchange-mode=ike2 local-address=\
name=officewg profile=krsms
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=krsms pfs-group=\
modp2048
/ip pool
add comment="Management Network" name=MgmtVLAN_pool ranges=\
192.168.9.50-192.168.9.100
add comment="Dial In VPN" name="VPN Pool" ranges=10.10.10.10-10.10.10.30
add comment="Cheap Flights Booker" name=CFB_Pool ranges=\
192.168.15.10-192.168.15.30
add comment="Guest Wifi" name=Guest_Pool ranges=192.168.11.10-192.168.11.50
add comment=TVs,Mobiles name=Entertainment_Pool ranges=\
192.168.10.10-192.168.10.20
add comment=localLAN name=localLAN_pool ranges=192.168.5.10-192.168.5.20
add comment=WorkshopVLAN_Pool name=Workshop_VLAN ranges=\
192.168.150.10-192.168.150.20
/ip dhcp-server
add address-pool=MgmtVLAN_pool disabled=no interface=Mgmt name=MgmtLAN_DHCP
add address-pool=CFB_Pool disabled=no interface=CFB_VLAN name=CFB_DHCP_SRV
add address-pool=Guest_Pool disabled=no interface=Guest_VLAN name=\
GUEST_DHCP_SRV
add address-pool=Entertainment_Pool disabled=no interface=Entertainment_VLAN \
name=Ent_DHCP_SRV
add address-pool=localLAN_pool disabled=no interface=LAN name=localLAN_DHCP
add address-pool=Workshop_VLAN disabled=no interface=Workshop_VLAN name=\
Workshop_DHCP_Srv
/ppp profile
set *FFFFFFFE local-address=MgmtVLAN_pool remote-address="VPN Pool"
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=LAN comment=defconf hw=no interface=ether1
add bridge=LAN comment=defconf hw=no interface=ether2
add bridge=LAN comment=defconf hw=no interface=ether3
add bridge=LAN comment=localLAN hw=no interface=ether4
add bridge=VLANs comment="part of VLANs bridge" hw=no interface=ether6
add bridge=LAN comment=defconf hw=no interface=ether7
add bridge=LAN comment=defconf hw=no interface=ether8
add bridge=WAN comment="Ether9 - VM" hw=no interface=ether9
add bridge=WAN comment="Ether10 - Talktalk FTTC" interface=ether10
add bridge=VLANs comment="part of VLANs bridge" interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=VLANs disabled=yes tagged=\
CFB_VLAN,Guest_VLAN,Entertainment_VLAN,Workshop_VLAN untagged=Mgmt
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.9.1/24 comment="Mgmt VLAN" interface=Mgmt network=\
192.168.9.0
add address=192.168.15.1/24 interface=CFB_VLAN network=192.168.15.0
add address=192.168.10.1/24 interface=Entertainment_VLAN network=192.168.10.0
add address=192.168.11.1/24 interface=Guest_VLAN network=192.168.11.0
add address=192.168.5.1/24 comment="localLAN - not used" interface=LAN \
network=192.168.5.0
add address=192.168.150.1/24 interface=Workshop_VLAN network=192.168.150.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=WAN
# DHCP client can not run on slave interface!
add disabled=no interface=ether5
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1
add address=192.168.9.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.9.1 \
netmask=24
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.11.1
add address=192.168.15.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.15.1
add address=192.168.150.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.150.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add list=vpn_blacklist
add address=115.186.115.79 list=blockedIPs
add address=192.168.150.0/24 list=VLAN150-Workshop
add address=192.168.9.0/24 list=VLAN9-Mgmt
add address=192.168.15.0/24 list=VLAN15-CFB
add address=192.168.10.0/24 list=VLAN10-Ent
/ip firewall filter
add action=accept chain=input comment="allow VMware" disabled=yes protocol=\
tcp src-port=8443
add action=accept chain=forward disabled=yes dst-address=192.168.10.0/24 \
src-address=192.168.9.0/24
add action=accept chain=input disabled=yes dst-address=192.168.10.0/24 \
src-address=192.168.9.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.9.0/24 \
src-address=192.168.10.0/24
add action=accept chain=input disabled=yes dst-address=192.168.9.0/24 \
src-address=192.168.10.0/24
add action=accept chain=forward disabled=yes dst-address-list=VLAN9-Mgmt \
in-interface=VLANs src-address-list=VLAN10-Ent
add action=accept chain=forward connection-state=established,related \
disabled=yes dst-address-list=VLAN9-Mgmt in-interface=VLANs \
src-address-list=VLAN10-Ent
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow ICMP Ping" protocol=icmp
add action=accept chain=input dst-address=192.168.9.0/24 src-address=\
192.168.10.0/24
add action=accept chain=input comment="Allow Winbox" dst-port=8291 protocol=\
tcp
add action=accept chain=input comment="Allow SSH" disabled=yes dst-port=2222 \
protocol=tcp
add action=accept chain=input comment="Accept Established Connections" \
connection-state=established
add action=accept chain=input comment="Accept Related Connections" \
connection-state=related
add action=accept chain=input comment="Allow DNS for Trusted Network" \
dst-port=53 protocol=udp src-address=192.168.9.0/24
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface=WAN protocol=udp
add action=drop chain=input comment="drop PPTP brute force attacks" dst-port=\
1723 protocol=tcp src-address-list=vpn_blacklist
add chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=vpn_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop connection for blockedIPs" \
src-address-list=blockedIPs
add action=drop chain=input comment="Drop Everything Else"
add action=drop chain=forward comment="Drop Invalid Connections" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ether5 \
src-address=192.168.9.89
add action=accept chain=srcnat disabled=yes dst-address=172.16.1.0/24 \
out-interface=LAN src-address=192.168.5.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.10.0/24 \
out-interface=LAN src-address=192.168.9.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.9.0/24 \
src-address=192.168.10.0/24
add action=dst-nat chain=dstnat comment=unifi dst-port=8443 protocol=tcp \
to-addresses=192.168.9.31 to-ports=8443
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
192.168.9.31 to-ports=8080
add action=dst-nat chain=dstnat dst-port=3478 protocol=tcp to-addresses=\
192.168.9.31 to-ports=3478
add action=dst-nat chain=dstnat dst-port=8880 protocol=tcp to-addresses=\
192.168.9.31 to-ports=8880
add action=dst-nat chain=dstnat dst-port=8843 protocol=tcp to-addresses=\
192.168.9.31 to-ports=8843
add action=dst-nat chain=dstnat comment=cctv dst-port=34567 protocol=tcp \
to-addresses=192.168.9.50 to-ports=34567
add action=dst-nat chain=dstnat disabled=yes dst-port=34599 protocol=tcp \
to-addresses=192.168.9.50 to-ports=34599
add action=dst-nat chain=dstnat disabled=yes dst-port=554 protocol=tcp \
to-addresses=192.168.9.50 to-ports=554
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp \
to-addresses=192.168.9.50 to-ports=80
add action=dst-nat chain=dstnat comment=3CX disabled=yes dst-port=5001 \
protocol=tcp to-addresses=192.168.150.20 to-ports=5001
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 protocol=udp \
to-addresses=192.168.150.20 to-ports=5060
add action=dst-nat chain=dstnat disabled=yes dst-port=5090 protocol=udp \
to-addresses=192.168.150.20 to-ports=5090
add action=dst-nat chain=dstnat disabled=yes dst-port=9000-9398 protocol=tcp \
to-addresses=192.168.150.20 to-ports=9000-9398
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add peer=officewg
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Management VLAN Question

Fri May 20, 2022 5:59 pm

Why are you using VLAN1 for anything........... On MT it's the default working in the background and typically is not used to carry data.
I suggest that if you want management VLANs and data VLANs coming into the MT, none of them use VLAN1.

VLAN1 is the native/default VLAN set on most managed devices.
Typically they are members of, but untagged on, all trunk ports (those carrying tagged VLANs).
Typically they are not members and are replaced by the PVID of the VLANs heading to dumb devices { same with hybrid ports }.

Check out these references.
viewtopic.php?t=143620
https://help.mikrotik.com/docs/display/ ... VLAN+Table
 
innocentdevil
newbie
Topic Author
Posts: 31
Joined: Mon Aug 18, 2014 12:23 pm

Re: Management VLAN Question

Fri May 20, 2022 6:31 pm

I am not using VLAN1, and I know it's the default VLAN on most devices.

As an example, in WG it's pretty simple to configure an interface to pass traffic for tagged VLANs and also tell it to allow untagged traffic for one particular VLAN, which is what I am trying to achieve here.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Management VLAN Question

Fri May 20, 2022 10:59 pm

Well, if you haven't figured it out from the references, try again! :-)

By the way, I did see reference to VLAN1 here:
My Cisco switch is set to Native VLAN ID 9.
Trunk Port (Port 24) with native VLAN set as 1: I get an IP for VLAN 9 (192.168.9.0/24) as default, and if I tag different VLAN IDs I get those IPs too.
Trunk Port (Port 24) with native VLAN set as 9: I do not get anything, nothing, nada, total loss unless I set the Port 24 native VLAN ID to 1.
and of course here.
VLAD 1D


In other words, suggesting to set the native VLAN to one on the Cisco so that it's the same as other vendors.............

(1) First mistake, three bridges: the point about VLANs is you only need one bridge in 99% of cases.
And by the way, the local unused subnet I turned into VLAN5, apples to apples, why stick an orange in there???
And by the way, I removed the WAN bridge......
(2) Second mistake, horrible nomenclature, naming a bridge VLANS, or LAN for that matter.
(3) Annoying, sloppy organization, even the VLANs are not ordered: 15, then 9 etc.........
(4) Lack of use of interface lists, so I added real ones (which often can work efficiently with firewall rules):
/interface list
add name=WAN
add name=LAN
add name=Management
(5) Your IP DHCP client config is screwed, which tells one you have some sort of error in that part of the config --- slave error.
It's probably due to your use of bridges for WANs: in bridge ports you identify etherports 9 and 10 as being WAN affiliated.
I want to know how a single DHCP client setting can be used for two interfaces?? And then you add etherport 5 as well (3 WANs??):
add bridge=WAN comment="Ether9 - VM" hw=no interface=ether9
add bridge=WAN comment="Ether10 - Talktalk FTTC" interface=ether10
/ip dhcp-client
add comment=defconf disabled=no interface=WAN
# DHCP client can not run on slave interface!
add disabled=no interface=ether5
(6) BOTH /interface bridge port and /interface bridge vlan settings are nowhere near where they should be............ AND it's not clear where the Cisco switch is involved in all of this.............
You seem to indicate in the text that it's providing all the VLANs, and if so, then one wouldn't provide DHCP on the router.
If not, which etherport is GOING to the Cisco switch??

In other words, you need to detail what is going out on each of etherports 1-8: what each is connected to, a dumb device and on which VLAN, or a managed device and which VLANs are tagged over it, assuming 9 and 10 are used for WANs.

(7) I note that there is an extra POOL config for VPN but no other related IP address, DHCP server etc. settings, but I will assume that's NORMAL for VPN IPsec configs.........

(8) Why identify subnets or VLANs in a FIREWALL ADDRESS LIST? One can identify them by their interface directly, or by source-address.
Firewall address lists are common for a group of IPs within a subnet, or IPs across subnets, or any of the former with a subnet or two. In other words, any time you have any grouping with individual IPs involved, it's time for a firewall address list.

(9) As noted your firewall rules are disorganized and bloated..........

(10) The first sourcenat rule would probably not work how it's set up; best to use out-interface-list=WAN where both WANs are identified properly as list members (no bridge required).

(11) What is the purpose of the five disabled sourcenat rules.............. just remove them, all noise.

(12) All your destination NAT rules are missing where the port forwarding is coming from or going to...........
Static WAN IPs use dst-address=actual WANIP.
Dynamic WAN IPs use in-interface-list=WAN, unless you have some users locally that must use the WAN IP to access servers instead of the more direct LAN IP to LAN IP traffic??
If so, you will likely need to learn about hairpin NAT - viewtopic.php?t=179343
Last edited by anav on Fri May 20, 2022 11:44 pm, edited 1 time in total.
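A single-bridge layout that does what the original poster is after (VLANs 10, 11, 15 and 150 tagged on the trunk, VLAN 9 untagged as the native/management VLAN), as an added example that is not from the thread or from MikroTik's docs. The bridge name bridge1, the trunk port ether5 and the MGMT interface list are assumptions; the VLAN names, IDs and the 192.168.9.0/24 subnet are taken from the posted config.

```routeros
# Added example, not the poster's config. Assumes ether5 is the trunk to the
# Cisco (which has "switchport trunk native vlan 9" on its side) and that no
# hardware offload is used, as in the posted config. Apply from a console or
# inside safe mode: a wrong PVID on the port you manage through locks you out.

/interface bridge
add name=bridge1 comment="one bridge for all VLANs" vlan-filtering=no

# Trunk to the Cisco. pvid=9 makes untagged (native) frames arriving on ether5
# members of VLAN 9, so a plain device on that port lands in management.
/interface bridge port
add bridge=bridge1 interface=ether5 pvid=9 hw=no comment="trunk to Cisco"

# Router-side L3 interfaces hang off the bridge, not off the physical port.
/interface vlan
add interface=bridge1 name=Mgmt vlan-id=9
add interface=bridge1 name=Entertainment_VLAN vlan-id=10
add interface=bridge1 name=Guest_VLAN vlan-id=11
add interface=bridge1 name=CFB_VLAN vlan-id=15
add interface=bridge1 name=Workshop_VLAN vlan-id=150

# Bridge VLAN table. Members are bridge PORTS plus the bridge itself (so the
# router's own /interface vlan traffic is tagged in and out); listing the
# /interface vlan names here, as the posted config did, matches nothing.
# VLAN 9 leaves ether5 untagged, the data VLANs leave it tagged.
/interface bridge vlan
add bridge=bridge1 vlan-ids=9 tagged=bridge1 untagged=ether5
add bridge=bridge1 vlan-ids=10,11,15,150 tagged=bridge1,ether5

/ip address
add address=192.168.9.1/24 interface=Mgmt network=192.168.9.0

# Router management only from VLAN 9: the posted rules accept Winbox (8291)
# from any interface, WAN included. Accept it from the Mgmt interface and
# drop it from the WAN list before the generic input rules.
/interface list
add name=MGMT
add name=WAN
/interface list member
add list=MGMT interface=Mgmt
/ip firewall filter
add chain=input in-interface-list=MGMT dst-port=8291 protocol=tcp \
    action=accept comment="Winbox from management VLAN only"
add chain=input in-interface-list=WAN dst-port=8291 protocol=tcp \
    action=drop comment="no Winbox from WAN"

# Last step, once 192.168.9.1 answers on Mgmt: turn filtering on.
/interface bridge
set bridge1 vlan-filtering=yes
```

Verify with /interface bridge vlan print (the dynamic entries should show ether5 untagged in 9 and tagged in the rest) and /interface bridge host print, which lists on which VLAN each learned MAC is seen.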
 
Buckeye
Forum Veteran
Posts: 886
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Management VLAN Question

Fri May 20, 2022 11:43 pm

I meant "lose" or "lost" connection if that helps.

I suppose the easiest way to put this would be: if I were to plug a device straight into a bridge port on the MikroTik, I expect it to get an IP from native VLAN 9 if that is set correctly. At the moment this isn't working when I set it to PVID 9, and it works when set to 1.

All VLANs are in Cisco VLAN database.
To answer your trunk port questions:

My Cisco switch is set to Native VLAN ID 9.
Trunk Port (Port 24) with native VLAN set as 1: I get an IP for VLAN 9 (192.168.9.0/24) as default, and if I tag different VLAN IDs I get those IPs too.
Trunk Port (Port 24) with native VLAN set as 9: I do not get anything, nothing, nada, total loss unless I set the Port 24 native VLAN ID to 1.
Sorry for my misspelling of "lose".

On the Cisco switch, can you save your config (copy run start), then post the output of "show startup" and "show vlan" from the Cisco switch (you can remove any username lines or any global addresses)?

If I am understanding correctly, you are making the change only on the Cisco side. If that's the case, changing the native VLAN of a trunk port should only have local significance on the Cisco switch, since it only affects which VLAN on the Cisco switch untagged frames will be associated with. I can't understand how that would affect tagged VLANs on the trunk port (24 of the Cisco?).

What it will affect is whether other ports on the Cisco switch will have access to the untagged frames on the trunk port. Only switch ports with membership in VLAN 9 will have access to any untagged devices connected to the trunk port once that change is made, at least directly.

Since you haven't provided details about the Cisco switch, it is hard to say, since some Cisco switches (e.g. 3750) have L3 capabilities. I am assuming the Cisco switch is pure layer 2, with no routing capabilities.

But if you put a PC without VLAN capabilities on port 24, and the native VLAN is 1 (default), then a PC connected to (say) port 5 that is an access port for VLAN 1 will have access to the PC on port 24 (you will need to manually set IP addresses on the two PCs to be in the same subnet; what subnet it is makes no difference). But if you now change the port 24 trunk to have native VLAN 9, the PC on the VLAN 1 access port will no longer have access to that PC.

See this to check your understanding of VLANs (if on Cisco, with CDP disabled so you don't get VLAN mismatch warning messages).
 
innocentdevil
newbie
Topic Author
Posts: 31
Joined: Mon Aug 18, 2014 12:23 pm

Re: Management VLAN Question

Tue May 24, 2022 11:49 am

Hi,

I would like to think that I have a solid understanding of VLANs. I have managed to get this working in a different way using the MikroTik.

The settings on my Cisco switch are fine and everything flows as it should, tagged or tagless. It's purely on the management side that I was having an issue.
