k6ccc
Forum Guru
Topic Author
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

VLAN under Bridge

Sun Jun 05, 2022 2:20 am

I will start out by saying that I do NOT use bridges in RouterOS - and therefore do not understand how to make them work. I use RouterOS ONLY for router functions, and use switches where I need a switch. Just for good measure, the MikroTik documentation pages were down for maintenance when I was doing most of this (back up now, but did not help)...
What I am trying to accomplish is to take one of my old RB750r2 routers and make it function as a simple VLAN switch, with 1 trunk port containing 4 VLANs, and the other four ports each having one of the VLANs (untagged) - sometimes referred to as a "Router on a Stick". If I were doing this on a SwitchOS device, I would be done in 30 seconds (or less). This is being done only to avoid having to run four Cat-5 cables to a rack shelf with four Raspberry Pis on it.

I followed pcunite's nice tutorial in: viewtopic.php?t=143620
using the switch example and could not make it work. I poked at it for a while and it still does not work. So clearly I don't know what I'm doing.
If the image does not work, here is a direct link to it: http://extraphotos.info/mikrotik/Router-3.png

I have eliminated most of the firewall simply to make sure that was not causing me any problems. Once I get the bridge working the way it should, I can put the security back. This is all on my home LANs behind my RB4011 main router.

BTW, if I should be doing this completely differently, let me know...
# jan/02/1970 01:36:13 by RouterOS 6.49.6
# software id = <redacted>
#
# model = RouterBOARD 750 r2
# serial number = <redacted>
/interface bridge
add admin-mac=4C:5E:0C:04:3E:2D auto-mac=no comment=defconf name=BR-1 \
    protocol-mode=none
/interface vlan
add interface=BR-1 name=VALN_006 vlan-id=6
add interface=BR-1 name=VLAN_005 vlan-id=5
add interface=BR-1 name=VLAN_101 vlan-id=101
add interface=BR-1 name=VLAN_201 vlan-id=201
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=BR-1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether2 pvid=6
add bridge=BR-1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=5
add bridge=BR-1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4 pvid=201
add bridge=BR-1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=101
add bridge=BR-1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=BR-1 tagged=ether1 untagged=ether3 vlan-ids=5
add bridge=BR-1 tagged=ether1 untagged=ether2 vlan-ids=6
add bridge=BR-1 tagged=ether1 untagged=ether5 vlan-ids=101
add bridge=BR-1 tagged=ether1 untagged=ether4 vlan-ids=201
/interface list member
add comment=defconf interface=BR-1 list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
/ip address
add address=192.168.201.253/24 interface=ether4 network=192.168.201.0
add address=192.168.101.253/24 interface=ether5 network=192.168.101.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Temp connection-state=""
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/system identity
set name=RasPi-switch
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN under Bridge

Sun Jun 05, 2022 4:50 am

viewtopic.php?t=182276

It's not a router, so the only thing you need to do is identify the management vlan...
Also you forgot to turn vlan filtering on (last step of pcunite's setup :-0 )

As for the config, simplify. Since you don't state it explicitly I have to guess and will use VLAN5 as your trusted subnet (base or management subnet). To be clear,
the MT device should get its IP address from this trusted subnet. This vlan is the only one that needs to be identified. ENJOY
# jan/02/1970 01:36:13 by RouterOS 6.49.6
# model = RouterBOARD 750 r2
/interface bridge
add admin-mac=4C:5E:0C:04:3E:2D auto-mac=no comment=defconf name=BR-1 \
    protocol-mode=none  vlan-filtering=yes
/interface vlan
add interface=BR-1 name=VLAN_005 vlan-id=5
/interface list
add name=management
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=BR-1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether2 pvid=6
add bridge=BR-1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=5
add bridge=BR-1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4 pvid=201
add bridge=BR-1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=101
add bridge=BR-1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=BR-1 tagged=BR-1,ether1 untagged=ether3 vlan-ids=5
add bridge=BR-1 tagged=ether1 untagged=ether2 vlan-ids=6
add bridge=BR-1 tagged=ether1 untagged=ether5 vlan-ids=101
add bridge=BR-1 tagged=ether1 untagged=ether4 vlan-ids=201
/interface list member
add interface=VLAN_005 list=management
/ip address
# address statically set from the trusted subnet
add address=192.168.xx.yy/24 interface=VLAN_005 network=192.168.xx.0
/ip dns
# dns through the trusted subnet gateway
set allow-remote-requests=yes servers=192.168.xx.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.xx.1 comment="ensures route avail through trusted subnet gateway"
/system identity
set name=RasPi-switch
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=management
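Neither export in this thread comes with a way to sanity-check it, so here is an added Python example (my code, not from the thread, pcunite's tutorial or MikroTik) that parses a RouterOS export and flags the three things that tripped up the first config: vlan-filtering left off, a VLAN interface on the bridge without the bridge itself being tagged for that VLAN, and an IP address placed on a bridge slave port. The sample export is constructed from the thread's first config; the parser assumes single, comma-separated VLAN ids rather than ranges.

```python
import re
# Constructed sample modelled on the thread's first (non-working) export.
SAMPLE = r"""
/interface bridge
add name=BR-1 protocol-mode=none
/interface vlan
add interface=BR-1 name=VLAN_005 vlan-id=5
/interface bridge port
add bridge=BR-1 frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=5
add bridge=BR-1 interface=ether4 pvid=201
add bridge=BR-1 frame-types=admit-only-vlan-tagged interface=ether1
/interface bridge vlan
add bridge=BR-1 tagged=ether1 untagged=ether3 vlan-ids=5
/ip address
add address=192.168.201.253/24 interface=ether4 network=192.168.201.0
"""

def parse_export(text):
    """Map each '/section' to its 'add'/'set' rows as {key: value} dicts."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    cfg, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            cfg.setdefault(section := line, [])
        elif section and line.startswith(("add ", "set ")):
            cfg[section].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return cfg

def check_bridge_vlans(text):
    """Flag the three mistakes the thread runs into (single VLAN ids only)."""
    cfg, findings = parse_export(text), []
    bridges = {b["name"] for b in cfg.get("/interface bridge", [])}
    for b in cfg.get("/interface bridge", []):
        if b.get("vlan-filtering") != "yes":  # the vlan table is ignored until this is on
            findings.append(f"{b['name']}: vlan-filtering is not enabled")
    tagged = {}  # (bridge, port) -> VLAN ids that port carries tagged
    for row in cfg.get("/interface bridge vlan", []):
        for port in filter(None, row.get("tagged", "").split(",")):
            tagged.setdefault((row["bridge"], port), set()).update(row["vlan-ids"].split(","))
    for v in cfg.get("/interface vlan", []):  # an L3 VLAN on the bridge needs the bridge tagged
        if v["interface"] in bridges and v["vlan-id"] not in tagged.get((v["interface"],) * 2, set()):
            findings.append(f"{v['name']}: {v['interface']} is not tagged for vlan {v['vlan-id']}")
    slaves = {p["interface"] for p in cfg.get("/interface bridge port", [])}
    for a in cfg.get("/ip address", []):  # addresses belong on the bridge or VLAN, not a slave port
        if a["interface"] in slaves:
            findings.append(f"{a['address']}: assigned to bridge slave port {a['interface']}")
    return findings
```

Running `check_bridge_vlans(SAMPLE)` reports all three findings; applying the same three changes anav makes above (vlan-filtering=yes, tagged=BR-1,ether1, address on VLAN_005) returns an empty list.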
 
k6ccc
Forum Guru
Topic Author
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: VLAN under Bridge

Sun Jun 05, 2022 8:17 am

Thanks anav!
You made a couple of incorrect assumptions on management, but that got me close enough to make it work. Just a little tweaking to do now.
Management will actually (at least for now) be on VLAN 201 via the trunked port - and I have that working.
I'm going to have to stare at it for a while to completely make sense of it, but I think I should eventually be able to figure it out.
As I said in my original post, if I were doing this in SwitchOS, it would have taken just a few seconds...
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN under Bridge

Sun Jun 05, 2022 1:18 pm

k6ccc wrote:
Thanks anav!
You made a couple of incorrect assumptions on management, but that got me close enough to make it work. Just a little tweaking to do now.
Management will actually (at least for now) be on VLAN 201 via the trunked port - and I have that working.
I'm going to have to stare at it for a while to completely make sense of it, but I think I should eventually be able to figure it out.
As I said in my original post, if I were doing this in SwitchOS, it would have taken just a few seconds...

Yeah, LOL, it took me a few seconds to put that out... I find it easier than SwitchOS LOL.
