Community discussions

MikroTik App
 
gregoinc
just joined
Topic Author
Posts: 9
Joined: Wed May 18, 2022 9:12 am

Embarrassed New User VLAN Issues

Wed Jul 06, 2022 2:52 am

Hi Folks,

First time Mikrotik owner. I have 2 x CRS328-24P-4S+ switches running RouterOS 6.49.6. I have watched countless YouTube videos, read manuals, and endless posts on here.... but... I just cannot get VLAN's to work? It's embarrassing as I work in the IT industry and can normally work things out myself. Had this all configured on my Dlink switches, but since moving over to Mikrotik I just cannot work it out.

I am using the WebFig... so apology to those of you that use the command line. If there's an easier way to configure VLAN's without the WebFig then I am happy to give it a go. My requirements are very simple, see below...

VLAN10 = WiFi vlan, with 3 access points connected across the the 2 x CRS328-24P-4S+ switches.
VLAN20 = CCTV vlan with 4 CCTV cameras across the 2 x CRS328-24P-4S+ switches.

I've managed to create the vlans, but cannot figure out how to bind the vlnas to particular Ethernet ports. I also figure I'd need to have a VLAN trunk between the 2 x CRS328-24P-4S+ switches. Not sure what data you would require to help me, but tell me what you need and I will provide it. Right now I've removed all of my configuration attempts, but can add again if that will help.

Apology for this random new guy question... no doubt I am doing something really basic that is causing the issue.

Thanks, Mark
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Embarrassed New User VLAN Issues

Wed Jul 06, 2022 5:29 am

First time Mikrotik owner. I have 2 x CRS328-24P-4S+ switches running RouterOS 6.49.6. I have watched countless YouTube videos, read manuals, and endless posts on here.... but... I just cannot get VLAN's to work? It's embarrassing as I work in the IT industry and can normally work things out myself. Had this all configured on my Dlink switches, but since moving over to Mikrotik I just cannot work it out.
No offense meant, but the information you provided isn't useful for troubleshooting. We need to see your configs and how the switches are connected. I suggest taking a look at this thread New User Pathway To Config Success and NEW USER POSTING FOR ASSISTANCE

First advice is to download winbox, it is better than winfig (unless you are using some device that can't emulate a windows environment).

I realize you "have watched countless YouTube videos, read manuals, and endless posts on here...." but unfortunately that doesn't tell us what you have read/watched.

Look at this example in the documentation VLAN Example - Trunk and Access Ports
 
gregoinc
just joined
Topic Author
Posts: 9
Joined: Wed May 18, 2022 9:12 am

Re: Embarrassed New User VLAN Issues

Wed Jul 06, 2022 9:34 am

First time Mikrotik owner. I have 2 x CRS328-24P-4S+ switches running RouterOS 6.49.6. I have watched countless YouTube videos, read manuals, and endless posts on here.... but... I just cannot get VLAN's to work? It's embarrassing as I work in the IT industry and can normally work things out myself. Had this all configured on my Dlink switches, but since moving over to Mikrotik I just cannot work it out.
No offense meant, but the information you provided isn't useful for troubleshooting. We need to see your configs and how the switches are connected. I suggest taking a look at this thread New User Pathway To Config Success and NEW USER POSTING FOR ASSISTANCE

First advice is to download winbox, it is better than winfig (unless you are using some device that can't emulate a windows environment).

I realize you "have watched countless YouTube videos, read manuals, and endless posts on here...." but unfortunately that doesn't tell us what you have read/watched.

Look at this example in the documentation VLAN Example - Trunk and Access Ports
Hi Buckeye,

Thanks for the info, appreciate you taking time to reply. I will take a look at the info and continue exploring the config. I use Linux workstations, so not sure winfig will be an option, but I could always spin up a Windows VM. The info you've given me is fantastic, thanks again. Once I have some more solid data I will come back.

Here's one of the videos I watched... https://youtu.be/4BOYqtV4MCY

Just out of curiosity, what might be the best way for me to take a config dump so I can share it here? I wanted to do that, but wasn't sure sharing screen grabs was of any value.

Thanks, Mark
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Embarrassed New User VLAN Issues

Wed Jul 06, 2022 12:23 pm

Winbox will run under Wine on Linux and macOS.

Open a terminal session/window (you can either SSH to the Mikrotik or use New Terminal in Winbox, I can't remember if the web interface has an equivalent). The command /export hide-sensitive (for RouterOS 6, or just /export in RouterOS 7) generates a textual representation of the configuration, you can cut/paste this from the terminal or specifiy a local file for the output and copy that from the Mikrotik.

The sensitive information omitted only covers items such as passwords, WPA keys, IPsec secrets, etc. You should redact anything else such as the serial number, public IP addresses, credentials in scripts, etc. before posting in a code block (the [] icon in the menu above the text box when posting to the forum).
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Embarrassed New User VLAN Issues

Thu Jul 07, 2022 10:06 am

Thanks for the info, appreciate you taking time to reply. I will take a look at the info and continue exploring the config. I use Linux workstations, so not sure winfig will be an option, but I could always spin up a Windows VM. The info you've given me is fantastic, thanks again. Once I have some more solid data I will come back.

Here's one of the videos I watched... https://youtu.be/4BOYqtV4MCY

Just out of curiosity, what might be the best way for me to take a config dump so I can share it here? I wanted to do that, but wasn't sure sharing screen grabs was of any value.
Several things,

First, I didn't notice you were using RouterOS 6.49.6 and pointed you at the wrong documentation in help.mikrotik.com (which is v7 documentation). The correct docs for v6 are in wiki.mikrotik.com, and are referenced in the pinned comments for Network Berg's video you linked. (Copied from youtube comment immediately below this)
VLAN Documentation / References:

VLAN Interfaces:
https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

Bridge VLAN Table:
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

Switch Chip:
https://wiki.mikrotik.com/wiki/Manual:S ... p_Features

Hardware Offloading:
https://wiki.mikrotik.com/wiki/Manual:I ... Offloading
https://help.mikrotik.com/docs/display/ ... Offloading

Also watch closely at the 10:45 offset in the video you linked, where he uses wine to open winbox (he is also using Linux).

And @tdk provided the info we are looking for. You can ssh into the router and get to a CLI prompt directly, or use the New Terminal in the left menu of WinBox
 
gregoinc
just joined
Topic Author
Posts: 9
Joined: Wed May 18, 2022 9:12 am

Re: Embarrassed New User VLAN Issues

Fri Jul 08, 2022 1:22 am

Winbox will run under Wine on Linux and macOS.

Open a terminal session/window (you can either SSH to the Mikrotik or use New Terminal in Winbox, I can't remember if the web interface has an equivalent). The command /export hide-sensitive (for RouterOS 6, or just /export in RouterOS 7) generates a textual representation of the configuration, you can cut/paste this from the terminal or specifiy a local file for the output and copy that from the Mikrotik.

The sensitive information omitted only covers items such as passwords, WPA keys, IPsec secrets, etc. You should redact anything else such as the serial number, public IP addresses, credentials in scripts, etc. before posting in a code block (the [] icon in the menu above the text box when posting to the forum).
Thank you, will attempt the setup again and then dump the output here.

Here's the topology I have, and the VLAN setup I am seeking to achieve. Diagram updated 08/07/22.
Network-Diagram-VLAN-v1.jpg
Thanks, Mark
You do not have the required permissions to view the files attached to this post.
Last edited by gregoinc on Fri Jul 08, 2022 1:01 pm, edited 1 time in total.
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Embarrassed New User VLAN Issues

Fri Jul 08, 2022 4:27 am

Here's the topology I have, and the VLAN setup I am seeking to achieve.
Is the connection to the pfsense box using untagged (standard ethernet) frames? In other words, if you connect a non-vlan aware device (a standard ethernet connection from a PC for example) to the cable that was plugged into the top CRS328-24P-4S+ switch, can the PC obtain an ip address from the pfsense firewall, and access the internet?

Also, what are the vlan 20 cameras connecting to? Is the NVR also on vlan 20? Does anything on vlan 10 need to access devices on vlan 20? If so, what was providing the inter-vlan routing when you were using the Dlink switches?
 
gregoinc
just joined
Topic Author
Posts: 9
Joined: Wed May 18, 2022 9:12 am

Re: Embarrassed New User VLAN Issues

Fri Jul 08, 2022 11:27 am

Thanks for the info, appreciate you taking time to reply. I will take a look at the info and continue exploring the config. I use Linux workstations, so not sure winfig will be an option, but I could always spin up a Windows VM. The info you've given me is fantastic, thanks again. Once I have some more solid data I will come back.

Here's one of the videos I watched... https://youtu.be/4BOYqtV4MCY

Just out of curiosity, what might be the best way for me to take a config dump so I can share it here? I wanted to do that, but wasn't sure sharing screen grabs was of any value.
Several things,

First, I didn't notice you were using RouterOS 6.49.6 and pointed you at the wrong documentation in help.mikrotik.com (which is v7 documentation). The correct docs for v6 are in wiki.mikrotik.com, and are referenced in the pinned comments for Network Berg's video you linked. (Copied from youtube comment immediately below this)
VLAN Documentation / References:

VLAN Interfaces:
https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

Bridge VLAN Table:
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

Switch Chip:
https://wiki.mikrotik.com/wiki/Manual:S ... p_Features

Hardware Offloading:
https://wiki.mikrotik.com/wiki/Manual:I ... Offloading
https://help.mikrotik.com/docs/display/ ... Offloading

Also watch closely at the 10:45 offset in the video you linked, where he uses wine to open winbox (he is also using Linux).

And @tdk provided the info we are looking for. You can ssh into the router and get to a CLI prompt directly, or use the New Terminal in the left menu of WinBox
I have upgraded to firmware version 7.3.1 and all seems fine with using winbox. Thanks for the tip on that, as winbox seems to be really good.

Random question... I am using Router OS instead of Switch OS, and am using a bridge which has all the ports under it. Upon initial config I looked at setting up a routed config, but it didn't look like the way to go. So why am I asking... want to make sure to implement VLAN's having a bridge is the way to go, rather than attempting the config, only to find a bridge is an issue.

I have configured VLAN trunks between the 2 CRS328-24P-4S+ switches without any issue. I am thinking to add individual ports to VLAN's I just create a VLAN bridge and then add ports to the bridge, will try that and see.

Thanks again for all the help, much appreciated.
 
gregoinc
just joined
Topic Author
Posts: 9
Joined: Wed May 18, 2022 9:12 am

Re: Embarrassed New User VLAN Issues

Fri Jul 08, 2022 11:37 am

Here's the topology I have, and the VLAN setup I am seeking to achieve.
Is the connection to the pfsense box using untagged (standard ethernet) frames? In other words, if you connect a non-vlan aware device (a standard ethernet connection from a PC for example) to the cable that was plugged into the top CRS328-24P-4S+ switch, can the PC obtain an ip address from the pfsense firewall, and access the internet?

Also, what are the vlan 20 cameras connecting to? Is the NVR also on vlan 20? Does anything on vlan 10 need to access devices on vlan 20? If so, what was providing the inter-vlan routing when you were using the Dlink switches?
Re pfsense, I figure I am going to need to configure VLAN10 on the pfsense, so the access points can get direct access to the internet. The pfsense box provides DHCP services to the main IP address range, however I am considering using the CRS328-24P-4S+ as the DHCP server. For the VLAN10 the CRS328-24P-4S+ will need to provide the DHCP anyway.

The cameras connect to an NVR, so I can control the VLAN port for the NVR, however there are certain camera streams that are fed to my Home Assistant server, so I'd need to think about that one. As far as I can tell VLAN10 several devices on VLAN20 will need to talk to VLAN10.

I'm thinking a flat network is easier :-)
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Embarrassed New User VLAN Issues

Fri Jul 08, 2022 12:02 pm

Random question... I am using Router OS instead of Switch OS, and am using a bridge which has all the ports under it. Upon initial config I looked at setting up a routed config, but it didn't look like the way to go. So why am I asking... want to make sure to implement VLAN's having a bridge is the way to go, rather than attempting the config, only to find a bridge is an issue.
I have not use the CRS328-24P-4S+, but it is sold as a switch, not a router, and that's not what is is designed to do. It does switching at wire speed.

I don't know what you are using for pfsense, but that's where I would be looking to do routing. The CPU in the CRS328-24P-4S+ is primarily for maintenance functions and management, not for bulk routing. Even a low end router like a hEX RB750Gr3 has more processing power than the CPU in the CRS328-24P-4S+. compare the routing test results RB750Gr3 vs CRS328-24P-4S+ But look at the switching capacity where the 24 port switch shines (even though the Rb750Gr3 has a switch ASIC and can switch at wire speed, it has many fewer ports and no SFP+. It is also more limited on max ethernet frame size.

But I would use RouterOS if you want secure management protocols. My SwOS only CSS106-5G-1S does not support https or any CLI access, I don't know if the same applies to the larger switches too when they use SwOS.

This is about all I can say about the CRS328-24P-4S+. I will let others with more hands on experience with the CRS328-24P-4S+ take over, and correct any inaccurate statements I may have made.
 
gregoinc
just joined
Topic Author
Posts: 9
Joined: Wed May 18, 2022 9:12 am

Re: Embarrassed New User VLAN Issues

Sat Jul 09, 2022 12:22 pm

Random question... I am using Router OS instead of Switch OS, and am using a bridge which has all the ports under it. Upon initial config I looked at setting up a routed config, but it didn't look like the way to go. So why am I asking... want to make sure to implement VLAN's having a bridge is the way to go, rather than attempting the config, only to find a bridge is an issue.
I have not use the CRS328-24P-4S+, but it is sold as a switch, not a router, and that's not what is is designed to do. It does switching at wire speed.

I don't know what you are using for pfsense, but that's where I would be looking to do routing. The CPU in the CRS328-24P-4S+ is primarily for maintenance functions and management, not for bulk routing. Even a low end router like a hEX RB750Gr3 has more processing power than the CPU in the CRS328-24P-4S+. compare the routing test results RB750Gr3 vs CRS328-24P-4S+ But look at the switching capacity where the 24 port switch shines (even though the Rb750Gr3 has a switch ASIC and can switch at wire speed, it has many fewer ports and no SFP+. It is also more limited on max ethernet frame size.

But I would use RouterOS if you want secure management protocols. My SwOS only CSS106-5G-1S does not support https or any CLI access, I don't know if the same applies to the larger switches too when they use SwOS.

This is about all I can say about the CRS328-24P-4S+. I will let others with more hands on experience with the CRS328-24P-4S+ take over, and correct any inaccurate statements I may have made.
Yes, I am inclined to agree. I wasn't planning on activating routing, but also am a little confused how VLAN's relate to the default bridge that is created when the default config is created? I am assuming I create a bridge for each VLAN, and then add ports I want in a particular VLAN to the bridge for that VLAN.

Be great to get some suggestions, but I am going to experiment and see what happens. Have already learnt removing the default bridge is not a good idea :lol:

Thanks, Mark
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Embarrassed New User VLAN Issues

Sat Jul 09, 2022 1:01 pm

I wasn't planning on activating routing, but also am a little confused how VLAN's relate to the default bridge that is created when the default config is created? I am assuming I create a bridge for each VLAN, and then add ports I want in a particular VLAN to the bridge for that VLAN.
Were you using vlans on your dlink switches?

For the config you show in your diagram, vlans would be useful. So I would not give up on using vlans, as it has advantages over going to a flat network.

You want only one bridge, otherwise you won't get good performance. When vlan-filtering is active, the switch is "vlan-aware". You tell the switch which ports are members of a particular vlan (a port can be a member of more than one vlan, that's what a trunk port is), but only one of those vlans can use "standard" untagged ethernet frames on a particular port, all the other vlans that the port is a member of must use IEEE 802.1Q tags. See Bridge VLAN Filtering which has some example scenarios and the corresponding vlan configurations.
 
gregoinc
just joined
Topic Author
Posts: 9
Joined: Wed May 18, 2022 9:12 am

Re: Embarrassed New User VLAN Issues

Thu Jul 14, 2022 3:14 pm

I wasn't planning on activating routing, but also am a little confused how VLAN's relate to the default bridge that is created when the default config is created? I am assuming I create a bridge for each VLAN, and then add ports I want in a particular VLAN to the bridge for that VLAN.
Were you using vlans on your dlink switches?

For the config you show in your diagram, vlans would be useful. So I would not give up on using vlans, as it has advantages over going to a flat network.

You want only one bridge, otherwise you won't get good performance. When vlan-filtering is active, the switch is "vlan-aware". You tell the switch which ports are members of a particular vlan (a port can be a member of more than one vlan, that's what a trunk port is), but only one of those vlans can use "standard" untagged ethernet frames on a particular port, all the other vlans that the port is a member of must use IEEE 802.1Q tags. See Bridge VLAN Filtering which has some example scenarios and the corresponding vlan configurations.
Hi Buckeye,

Thanks for the reply. Yes, I was using VLAN's on my Dlink switches, but not as extensive as I want to use them on the Mikrotik switches. I have configured bridging VLAN's to trial that setup, so will see how I go. I have a number of virtual machines running on a QNAP host, so may need to reconfigure the virtual switches on the QNAP as I am not sure if I can split VLAN's across VM's. Like I said, the Dlink setup was basic, so this is a new experience. This weekend I am going to attempt to finalise the config for a single access point and see how I go.

Thanks, Mark

Who is online

Users browsing this forum: 0xAA55, gigabyte091, GoogleOther [Bot], lurker888, pazuwu, pmcsill, rarlup, svh79, Wovka and 51 guests