rearden
just joined
Topic Author
Posts: 8
Joined: Sun Oct 24, 2010 2:17 pm

VLANs not working

Mon Sep 12, 2022 5:53 am

Hello,

I'm following the guide here: viewtopic.php?t=143620 and trying to follow the router-switch-ap (although without the AP) example. When I apply the configuration to my new CCR2116, I'm not able to get any IP address on my VLAN access ports (ether5-8 in my configuration). My full config is below; any help would be greatly appreciated.

For reference, I've used MT for quite a while in small deployments, but never really attempted anything with VLANs. I'm trying to learn as my networks become large enough to benefit from more segmentation, but I'm struggling just getting it set up. This is a brand new router; all I've done is update it to ROS 7.5.

# jan/02/1970 00:25:14 by RouterOS 7.5
# model = CCR2116-12G-4S+
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=LAN_VLAN vlan-id=10
add interface=BR1 name=Voice_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN_POOL ranges=10.0.10.2-10.0.10.254
add name=Voice_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=LAN_POOL interface=LAN_VLAN name=LAN_DHCP
add address-pool=Voice_POOL interface=Voice_VLAN name=Voice_DHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=20
add bridge=BR1 interface=ether12 pvid=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=LAN_VLAN list=VLAN
add interface=Voice_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether13 network=192.168.88.0
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=LAN_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=Voice_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/system identity
set name=HomeCCR

 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: VLANs not working

Mon Sep 12, 2022 6:21 am

I think there is a misconfiguration, add this:

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether5,ether6 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether7,ether8 vlan-ids=20
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs not working

Mon Sep 12, 2022 1:46 pm

1 - You have three VLANs assigned to the bridge,
WHY only two pools? Missing Base pool?
Why only two DHCP servers? Missing Base DHCP server.
Why only two DHCP server networks? Missing Base DHCP server network..........

2- I see you are using ether13 for configuring the device (off bridge)?

3- You have duplication in your input chain and some missing rules....
What is the difference between these two rules please???
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN


Input chain should look like:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=VLAN
add action=drop chain=input comment="drop all else" *****

If you want to only allow the BASE VLAN to have full access to the router, that is a good thing, so what you need to do is still give the rest of the VLAN USERS access to needed router services, typically DNS and sometimes also NTP, or UPnP etc........

add action=accept chain=input in-interface-list=BASE
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=VLAN
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=VLAN
add action=drop chain=input comment="drop all else"

4.- The forward chain looks fine, assuming you're not doing any port forwarding, but do add the missing elements......

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop

5.- Missing.......
/ip neighbor discovery-settings
set discover-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

6.- As was pointed out by the philosopher nichky ;-)
You have only put in half of the /interface bridge settings and are missing the /interface bridge vlan settings.

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether5,ether6 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether7,ether8 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether9 vlan-ids=99
 
rearden
just joined
Topic Author
Posts: 8
Joined: Sun Oct 24, 2010 2:17 pm

Re: VLANs not working

Tue Sep 13, 2022 6:43 pm

I think there is a misconfiguration, add this:

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether5,ether6 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether7,ether8 vlan-ids=20
Nichky,

Thank you for the suggestion. I will try it tonight and see if it works. In following that other tutorial linked in my original post, I thought the following code handled the untagging for the access ports:
# ingress behavior
/interface bridge port

# Blue VLAN
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=wlan1  pvid=10

# Green VLAN
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=wlan2  pvid=20

# BASE_VLAN
add bridge=BR1 interface=wlan3 pvid=99

# egress behavior, handled automatically

# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]
Is that not correct? Or at least, potentially not correct anymore in v7.5? Otherwise, I don't see anything else in the RouterSwitchAP.rsc example that seems to set "untag" on the access ports.

Regardless, I'll give it a shot when I get back to the router tonight and see if that solves it.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs not working

Tue Sep 13, 2022 6:49 pm

Nope, I explained why I always put in the untagging manually, and you get a huge wet smacking kiss on the lips for being a perfect illustration of why, and of the confusion that PCUNITE inadvertently creates by using CLI or script lingo which is above the head of many new users................ (meaning they miss the commands that he does have that make the config correct).

Read this post..............#3
viewtopic.php?p=956155#p956155

If still confused come back here and ask!
Last edited by anav on Wed Sep 14, 2022 2:13 pm, edited 2 times in total.
 
rearden
just joined
Topic Author
Posts: 8
Joined: Sun Oct 24, 2010 2:17 pm

Re: VLANs not working

Tue Sep 13, 2022 6:52 pm

anav,

Thanks for your detailed response. I will attempt to answer your questions.

I only have two pools and DHCP servers at the moment because this is just a lab setup that I'm using to learn the concept in RoS. My intent was just to statically assign my laptop an IP address if I needed to use the base VLAN before I rebuild the config for my "production" environment, so I just omitted it.

Yes, I'm using ether13 for a direct MAC connection to configure the device essentially "out of band" to minimize getting locked out.

I appreciate the extra guidance on the firewall rules, that's good to know, and I will implement those when I get the full configuration operating.

I'll directly set the "untagged" property on the bridge tonight and hopefully that will get the VLAN config working.

Again, I appreciate your response.
1 - You have three VLANs assigned to the bridge,
WHY only two pools? Missing Base pool?
Why only two DHCP servers? Missing Base DHCP server.
Why only two DHCP server networks? Missing Base DHCP server network..........

2- I see you are using ether13 for configuring the device (off bridge)?

3- You have duplication in your input chain and some missing rules....
What is the difference between these two rules please???
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN


Input chain should look like:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=VLAN
add action=drop chain=input comment="drop all else" *****

If you want to only allow the BASE VLAN to have full access to the router, that is a good thing, so what you need to do is still give the rest of the VLAN USERS access to needed router services, typically DNS and sometimes also NTP, or UPnP etc........

add action=accept chain=input in-interface-list=BASE
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=VLAN
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=VLAN
add action=drop chain=input comment="drop all else"

4.- The forward chain looks fine, assuming you're not doing any port forwarding, but do add the missing elements......

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop

5.- Missing.......
/ip neighbor discovery-settings
set discover-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

6.- As was pointed out by the philosopher nichky ;-)
You have only put in half of the /interface bridge settings and are missing the /interface bridge vlan settings.

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether5,ether6 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether7,ether8 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether9 vlan-ids=99
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs not working

Tue Sep 13, 2022 7:04 pm

If I was to boil it down to one sentence, any VLAN running through a bridge port has to be tagged at least once in /interface bridge vlan.
Thus if it's not tagged on any ports it must be tagged on the bridge, and that is what pcunite is showing here that many people miss.
I prefer manually untagging as well as tagging the bridge so it's clear to me and to the reader.

PCUNITE'S OBTUSE WAY
# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]

MY WAY or the HWYWAY ;-)
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether5,ether6 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether7,ether8 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether9 vlan-ids=99

ACCEPTABLE but LESS clear
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: VLANs not working

Wed Sep 14, 2022 5:28 am

I blame MikroTik syntax as being weakly designed in this area. However, I can be the whipping boy. I can't feel the pain anymore.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs not working

Wed Sep 14, 2022 2:12 pm

I blame MikroTik syntax as being weakly designed in this area. However, I can be the whipping boy. I can't feel the pain anymore.
Haha, I should more clearly state that you have it covered, but many new users miss what you're communicating, and I edited the above to be less disparaging and more accurate.
Suggesting your use of FIND nomenclature is too academic or CLI focussed for many.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: VLANs not working

Wed Sep 14, 2022 6:51 pm

Suggesting your use of FIND nomenclature is too academic or CLI focused for many.

Yeah, I do understand and wish it was better. The mix of add, set coupled with find is confusing.
 
rearden
just joined
Topic Author
Posts: 8
Joined: Sun Oct 24, 2010 2:17 pm

Re: VLANs not working

Thu Sep 15, 2022 4:47 am

Thanks again both of you for the help. I added the explicit tagging at the command line and it works now. However, I have a follow-on question. Below I'll attach the modified script I took from pcunite's tutorial; it includes his tagging syntax, but for some reason it didn't seem to work. It's in the same location in the script where he had it in the original file, so I'm confused why it didn't work. I may have to reset this router's config back to normal and reapply the script to see if there were any errors I didn't notice, but I thought it all went through correctly.
/system identity set name="HomeCCR"

/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

# ingress behavior
/interface bridge port

# LAN VLAN
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 interface=ether6 pvid=10


# Voice VLAN
add bridge=BR1 interface=ether7 pvid=20
add bridge=BR1 interface=ether8 pvid=20

add bridge=BR1 interface=ether12 pvid=99

# egress behavior, handled automatically

# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"

# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=LAN_VLAN vlan-id=10
/ip address add interface=LAN_VLAN address=10.0.10.1/24
/ip pool add name=LAN_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=LAN_POOL interface=LAN_VLAN name=LAN_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1

# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=Voice_VLAN vlan-id=20
/ip address add interface=Voice_VLAN address=10.0.20.1/24
/ip pool add name=Voice_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server add address-pool=Voice_POOL interface=Voice_VLAN name=Voice_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1     list=WAN
add interface=BASE_VLAN  list=VLAN
add interface=LAN_VLAN  list=VLAN
add interface=Voice_VLAN list=VLAN
add interface=BASE_VLAN  list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether8]
 
rearden
just joined
Topic Author
Posts: 8
Joined: Sun Oct 24, 2010 2:17 pm

Re: VLANs not working

Thu Sep 15, 2022 6:00 am

So, after a little more testing, it seems the
set ... [find vlan-ids=10]
syntax doesn't work correctly when pasted into a terminal window; however, explicitly setting tagged and untagged by direct interface name does work. I'm by no means an expert on the MT terminal, so I'm not sure if I'm misusing that syntax somehow.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANs not working

Thu Sep 15, 2022 8:31 am

The set [ find ... ] command only works if a configuration item with the searched property already exists.

E.g. if one runs the following commands on a device with empty configuration
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
/interface bridge vlan
set [ find vlan-ids=20 ] tagged=bridge untagged=ether1
the set command will fail (or rather: won't change anything) because the /interface bridge vlan configuration item with vlan-ids=20 does not exist.

However changing the above code to
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
/interface bridge vlan
add bridge=bridge vlan-ids=20
set [ find vlan-ids=20 ] tagged=bridge untagged=ether1
(i.e. explicitly adding an entry with the vlan-ids property set to 20) will work. Setting the pvid property on /interface bridge port configuration items probably doesn't work either (that's only my guess and I believe somebody's going to try it :wink:).

In short:
  • add adds a configuration item and fails if an item with the same key property already exists
  • set changes an existing configuration item.

The [ find ... ] construct returns a list of items with properties conforming to the parameters given to find ... if configuration items with corresponding properties don't exist, then find will return an empty list and the (associated) set command will not change anything.
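An added example, not from any poster in this thread and not MikroTik tooling, that turns anav's one-sentence rule (every VLAN through a bridge port must be tagged on the bridge in /interface bridge vlan) and mkx's add/set/find explanation into an offline check over an export: it records every set [find ...] that matched no existing item and lists pvid VLANs that are never tagged on the bridge. The sample scripts inside are constructed from the OP's config; the function names are the example's own.

```python
"""Audit a RouterOS export for VLANs never tagged on the bridge (anav's rule) and
for 'set [find ...]' lines that matched nothing (mkx's point); static items only."""
import re
import shlex
from collections import defaultdict

FIND_RE = re.compile(r"\[\s*find\s+(.*?)\s*\]")

# Constructed sample modelled on the OP's config, reduced to the VLAN parts.
COMMON = """\
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 interface=ether12 pvid=99
/interface bridge vlan
"""
# As the OP pasted it: 'set [find]' with no existing item to act on.
OP_SCRIPT = COMMON + """\
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]
"""
# mkx's remedy: 'add' the entries first, then the very same 'set' lines work.
FIXED_SCRIPT = COMMON + """\
add bridge=BR1 untagged=ether5 vlan-ids=10
add bridge=BR1 untagged=ether12 vlan-ids=99
""" + OP_SCRIPT[len(COMMON):]


def kv(words):  # ['a=1', 'b=x y'] -> {'a': '1', 'b': 'x y'}; shlex already unquoted
    return dict(w.split("=", 1) for w in words if "=" in w)


def parse_export(text):
    """Return (items_by_section, no_op_set_lines). 'add' creates an item; 'set
    [find k=v] ...' updates matching items and is a recorded no-op if none match."""
    items, noops, section = defaultdict(list), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        match = FIND_RE.search(line)
        words = shlex.split(FIND_RE.sub(" ", line))
        if words[:1] == ["add"]:
            items[section].append(kv(words[1:]))
        elif words[:1] == ["set"] and match:
            wanted = kv(shlex.split(match.group(1)))
            hits = [i for i in items[section]
                    if all(i.get(k) == v for k, v in wanted.items())]
            if not hits:
                noops.append(line)
            for item in hits:
                item.update(kv(words[1:]))
    return items, noops


def untagged_on_bridge(text):
    """Sorted VLAN ids carried by a bridge port (its pvid) that have no
    /interface bridge vlan entry listing the bridge itself under 'tagged'."""
    items, _ = parse_export(text)
    needed = {int(p["pvid"]) for p in items["/interface bridge port"] if "pvid" in p}
    tagged = set()
    for entry in items["/interface bridge vlan"]:
        if entry["bridge"] in entry.get("tagged", "").split(","):
            tagged |= {int(v) for v in entry["vlan-ids"].split(",")}
    return sorted(needed - tagged)
```

Running untagged_on_bridge(OP_SCRIPT) reports [10, 99] with two no-op set lines, while FIXED_SCRIPT reports nothing, which is exactly the difference the OP saw between pasting pcunite's script and typing the explicit entries.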
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs not working

Thu Sep 15, 2022 10:07 pm

Slow learner, didn't I tell you to ignore that awful syntax............... ;-)
Oh my bad, I thought you were a wise owl, but I see you're only a penguin....... (or worse a lemming)
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: VLANs not working

Fri Sep 16, 2022 9:57 pm

mkx has correctly explained the pitfalls of the confusing ROS syntax and exonerated my guilt. MikroTik is to blame, not I. You would think find would at least print an error to the screen. Nope, just keeps on confusing people. However, I don't find the lack of a status or error message as the real problem. I would prefer an add that performed like a set, so that you could just keep adding to your heart's content.

ROS is programmer friendly, not end-user helpful.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VLANs not working

Fri Sep 16, 2022 10:17 pm

:do { put there command you want to run; } on-error={ put command to be run on error}
viewtopic.php?t=91437#p555095
 
anthonypants
just joined
Posts: 1
Joined: Sat Oct 29, 2022 11:41 pm

Re: VLANs not working

Sun Oct 30, 2022 1:55 am

I think there is a misconfiguration, add this:

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether5,ether6 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether7,ether8 vlan-ids=20
I've been having issues setting up VLANs on a new CRS326, and I've been following all the guides to the letter (including the config file from the post linked in the OP!), and literally all of the guides I can find mention tagging the ethernet (or sfp/sfpplus) interface only, and until this post I hadn't considered the bridge interface needed to be tagged, too! Thank you so much!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs not working

Sun Oct 30, 2022 6:47 pm
