LstGoatOnHill
just joined
Topic Author
Posts: 8
Joined: Fri Dec 02, 2022 11:00 pm

Newbie CRS312 trouble with VLAN & DHCP

Mon Dec 05, 2022 11:21 pm

Hi experts,

Proud new owner of CRS312-4C+8XG-RM. Relatively newbie in networking, first managed switch which I got for more segregation of devices and opportunity to learn.

Trying to configure a relatively simple topology, here's a simple schematic of what I've got:

Image


Goals
  • Main trusted, wired devices in blue = vlan10
  • Wireless devices in green = vlan20
  • DHCP server for vlan10 with IPs from pool
  • DHCP server for vlan20 with IPs from pool
  • Only some wireless devices within vlan20 should be able to reach devices in vlan10 (e.g. laptop or tablet reading NAS)


What I Tried
I've tried several configurations, mainly inspired/educated from pcunit's great article viewtopic.php?f=23&t=143620, although I admit it was a little unclear which scenario best fitted me (as some setups gave separate config for both switch and router). In essence, I did the following:
  • Created a new bridge
  • Created vlan10
  • Created vlan20
  • Assigned both vlans to new bridge
  • Assigned interfaces (e.g. ether2) to new bridge and set PVID
  • Created 2 address pools for each of 2 new DHCP servers to consume from
  • Finally set VLAN filtering


Main problems I faced
  • Could not get DHCP serving to work on VLAN (so I could lease an IP from pool specific for the VLAN on which the interface (device) was associated)
  • When DHCP was set to vlan10 (rather than bridge), could not reach DHCP server when doing ipconfig /renew
  • When enabling VLAN filtering lost all connection to switch and had to hard reset - there's probably a smart way to manage this like management interface?


What I didn't try/would like to achieve/unclear:
  • Having the switch do the NAT rather than ISP-provided router
  • Whitelisting wireless devices like iPad consuming from wired devices like NAS
  • ISP-router address space currently 192.168.1.1/24. Can I have Mikrotik address pools as 10.10.0.0/24 (say vlan10) and 10.20.0.0/24 (vlan20) and it would work/translate with the router address space?


Appreciate the above is lacking in detail, and no export of config file, given I've had to go back to default config at end of weekend to use internet connectivity for day job. Will happily try again, and share config, but would REALLY REALLY appreciate some further inspiration and support. I also appreciate that taking this leap into such a managed switch is one of faith for the learning and flexibility/power it offers.

Thanks so much for any help / tips
EDIT: Corrected icons used for router & switch
Last edited by LstGoatOnHill on Sat Dec 10, 2022 8:03 pm, edited 3 times in total.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Newbie CRS312 trouble with VLAN & DHCP

Tue Dec 06, 2022 5:07 pm

VLAN + DHCP again? The nth time in a week or two.
Have you checked this? search.php?keywords=DHCP+VLAN
and especially this viewtopic.php?t=143620
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Newbie CRS312 trouble with VLAN & DHCP

Tue Dec 06, 2022 5:59 pm

Why use a switch as a router? Its throughput at Layer 3 is lousy.
The only way it makes sense is if it is the ISP router that is providing DHCP etc....
Heck, it's likely even the ASUS would be far better in place of the MT device.

Something like this would have been more appropriate for Routing & Switching.........
https://mikrotik.com/product/ccr2116_12g_4splus

More in the same price range as a switch..... CCR2004-1G-12S+2XS
https://mikrotik.com/product/ccr2004_1g ... estresults

But I would have recommended the much cheaper RB5009, since you're not running 10G networks in Server Rack but have basic home devices.......
https://mikrotik.com/product/rb5009ug_s_in
 
LstGoatOnHill
just joined
Topic Author
Posts: 8
Joined: Fri Dec 02, 2022 11:00 pm

Re: Newbie CRS312 trouble with VLAN & DHCP

Fri Dec 09, 2022 9:40 pm

@anav Sorry I don't understand (again, network newbie here trying to learn). I'm not using the switch as a router (as far as I understand from the topology I've sketched). Is it perhaps I have the icons for switch and router mixed up? (the text against the icons is correct, so Internet > ISP Router > Mikrotik Switch). I have a 10GB nic on the desktop pc, and will soon upgrade some homelab servers to 10GB, hence choice of CRS312. I'm stuck with the ISP provided router (they don't allow bring your own device).

All I want to do is segregate the switch connected devices between ethernet connected and wireless, so 2 vlans. And then only allow some of the wireless devices from the second vlan to talk with the NAS on the first vlan. This is something appropriate for the switch (segregation by vlan, firewall rules)?
Last edited by LstGoatOnHill on Fri Dec 09, 2022 10:06 pm, edited 2 times in total.
 
LstGoatOnHill
just joined
Topic Author
Posts: 8
Joined: Fri Dec 02, 2022 11:00 pm

Re: Newbie CRS312 trouble with VLAN & DHCP

Fri Dec 09, 2022 9:46 pm

Have you checked this? search.php?keywords=DHCP+VLAN
and especially this viewtopic.php?t=143620
Yes & yes, as per my OP
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Newbie CRS312 trouble with VLAN & DHCP

Sat Dec 10, 2022 1:46 pm

Please show your config: /export hide-sensitive file=anynameyoulike
And just make sure you removed any personal information
 
LstGoatOnHill
just joined
Topic Author
Posts: 8
Joined: Fri Dec 02, 2022 11:00 pm

Re: Newbie CRS312 trouble with VLAN & DHCP

Sat Dec 10, 2022 2:33 pm

@erlinden - I reset many times, going to give it another go today.

Question. My ISP router is on 192.168.1.1 with a subnet mask of 255.255.255.0.

Can I still create vlans on the switch with address spaces of 10.10.0.0/24 and 10.20.0.0/24, and have internet traffic go to the router? Do I have to have NAT in place to do this? Thanks!
 
mkx
Forum Guru
Posts: 11442
Joined: Thu Mar 03, 2016 10:23 pm

Re: Newbie CRS312 trouble with VLAN & DHCP

Sat Dec 10, 2022 3:34 pm

You can have LAN addresses any way you like as long as they don't overlap with other addresses ... in your case you have to avoid "WAN" address space, which is 192.168.1.0/24.

Yes, you need NAT unless ISP router is configured to be aware of your LAN subnets.
 
LstGoatOnHill
just joined
Topic Author
Posts: 8
Joined: Fri Dec 02, 2022 11:00 pm

Re: Newbie CRS312 trouble with VLAN & DHCP

Sat Dec 10, 2022 3:37 pm

Hi experts,

Just tried setting up custom CRS312 switch config again, first to establish a single VLAN10 with associated DHCP server. DHCP is working, getting lease in expected range (10.0.10.2-10.0.10.254). However, no access via my ISP router (192.168.1.1). A NAT/forwarding issue? Internet comes in on interface ether1, testing with desktop PC on interface combo1. Most grateful for any help, thank-you
# jan/02/1970 00:27:07 by RouterOS 6.48.6
# software id = 11IW-BE7S
#
# model = CRS312-4C+8XG
# serial number = xxx
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge name=BLUE_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN name=BLUE_DHCP
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=combo1 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
/interface list member
add interface=ether1 list=WAN
add interface=BLUE_VLAN list=VLAN
/ip address
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/system identity
set name=RouterOS
/system routerboard settings
set boot-os=router-os
/system swos
set allow-from-ports=p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12 identity=MikroTik
 
LstGoatOnHill
just joined
Topic Author
Posts: 8
Joined: Fri Dec 02, 2022 11:00 pm

Re: Newbie CRS312 trouble with VLAN & DHCP

Sat Dec 10, 2022 9:30 pm

Thinking the internet access issue is because the dns server address 192.168.0.1 might be wrong, given the address space of the router (192.168.1.1, subnet mask 255.255.255.0).

Would be very much grateful for an expert eye over the rest of my config, thank-you
 
mkx
Forum Guru
Posts: 11442
Joined: Thu Mar 03, 2016 10:23 pm

Re: Newbie CRS312 trouble with VLAN & DHCP

Sun Dec 11, 2022 11:42 am

I don't see how CRS gets WAN IP address. There isn't a DHCP client (bound to ether1) nor static IP address assignment (together with default route, DNS server, etc.) shown in config export. Without that CRS can not route between LAN and ISP router.
Setting 192.168.0.1 as DNS server is not wrong, client requests can be routed within ISP's network as needed (and it's not very common for ISP to run DNS servers on each CPE, they tend to use a central DNS server for all clients). You should verify though that it's a valid DNS server address ... e.g. what is the source of this information? If you intend to use DHCP client to configure WAN interface, then you can remove this setting from DHCP network settings and enable "use DNS server" (or whatever the exact wording) in DHCP client ... which will make DHCP server to pass acquired values on to LAN clients.

SRC NAT rule looks fine. The rest of firewall filter setup is pretty basic but safe and should suffice for basic needs.
 
LstGoatOnHill
just joined
Topic Author
Posts: 8
Joined: Fri Dec 02, 2022 11:00 pm

Re: Newbie CRS312 trouble with VLAN & DHCP

Sun Dec 11, 2022 12:16 pm

Thanks for the review and feedback @mkx

With regard to "There isn't a DHCP client (bound to ether1) nor static IP address assignment (together with default route, DNS server, etc.) shown in config export", do you mean something like adding the below, or more?:
/ip route
add distance=1 gateway=192.168.0.1
I'll try and work out what you hint at with the rest through Sunday as a learning challenge! Thank-you again
 
Buckeye
Forum Veteran
Posts: 890
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Newbie CRS312 trouble with VLAN & DHCP

Sun Dec 11, 2022 1:13 pm

@LstGoatOnHill

No offense meant, but you really need to understand the difference between a switch and a router. After you get that under your belt, you can move to vlans. We aren't born with understanding about how networking works, and the complexity of networking is well hidden from users by a lot of engineering over the last 60 years. We have all been at a stage where we didn't understand this stuff, so it isn't something to be ashamed of, it is just that you will need to put in some effort to learn. For example, I think you have a misunderstanding of what vlans are. They are virtual LANs. And LANs are containers for ip subnets. Unless your ISP router supports multiple networks, or you put another router behind it that does, then vlans won't help. That's why @anav said the CRS312 was a poor router, it can be configured to be a router, but that isn't what it was designed for, and its performance as a router will be very poor.

If you want to know how DHCP works, start with the easy to understand video by PieterExplainsTech here DHCP: How Your PC Gets Its IP Address. If that isn't technical enough, Chris Greer has a youtube video with Wireshark captures showing it in action here How DHCP Works // DHCP EXPLAINED. If this doesn't make sense, continue reading. I think the following is the best explained intro I am aware of.

I suggest reviewing Ed Harmoush's Practical Networking site https://www.practicalnetworking.net Ed has recently started a Networking Fundamentals course and he put the first module (with multiple videos) on Youtube. It's a good intro with very little assumptions about previous knowledge, and even if you think you already know this stuff, if you watch it, and give it your utmost attention, you will probably get a deeper understanding than you currently have. Ed has some of the best explained info about vlans Virtual Local Area Networks (VLANs) See the challenge quiz if you think you understand vlans. Ed also has a video covering the same info VLANs – the simplest explanation Here's an index to the vlan pages on PracticalNetworking

Since your diagram has "HomeLab" and I assume that is a home Networking Lab, Ed also covers more than just the fundamentals. Here's a good starting point for Networking topics in general (don't be put off by the CCNA, this is pretty generic info that you need to know, and explained in an easy to understand way). CCNA Index You can ignore the ACL stuff which is Cisco specific.
Last edited by Buckeye on Mon Dec 12, 2022 12:28 am, edited 2 times in total.
 
mkx
Forum Guru
Posts: 11442
Joined: Thu Mar 03, 2016 10:23 pm

Re: Newbie CRS312 trouble with VLAN & DHCP

Sun Dec 11, 2022 1:33 pm

As @Buckeye wrote: when configuring network device, it's necessary to have some knowledge about networking. When configuring Mikrotik device even more so.

To the question: if ISP's router has IP address of 192.168.1.1/24, then your CRS should have IP address on ether1 belonging to same subnet, i.e. 192.168.1.x/24. And corresponding default route would use gateway=192.168.1.1. One can not simply invent settings on one side because the other side expects things in certain way.
The other (more fail-safe) way is to configure DHCP client on ether1 interface ... it'll pull IP address and the rest of settings from ISP's router.
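
The two options described in the post above, written out as RouterOS commands. This is an added example, not part of the original thread; the static address 192.168.1.2 and the use of the ISP router as DNS server are assumptions, everything else comes from the config export and addresses quoted in the thread.

```routeros
# Added example, not from the thread. Use option A OR option B, not both.
# ether1 is the WAN-side port from the posted export; it stays out of the bridge.

# Option A: DHCP client on ether1. The CRS pulls its address, default route
# and DNS servers from the ISP router.
/ip dhcp-client
add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

# Option B: static WAN addressing. The address must sit inside the ISP
# router's subnet (192.168.1.0/24) and the gateway must be the ISP router.
# 192.168.1.2 is an assumed free address; pick one the ISP router's own
# DHCP server will not hand out to another device.
/ip address
add address=192.168.1.2/24 interface=ether1
/ip route
add distance=1 gateway=192.168.1.1
# Assumption: the ISP router answers DNS queries itself.
/ip dns
set servers=192.168.1.1

# Checks for either option: ether1 has an address in 192.168.1.0/24,
# a default route exists, and the ISP router answers.
/ip address print where interface=ether1
/ip route print where dst-address=0.0.0.0/0
/ping 192.168.1.1 count=3
```

With either option in place, the existing masquerade rule on out-interface-list=WAN hides 10.0.10.0/24 behind the CRS's ether1 address, so the ISP router needs no knowledge of the VLAN subnet.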
 
LstGoatOnHill
just joined
Topic Author
Posts: 8
Joined: Fri Dec 02, 2022 11:00 pm

Re: Newbie CRS312 trouble with VLAN & DHCP

Sun Dec 11, 2022 1:43 pm

@Buckeye - No offence taken, absolutely spot on about needing to put the effort in to gain the knowledge. Thanks so much for references to the learning material, that's super useful, and will get started on that right away, as I do want to be more self-sufficient and independent in this stuff.

@mkx - Spot on too, and thanks for the hints, will look into that.
