Hi! After many years of using Mikrotik devices finally I need to implement VLANs, and with no luck. I read a lot of materials but because my network is not as simple as in the examples, and because my different devices need different VLANs implementations (some through bridges, some through switches), I'm stuck.
Here is a diagram of what I want to achieve.
So, I need two VLANs. VLAN1 - is a main home network (also a management network) and VLAN2 - is a guest network with less access.
DHCP, DNS, NAT, VPNs, common firewall rules, and all other main network services are on the R1 router, it's my central router. R2 - it's dumb AP. R3 - it's a dumb switch.
Because I need DHCP on R1, I can't configure it like a dumb switch with VLANs through a switch chip as in most of the examples. I tried to make two bridges (CRS112 can do hw-offload on many bridges) with VLANs in them but with no luck. I tried to make one bridge with two VLANs on it, but also with no luck. I tried to make VLANs on a switch chip, again with no luck.
Taking into account the weak CPU on R1, I need to use hw-offload whenever I can.
So I'll be very pleased if anybody helps me. I do not need help with DNS, DHCP, and other services, all I need is to figure out how to make VLANs on R1 and R2 taking into account device models. Cause as I understand CRS112 - is a special guy in the case of VLANs.
Can't figure out how to make VLANs in config: AP<->Router(DHCP)<->Switch.
You do not have the required permissions to view the files attached to this post.
Re: Can't figure out how to make VLANs in config: AP<->Router(DHCP)<->Switch.
What you are proposing is pretty straight forward. Unfortunately I don't use bridges in RouterOS so I can't help you with that part. You should only need one bridge.
One thing I will strongly suggest. Do not use VLAN 1. Too many devices out there that treat VLAN 1 as "special". It will potentially cause unexpected results. Not a problem with either RouterOS or SwitchOS, but depending on what other devices get connected to the network, it could be an issue. Use any other valid number, but avoid VLAN 1.
One thing I will strongly suggest. Do not use VLAN 1. Too many devices out there that treat VLAN 1 as "special". It will potentially cause unexpected results. Not a problem with either RouterOS or SwitchOS, but depending on what other devices get connected to the network, it could be an issue. Use any other valid number, but avoid VLAN 1.
Re: Can't figure out how to make VLANs in config: AP<->Router(DHCP)<->Switch.
Oh, yeah, I know. I didn't use vlanID = 1. By labels VLAN1 and VLAN2 on the network diagram, I mean that there is one VLAN, and there is another. Actual values for VLAN ID were 10 and 20.Do not use VLAN 1.
Re: Can't figure out how to make VLANs in config: AP<->Router(DHCP)<->Switch.
ONE bridge on each device.
All vlans with interface bridge (bridge does no dhcp).
Each device has a MANAGE interface list, with the trusted subnet as the only member
AP is simply an AP/Switch, only vlan identified is the trusted vlan and IP address is a static IP on the trusted vlan
Do not use vlan id=1. Stick to anything but, thus something like vlan10-trusted, vlan20-guest
hapac example........... assuming vlan10 is 192.168.10.0/24 and vlan20 is 192.168.20.0/24 and IP of hap is 192168.10.84/24
The CCR would not be significantly different other than you need firewall rules.
You need two define all the vlans, including IP pool, ip address, dhcp server, dhcp-server-network.
Also define interface LAN, WAN, management.
All vlans with interface bridge (bridge does no dhcp).
Each device has a MANAGE interface list, with the trusted subnet as the only member
AP is simply an AP/Switch, only vlan identified is the trusted vlan and IP address is a static IP on the trusted vlan
Do not use vlan id=1. Stick to anything but, thus something like vlan10-trusted, vlan20-guest
hapac example........... assuming vlan10 is 192.168.10.0/24 and vlan20 is 192.168.20.0/24 and IP of hap is 192168.10.84/24
Code: Select all
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=emergaccess5
/interface vlan
add interface=bridgegym name=homeVlan vlan-id=10 { mandatory, management vlan must be identified in /interface vlan - do not put any other vlans here!! }
/interface list
add name=management
/interface wireless
/interface bridge port
add bridge=bridgegym frame-types=admit-only-tagged vlans ingress-filtering=yes interface=ether1 comment="trunk to router"
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=20
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=homeWLan pvid=10
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=guestWLAN pvid=20
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=ether2,homeWLan vlan-ids=10
add bridge=bridgegym tagged=ether1 untagged=ether3,guestWlan vlan-ids=20
/interface list members
add interface=homeVlan list=management
add interface=emergaccess5 list=management
/ip address
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0 comment="IP of capac on trusted subnet"
add address=192.168.55.1/24 interface=emergaccess network=192.168.55.0 comment="ether5 access off bridge"
/ip dns
set allow-remote-requests=yes servers=192.168.10.1 comment="dns through trusted subnet gateway"
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=managementYou need two define all the vlans, including IP pool, ip address, dhcp server, dhcp-server-network.
Also define interface LAN, WAN, management.
Last edited by anav on Fri Feb 24, 2023 9:07 pm, edited 2 times in total.
Re: Can't figure out how to make VLANs in config: AP<->Router(DHCP)<->Switch.
I tried something like that compiled with this viewtopic.php?t=143620 and this viewtopic.php?t=189294#p957624
Here what I have for now.
AP [R2] configuration. Here I have vlan10 and vlan20. vlan10 is a main/management vlan, so it has DHCP client and made by /interface vlan, not only /interface bridge vlan, vlan20 - is a guest vlan, ether3 - is a trunk port to main router [R1].
Firewalls are completely disabled on both devices.
Router [R1] configuration. Here I have vlan10, and vlan20 configured via /interface vlan, /interface bridge vlan, and via switch chip, ether3 - is a trunk port to AP [R1].
With this config wlan clients can't get IP from DHCP server [R1], but AP [R2] succsesfully got IP on vlan10 interface.
Here what I have for now.
AP [R2] configuration. Here I have vlan10 and vlan20. vlan10 is a main/management vlan, so it has DHCP client and made by /interface vlan, not only /interface bridge vlan, vlan20 - is a guest vlan, ether3 - is a trunk port to main router [R1].
Firewalls are completely disabled on both devices.
Code: Select all
# feb/24/2023 20:37:38 by RouterOS 7.7
# model = RBD53iG-5HacD2HnD
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1-trunk
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-2ghz pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-5ghz pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-2ghz pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-5ghz pvid=20
/interface bridge vlan
add bridge=bridge tagged=ether1-trunk,bridge untagged=wifi1-2ghz,wifi1-5ghz vlan-ids=10
add bridge=bridge tagged=ether1-trunk untagged=wifi2-2ghz,wifi2-5ghz vlan-ids=20
/ip dhcp-client
add interface=vlan10
Router [R1] configuration. Here I have vlan10, and vlan20 configured via /interface vlan, /interface bridge vlan, and via switch chip, ether3 - is a trunk port to AP [R1].
Code: Select all
# feb/24/2023 20:47:48 by RouterOS 7.7
# model = CRS112-8P-4S
/interface bridge
add name=bridge
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/ip pool
add name=pool10 ranges=192.168.110.10-192.168.110.254
add name=pool20 ranges=192.168.120.10-192.168.120.254
/ip dhcp-server
add address-pool=pool10 interface=vlan10 name=dhcp10
add address-pool=pool20 interface=vlan20 name=dhcp20
/interface bridge port
add bridge=bridge interface=ether3-trunk
add bridge=bridge interface=sfp9 pvid=10
add bridge=bridge interface=sfp10 pvid=20
/interface bridge vlan
add bridge=bridge tagged=ether3-trunk untagged=sfp9 vlan-ids=10
add bridge=bridge tagged=ether3-trunk untagged=sfp10 vlan-ids=20
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,ether3-trunk vlan-id=10
add tagged-ports=switch1-cpu,ether3-trunk vlan-id=20
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=sfp9
add customer-vid=0 new-customer-vid=20 ports=sfp10
/interface ethernet switch vlan
add ports=switch1-cpu,ether3-trunk,sfp9 vlan-id=10
add ports=switch1-cpu,ether3-trunk,sfp10 vlan-id=20
/ip dhcp-server network
add address=192.168.110.0/24 dns-server=192.168.110.1 gateway=192.168.110.1 netmask=24
add address=192.168.120.0/24 dns-server=192.168.120.1 gateway=192.168.120.1 netmask=24
/ip address
add address=192.168.120.1/24 interface=vlan20 network=192.168.120.0
add address=192.168.110.1/24 interface=vlan10 network=192.168.110.0
With this config wlan clients can't get IP from DHCP server [R1], but AP [R2] succsesfully got IP on vlan10 interface.
Re: Can't figure out how to make VLANs in config: AP<->Router(DHCP)<->Switch.
Your hapac3 doesnt look like mine in setup................. lead a horse to water................. 
Will look at main router when have time.
Okay easy peasy
You forgot something.
/interface bridge vlan
add bridge=bridge tagged=ether3-trunk untagged=sfp9 vlan-ids=10
add bridge=bridge tagged=ether3-trunk untagged=sfp10 vlan-ids=20
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3-trunk untagged=sfp9 vlan-ids=10
add bridge=bridge tagged=bridge,ether3-trunk untagged=sfp10 vlan-ids=20
Maybe not you are doing it the funky chip way which I have no clue about............
Will look at main router when have time.
Okay easy peasy
You forgot something.
/interface bridge vlan
add bridge=bridge tagged=ether3-trunk untagged=sfp9 vlan-ids=10
add bridge=bridge tagged=ether3-trunk untagged=sfp10 vlan-ids=20
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3-trunk untagged=sfp9 vlan-ids=10
add bridge=bridge tagged=bridge,ether3-trunk untagged=sfp10 vlan-ids=20
Maybe not you are doing it the funky chip way which I have no clue about............
Re: Can't figure out how to make VLANs in config: AP<->Router(DHCP)<->Switch.
Made this on R1. But unfortunately, it didn't help. Wlan clients still can't get IP from DHCP.
I think issue somewhere in the switch chip configuration. Manuals say that CRS series need to be configured in a special way in cases of VLAN. But all examples I found end with port switching, and neither of them shows how to pass VLAN traffic to the CPU.
Code: Select all
/interface bridge vlan
add bridge=bridge tagged=ether3-trunk,bridge untagged=sfp9 vlan-ids=10
add bridge=bridge tagged=ether3-trunk,bridge untagged=sfp10 vlan-ids=20
I think issue somewhere in the switch chip configuration. Manuals say that CRS series need to be configured in a special way in cases of VLAN. But all examples I found end with port switching, and neither of them shows how to pass VLAN traffic to the CPU.
Re: Can't figure out how to make VLANs in config: AP<->Router(DHCP)<->Switch.
Check out paraP. on the article - viewtopic.php?t=182373
The correct method is there somewhere......
The correct method is there somewhere......
Who is online
Users browsing this forum: Bing [Bot] and 64 guests