JexSrs
just joined
Topic Author
Posts: 4
Joined: Wed May 10, 2023 6:18 pm

VLANs and trunk/access ports

Wed May 10, 2023 7:37 pm

Hello everyone,

I am new to the MikroTik world and to networking in general, and I want to create some VLANs alongside a trunk port and an access port.
We will only touch the main MikroTik (hEX S) and not the switch or other devices.

The result I want to achieve is to create four VLANs in my MikroTik router and trunk all of them to one port so my Unifi switch can use them.
I also want an access port for only one of the VLANs to be able to access that network directly from the router.

My setup is as follows:

Bridges
1. bridge_main: A bridge with minimal configuration
  • It has no VLANs
  • It has a DHCP server attached
  • The addresses are 10.0.0.1/23
  • It is assigned to the ether5 port (to connect to the MikroTik without caring for the rest of the setup, like a fail-safe).
2. bridge_shared: A bridge where all configuration will be done
  • All VLANs are assigned to it
  • VLAN Filtering is enabled
  • It is assigned to ether2 as a trunk port and, for testing each VLAN, to ether4 as an access port (in this case for vlan10_iot)
VLANs
1. vlan10_iot
  • ID is 10
  • It has a DHCP server attached
  • The addresses are 10.0.10.1/24
  • It is attached to bridge_shared
2. vlan20_security: With similar configuration as above
3. vlan30_home: With similar configuration as above
4. vlan40_guest: With similar configuration as above

The address of the router is 10.0.0.1 (which falls inside the bridge_main dhcp server range).

This was the abstract part, the actual configuration is:
/interface bridge # Create the bridges
add admin-mac=08:55:31:DA:F6:E0 auto-mac=no name=bridge_main
add name=bridge_shared vlan-filtering=yes

/interface vlan # Create the VLANs and assign them to the bridge_shared
add interface=bridge_shared name=vlan10_iot vlan-id=10
add interface=bridge_shared name=vlan20_security vlan-id=20
add interface=bridge_shared name=vlan30_home vlan-id=30
add interface=bridge_shared name=vlan40_guest vlan-id=40

/interface list # Not sure where these two are used, they come with the default config
add name=WAN
add name=LAN

/ip pool # The ip pools for main bridge and VLANs
add name=pool_main ranges=10.0.0.2-10.0.0.254 # Range is cut short on purpose here; I want DHCP to only assign in this range, all of 10.0.1.2 - 10.0.1.254 will be static
add name=pool_vlan10 ranges=10.0.10.2-10.0.10.254
add name=pool_vlan20 ranges=10.0.20.2-10.0.20.254
add name=pool_vlan30 ranges=10.0.30.2-10.0.30.254
add name=pool_vlan40 ranges=10.0.40.2-10.0.40.254

/ip dhcp-server # The DHCP servers, they are assigned to bridge_main and to each VLAN
add address-pool=pool_main disabled=no interface=bridge_main name=dhcp_main
add address-pool=pool_vlan10 disabled=no interface=vlan10_iot name=dhcp_vlan10
add address-pool=pool_vlan20 disabled=no interface=vlan20_security name=dhcp_vlan20
add address-pool=pool_vlan30 disabled=no interface=vlan30_home name=dhcp_vlan30
add address-pool=pool_vlan40 disabled=no interface=vlan40_guest name=dhcp_vlan40

/interface bridge port # Assigned bridges to ports
add bridge=bridge_shared interface=ether2 # The trunk port
add bridge=bridge_shared interface=ether4 # An access port used for testing each VLAN on its own.
add bridge=bridge_main interface=ether5

/interface bridge vlan # Tag VLANs to the bridge_shared and ether2 (the trunk port) and untag only one to the ether4
add bridge=bridge_shared tagged=bridge_shared,ether2 untagged=ether4 vlan-ids=10
add bridge=bridge_shared tagged=bridge_shared,ether2 vlan-ids=20
add bridge=bridge_shared tagged=bridge_shared,ether2 vlan-ids=30
add bridge=bridge_shared tagged=bridge_shared,ether2 vlan-ids=40

/interface list member # Again not sure what this does, it comes with the default config
add interface=bridge_main list=LAN
add interface=ether1 list=WAN

/ip address # The ip addresses assigned to each VLAN and bridge_main
add address=10.0.0.1/23 interface=bridge_main network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10_iot network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20_security network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30_home network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40_guest network=10.0.40.0

/ip dhcp-server lease # Some static leases for the devices I want to assign only in vlan10_iot (they are not currently assigned there)
add address=10.0.0.2 comment="Switch - Unifi Flex Mini" mac-address=F4:92:BF:A3:BB:F2 server=dhcp_main # A unifi switch
add address=10.0.0.3 client-id=ff:1:1e:53:e4:0:1:0:1:28:80:89:f9:e4:5f:1:1e:53:e4 comment="Raspberry Pi 4 Model B" mac-address=E4:5F:01:1E:53:E4 server=dhcp_main # A raspberry pi (runs docker servers)
add address=10.0.0.4 client-id=1:60:22:32:f0:97:89 comment=U6-Pro mac-address=60:22:32:F0:97:89 server=dhcp_main # A unifi access point

/ip dhcp-server network # The networks for each DHCP server
add address=10.0.0.0/23 gateway=10.0.0.1 netmask=23
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=10.0.40.0/24 gateway=10.0.40.1 dns-server=1.1.1.1,1.0.0.1

/ip dns # Some DNS records
set allow-remote-requests=yes use-doh-server=https://dns.nextdns.io/******/Mikrotik verify-doh-cert=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
I have deactivated all configured firewall rules (temporarily, until the VLAN setup is finished), so I excluded them from the configuration.

The problem I have is that the trunk/access ports do not work. When I connect a device to the access port it is not assigned an IP address and does not have access to the internet.
I searched a lot on this forum and other sites but the problem remains. I even tried to follow some YouTube videos.

Some of the requirements I have and would like to keep (if possible and they are not the source of the problem) are:
1. The DHCP for each VLAN is assigned to the VLAN. What I mean is that I don't want to assign the dhcp and vlan to a new bridge only for this vlan.
2. All VLANs are assigned to only one bridge which is then assigned to different trunk/access ports.
3. Keep the bridge_main as a separate bridge used for accessing the router (ether5)
4. Keep it simple, so if I want to change or assign more trunk/access ports to the router it will be easy to do (like only assigning the bridge and adding one more tag).
5. Keep the naming conventions: for a bridge the name will start with "bridge_", for a vlan it will start with "vlanXX_", a dhcp will start with "dhcp_" etc.
I am familiar with the terminology, so no need to explain that part (except if I did something stupid above). If possible I want very verbose responses that explain what I have to do, because I am new to this area.

Thank you everyone.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs and trunk/access ports

Fri May 12, 2023 4:16 am

One bridge, all vlans to that bridge.
If you want to config safely take one port off the bridge give it an IP address and access via iPV4 settings on laptop.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLANs and trunk/access ports  [SOLVED]

Fri May 12, 2023 10:08 am

On the access port, you need to define the VLAN you want access to as the pvid (this is in the /interface bridge port stanza).

For ether4 as an access port for VLAN 10:

/interface bridge port # Assigned bridges to ports
add bridge=bridge_shared frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10

/interface bridge vlan # Tag VLANs to the bridge_shared and ether2 (the trunk port) and untag only one to the ether4
add bridge=bridge_shared tagged=bridge_shared,ether2 untagged=ether4 vlan-ids=10

A relevant part of the documentation:

VLAN Example - InterVLAN Routing by Bridge The trunk port could go to another switch or to the UniFi access point, but unless you have told UniFi to use vlans for management, it will expect that management will be untagged (it does not have to be vlan 1, it just has to be untagged). To make it a trunk with an untagged vlan, specify the vlan you want untagged as the pvid on /interface bridge port and it will also be untagged on /interface bridge vlan for the port with pvid set.

And you really should read all of Bridge VLAN Filtering and at least skim Bridging and Switching

And I agree with @anav, forget about 3. Keep the bridge_main as a separate bridge used for accessing the router (ether5)

There is no reason you need a separate bridge, and it goes against 4. Keep it simple, so if I want to change or assign more trunk/access ports to the router it will be easy to do (like only assigning the bridge and adding one more tag).
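The mismatch Buckeye points out (ether4 listed as untagged for VLAN 10 while its bridge-port entry still has the default pvid of 1) is easy to miss in a long export. Below is an added consistency check written for this page; it is not code from the thread or from MikroTik. It parses the `/interface bridge port` and `/interface bridge vlan` stanzas in the export format shown in the original post and reports untagged interfaces whose pvid does not match, interfaces referenced in the VLAN table that are not bridge ports, and access ports that still admit tagged frames. The `ORIGINAL` and `FIXED` strings are constructed from the lines posted above; the `frame-types=admit-only-untagged-and-priority-tagged` check follows the corrected line in the answer.

```python
"""Lint RouterOS bridge VLAN stanzas for access-port / pvid mismatches.

Added example for this thread (not from the forum post or from MikroTik).
Assumes the `/path` + `add key=value ...` export format shown in the post.
"""
import shlex


def parse_export(text):
    """Return {stanza_path: [ {key: value, ...}, ... ]} for every `add` line.

    Trailing `# comment` text (as in the poster's annotated export) is dropped
    before splitting; `set` lines and empty lines are ignored.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # assumes no ' #' inside quoted values
        if not line:
            continue
        if line.startswith("/"):
            current = line
            stanzas.setdefault(current, [])
            continue
        if current is None or not line.startswith("add "):
            continue
        entry = {}
        for tok in shlex.split(line[4:]):  # shlex keeps comment="a b" together
            key, _, val = tok.partition("=")
            entry[key] = val
        stanzas[current].append(entry)
    return stanzas


def split_list(value):
    """'a,b,c' -> ['a', 'b', 'c']; '' -> []."""
    return [v for v in value.split(",") if v] if value else []


def expand_vlan_ids(spec):
    """'10' -> [10]; '20,30-32' -> [20, 30, 31, 32] (RouterOS vlan-ids syntax)."""
    ids = []
    for part in split_list(spec):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def lint_bridge_vlans(stanzas):
    """Return a list of human-readable findings; an empty list means consistent."""
    ports = stanzas.get("/interface bridge port", [])
    vlans = stanzas.get("/interface bridge vlan", [])
    port_by_key = {(p.get("bridge"), p.get("interface")): p for p in ports}
    findings = []
    for v in vlans:
        bridge = v.get("bridge")
        vids = expand_vlan_ids(v.get("vlan-ids", ""))
        for iface in split_list(v.get("tagged", "")):
            # The bridge itself may be tagged (that is how the CPU gets the VLAN).
            if iface != bridge and (bridge, iface) not in port_by_key:
                findings.append(f"{iface}: tagged for VLAN(s) {vids} but not a port of {bridge}")
        for iface in split_list(v.get("untagged", "")):
            if iface == bridge:
                continue
            port = port_by_key.get((bridge, iface))
            if port is None:
                findings.append(f"{iface}: untagged for VLAN(s) {vids} but not a port of {bridge}")
                continue
            pvid = int(port.get("pvid", "1"))  # RouterOS default pvid is 1
            if len(vids) != 1:
                findings.append(f"{iface}: untagged in more than one VLAN {vids}")
            elif pvid != vids[0]:
                findings.append(
                    f"{iface}: untagged in VLAN {vids[0]} but bridge port pvid is {pvid}; "
                    f"set pvid={vids[0]} on its /interface bridge port entry"
                )
    # An access port (pvid other than 1) should not accept tagged frames from the client side.
    for (bridge, iface), port in port_by_key.items():
        if port.get("pvid", "1") != "1" and \
                port.get("frame-types", "admit-all") != "admit-only-untagged-and-priority-tagged":
            findings.append(
                f"{iface}: access port (pvid={port['pvid']}) still admits tagged frames; "
                "consider frame-types=admit-only-untagged-and-priority-tagged"
            )
    return findings


# Constructed from the bridge-port and bridge-vlan stanzas in the original post.
ORIGINAL = """
/interface bridge port # Assigned bridges to ports
add bridge=bridge_shared interface=ether2 # The trunk port
add bridge=bridge_shared interface=ether4 # An access port used for testing each VLAN on its own.
add bridge=bridge_main interface=ether5

/interface bridge vlan # Tag VLANs to the bridge_shared and ether2 and untag only one to ether4
add bridge=bridge_shared tagged=bridge_shared,ether2 untagged=ether4 vlan-ids=10
add bridge=bridge_shared tagged=bridge_shared,ether2 vlan-ids=20
add bridge=bridge_shared tagged=bridge_shared,ether2 vlan-ids=30
add bridge=bridge_shared tagged=bridge_shared,ether2 vlan-ids=40
"""

# The same stanzas with the ether4 line replaced by the corrected one from the answer above.
FIXED = ORIGINAL.replace(
    "add bridge=bridge_shared interface=ether4",
    "add bridge=bridge_shared frame-types=admit-only-untagged-and-priority-tagged "
    "interface=ether4 pvid=10",
)

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"[{label}]")
        for finding in lint_bridge_vlans(parse_export(cfg)) or ["no findings"]:
            print("  ", finding)
```

Run against the original export it reports exactly one finding, the ether4/pvid mismatch; against the corrected export it reports nothing. The same check can be pointed at a full `/export` file, since stanzas it does not know about are parsed and ignored.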
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANs and trunk/access ports

Fri May 12, 2023 11:05 am

And you really should read all of Bridge VLAN Filtering and at least skim Bridging and Switching
I think that reading RouterOS bridge mysteries explained should be recommended together with the other two links ... many inexperienced users have problems properly configuring the bridge due to the mist around it.
 
JexSrs
just joined
Topic Author
Posts: 4
Joined: Wed May 10, 2023 6:18 pm

Re: VLANs and trunk/access ports

Fri May 12, 2023 3:10 pm

Thank you everyone. Especially @Buckeye for the verbose answer, it really helped.

As for what @anav said and @Buckeye also highlighted, I will consider it.
I am still new to this and I want to keep it as a fail-safe, but at a later time it will surely be removed.

Also thank you @Buckeye and @mkx for the links, I will read all the documentation you posted here.

Again, thank you.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLANs and trunk/access ports

Fri May 12, 2023 8:28 pm

The @sindy post: RouterOS bridge mysteries explained that @mkx linked is excellent.

When I was learning the MikroTik vlan-filtering bridge, it was one of the most helpful resources for me to wrap my head around how to logically map what the bridge "entity" was, coming from EdgeRouter X vlan-aware switch0 and Cisco.

I have added a bit to what @sindy's post has, with respect to the internal trunk link between the switch and the CPU. My additions are in these posts, post #16, post #18, and post #19 from this thread Slow Hex file transfer speed. You may want to skim the thread, there are other posts there too with some hypotheses about hidden (arcane?) interactions in the bridge virtual connections between the CPU and the switch ASIC.
Last edited by Buckeye on Sun May 14, 2023 1:29 am, edited 1 time in total.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLANs and trunk/access ports

Fri May 12, 2023 8:44 pm

Since you only want a single fail-safe port to work from, there is no need for a second bridge. Just remove the port from the bridge_shared bridge. You can name interfaces, if you want to remove the need to refer to it as ether5.

Here's the easy way to do that.

You can do a google search for remove port from bridge site:mikrotik.com for more info.
