timov
just joined
Topic Author
Posts: 3
Joined: Tue Feb 20, 2024 5:45 pm

RB5009 VLAN initial setup

Tue Feb 20, 2024 6:11 pm

Hello world!

I'm struggling to set up an RB5009 with VLAN. I tried to follow the examples from the manual. Unfortunately, I cannot make it work.

My attempt so far is:
  • use the latest firmware
  • start from factory settings
  • create a management port (ether8)
  • create a first VLAN (194) on bridge port ether5, access port
  • make the RB5009 reachable on ether5, IPv4 (address 10.126.194.1/24)
  • set up DHCP in VLAN
The result on a client machine attached to ether5 is:
  • no dhcp address assignment
  • when trying with a manually set IP address, I cannot reach (ping) the RB5009
  • wireshark on the client sees:
    • STP, CDP traffic from RB5009
    • ICMPv6, DHCP, MDNS traffic from the client machine
  • RB5009 sees the MAC of the client machine in Bridge > Hosts
I would appreciate any help. :)

Kind regards,
Timo
# 1970-01-06 20:04:05 by RouterOS 7.13.5
# software id = TFGT-4B36
#
# model = RB5009UG+S+
# serial number = x
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan-og-main vlan-id=194
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=mgmt ranges=192.168.89.220-192.168.89.239
add name=og-main ranges=10.126.194.193-10.126.194.254
/ip dhcp-server
add address-pool=mgmt interface=ether8 name=mgmt server-address=192.168.88.2
add address-pool=og-main interface=vlan-og-main name=og-main server-address=10.126.194.1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=194
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether8 list=LAN
add interface=vlan-og-main list=LAN
/ip address
add address=192.168.89.1/24 interface=ether8 network=192.168.89.0
add address=10.126.194.1/24 interface=vlan-og-main network=10.126.194.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.126.194.0/24 dns-server=10.126.194.1 gateway=10.126.194.1 netmask=24
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB5009 VLAN initial setup [SOLVED]

Tue Feb 20, 2024 6:22 pm

The de facto guideline for setting up VLANs on ROS:
viewtopic.php?t=143620

Read, digest, think it over.
Reread, apply, think it over.
Rinse and repeat until it all sinks in :D
 
timov
just joined
Topic Author
Posts: 3
Joined: Tue Feb 20, 2024 5:45 pm

Re: RB5009 VLAN initial setup

Tue Feb 20, 2024 6:38 pm

Thank you!

The missing piece in my setup was to add the bridge itself explicitly to VLAN 194, tagged, with
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=194
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: RB5009 VLAN initial setup

Tue Feb 20, 2024 6:38 pm

Also, if not using IPv6, disable it and remove all the firewall address lists and firewall rules......
https://www.youtube.com/watch?v=4Z32oOPqCqc&t=787s
 
timov
just joined
Topic Author
Posts: 3
Joined: Tue Feb 20, 2024 5:45 pm

Re: RB5009 VLAN initial setup

Tue Feb 20, 2024 6:41 pm

Also, if not using IPv6, disable it and remove all the firewall address lists and firewall rules......
https://www.youtube.com/watch?v=4Z32oOPqCqc&t=787s
Thank you -- I plan to add IPv6 as the next step now :)
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: RB5009 VLAN initial setup

Tue Feb 20, 2024 6:44 pm

You are braver than I.
I actually looked at your config and I am surprised anything is working........

First off, if you are going to use VLANs across more than one port as well as other subnets, it's best to create VLANs for each subnet.
Then we are dealing with apples and apples and everything is clear and plays nice together.
Unfortunately you have a mixed bag of fruit and some of that fruit is rotten.

For example.
You clearly want a general subnet, and one would assume it is associated with the bridge (which I would change to a VLAN asap).
Let's look at the evidence.......

First you have a single vlan, and that is attached to the bridge..... all good so far
/interface vlan
add interface=bridge name=vlan-og-main vlan-id=194


Then you have two POOLS for DHCP, one for the VLAN and one for the management (assuming this is the bridge subnet you want to have)
/ip pool
add name=mgmt ranges=192.168.89.220-192.168.89.239
add name=og-main ranges=10.126.194.193-10.126.194.254


Then you have two DHCP servers, and this is where things go off the rails......... You assign the management pool to ether8, and not the bridge.
So I am thinking: EITHER the interface is wrong (not ether8), OR you forgot to have a SUBNET pool for the bridge?? I'm assuming you forgot about a bridge pool and bridge DHCP server then.
/ip dhcp-server
add address-pool=mgmt interface=ether8 name=mgmt server-address=192.168.88.2
add address-pool=og-main interface=vlan-og-main name=og-main server-address=10.126.194.1


In bridge ports, things get more confusing........... I can understand the VLAN going out untagged on ether5 and possibly
going out as tagged over ports 2-4, 7, sfpplus1 (need to see bridge vlans to confirm) BUT......
ETHER6 makes no sense..... you have frame-types set up as if it's an access port but no PVID???
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=194
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=sfp-sfpplus1


Next you only have two IP addresses articulated...... the vlan address, and the ether8 management address.
But where is the bridge associated address???
/ip address
add address=192.168.89.1/24 interface=ether8 network=192.168.89.0
add address=10.126.194.1/24 interface=vlan-og-main network=10.126.194.0


I note that the bridge DHCP server network also only contains entries for the management network and the VLAN subnet. Besides the potentially missing subnet, my concern is the addition of netmask to the rule.
If you entered that, remove it; it is not required........
/ip dhcp-server network
add address=10.126.194.0/24 dns-server=10.126.194.1 gateway=10.126.194.1 netmask=24
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1 netmask=24


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Easily fixed.
add vlan11 to the bridge
create a pool for it, dhcp-server, dhcp-server network, ip address.
then on bridge port assign access ports pvid11 if required to 2-4, 7, sfpplus1 or the applicable ports etc.........

AKA the bridge does no dhcp etc....... easy peasy.
Last edited by Mesquite on Tue Feb 20, 2024 7:04 pm, edited 3 times in total.
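As an added check, not from the thread or from MikroTik: a small Python lint over an excerpt constructed from the export posted above, flagging the two problems found in this thread, the bridge missing as a tagged member of VLAN 194 (timov's fix) and ether6 set up as an access port without a pvid (Mesquite's point). The names parse_export, lint_vlans and the EXPORT excerpt are the example's own assumptions.

```python
import re
# Excerpt constructed from the export posted above (only the sections this check reads).
EXPORT = """\
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan-og-main vlan-id=194
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=194
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6
"""
def parse_export(text):
    # Map each '/section' header to a list of {key: value} dicts, one per 'add' line.
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            # values are bare tokens or double-quoted strings (comment="...")
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections
def lint_vlans(text):
    # Return a list of finding strings; an empty list means nothing was flagged.
    cfg = parse_export(text)
    findings = []
    bridges = {b["name"] for b in cfg.get("/interface bridge", [])
               if b.get("vlan-filtering") == "yes"}
    bridge_vlans = cfg.get("/interface bridge vlan", [])
    # 1. A VLAN interface on a vlan-filtering bridge needs the bridge itself as a tagged
    #    member of that VLAN, or the CPU never sees the frames (vlan-ids is read as a
    #    comma list; RouterOS ranges such as 10-20 are not expanded here).
    for v in cfg.get("/interface vlan", []):
        if v.get("interface") not in bridges:
            continue
        tagged_on_bridge = any(
            e.get("bridge") == v["interface"]
            and v["vlan-id"] in e.get("vlan-ids", "").split(",")
            and v["interface"] in e.get("tagged", "").split(",")
            for e in bridge_vlans)
        if not tagged_on_bridge:
            findings.append(f"{v['name']}: {v['interface']} is not tagged on vlan {v['vlan-id']}")
    # 2. An untagged-only port with no pvid lands in VLAN 1 (the default), which is rarely
    #    what an access port is meant to do (the ether6 line in the export above).
    for p in cfg.get("/interface bridge port", []):
        if p.get("frame-types") == "admit-only-untagged-and-priority-tagged" and "pvid" not in p:
            findings.append(f"{p['interface']}: access-style frame-types but no pvid (defaults to 1)")
    return findings
```

Appending the "/interface bridge vlan" entry from timov's reply to the excerpt clears the first finding and leaves only the ether6 one.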
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RB5009 VLAN initial setup

Tue Feb 20, 2024 6:46 pm

You are braver than I.
Put it on a "someday/maybe" list. Then at least you can decide not to look at it :lol:
(same here BTW)
