VLAN routes on RB5009

barte91 · Thu Dec 26, 2024 7:06 pm

Hi All,

I've configured an RB5009 with some VLAN, now I've 2 host; 1 in vlan 5 with IP Address 192.168.5.11 and one in Vlan 7 with IP 192.168.7.112, but from Vlan 7 I can't ping host in vlan 5, anyone can help me, please?

mio.rsc

Thu Dec 26, 2024 7:54 pm

Please start with viewtopic.php?t=143620

anav · Thu Dec 26, 2024 8:59 pm

The reference is excellent.
ONE BRIDGE
Once you go vlans, dont have the bridge handle anything (no dhcp) so whatever subnet you had on the bridge assign it a vlan......

Advice; Take one port off the bridge (at least temporarily) give it an IP address and do all the configuration from there for vlans from a safe spot!!
/interface ethernet
set [ find default-name=ether8] name=OffBridge8
/ip address
add address=192.168.65.1/29 interface=OffBridge8 network=192.168.65.0
/interface list member
add interface=Offbridge8 list=LAN { or trusted or base/management whatever is the interface list that is trusted )

Now plug in your laptop into ether8, change ipv4 settings to 192.168.65.2 and you should be in!!!

barte91 · Thu Dec 26, 2024 10:03 pm

Hi

@anav: Thank a lot but is not a problem, I've a LOCAL bridge on ether2 with spcific DHCP and IP Address and I can reach the RB5009

@BartoszP: I already read it, now I've a varous VLAN on my RB5009 like the screen, the port ether4 is connected on Cisco Switch with port in Trunk, allowed vlan 2,3,5,7,12,13,22,23
Now with PC connected on Cisco Sw on access port vlan 7 with IP 192.168.7.100 I can't ping ping RB5009 on 192.168.7.2, I can't understand why....

Thu Dec 26, 2024 10:08 pm

Most likely firewall rules.
Check that referenced thread again.

anav · Thu Dec 26, 2024 11:02 pm

if you want help post the config not snippets or jpegs
/export file=anynamwyouwish ( minus router serial number, any public WANIP information, keys etc. )

un9edsda · Fri Dec 27, 2024 1:43 am

...
@anav: Thank a lot but is not a problem, I've a LOCAL bridge on ether2 with spcific DHCP and IP Address and I can reach the RB5009

@BartoszP: I already read it, now I've a varous VLAN on my RB5009 like the screen, the port ether4 is connected on Cisco Switch with port in Trunk, allowed vlan 2,3,5,7,12,13,22,23
Now with PC connected on Cisco Sw on access port vlan 7 with IP 192.168.7.100 I can't ping ping RB5009 on 192.168.7.2, I can't understand why....

If you did indeed read the linked article than you would not have four (4)! bridges on your RB5009UG+S+, instead only one (maximum two if you followed Kentzo's guide on how to dynamically update NPTv6 firewall rules). For more details see the Switch Chip Features part of the documentation. The features and limitations of 88E6393X are relevant for you, and in the VLAN Table section you'll see the note that "Devices with MT7621, MT7531, RTL8367, 88E6393X, 88E6191X, 88E6190 switch chips support HW offloaded vlan-filtering in RouterOS v7. VLAN-related configuration on the "/interface ethernet switch" menu is not available." Therefore except of the two ports which are used for Internet access (WAN ports) should be included in the single bridge (which supports hardware offloading features). @Anav given you the advice in order to avoid locking out yourselves from the router. Unless you have a 10 GbE Internet connection dedicate ether1 and ether2 for Internet uplink and use sfp-sfpplus1 as a link to your core switch (if it has SFP+ slot).
Therefore an example starting bridge configuration:

/interface bridge
add add-dhcp-option82=yes ageing-time=5m arp=\
    enabled arp-timeout=auto comment="Eth3 to Eth8 and SFP+" \
    dhcp-snooping=yes disabled=no ether-type=0x8100 fast-forward=yes \
    forward-delay=15s frame-types=admit-all igmp-snooping=yes igmp-version=3 \
    ingress-filtering=yes last-member-interval=1s last-member-query-count=2 \
    max-hops=20 max-learned-entries=auto max-message-age=20s \
    membership-interval=4m20s mld-version=2 mtu=auto multicast-querier=no \
    multicast-router=temporary-query mvrp=no name=\
    bridge_3-sfpp port-cost-mode=long priority=0x7000 \
    protocol-mode=mstp pvid=1 querier-interval=4m15s query-interval=2m5s \
    query-response-interval=10s region-name=my_home_-_mstp region-revision=0 \
    startup-query-count=2 startup-query-interval=31s250ms \
    transmit-hold-count=6 vlan-filtering=yes
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge_3-sfpp \
    broadcast-flood=yes comment="" disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether3 internal-path-cost=20000 learn=\
    auto multicast-router=temporary-query mvrp-applicant-state=\
    normal-participant mvrp-registrar-state=normal path-cost=20000 \
    point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge_3-sfpp \
    broadcast-flood=yes comment="Cisco switch connection" disabled=no edge=\
    auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether4 internal-path-cost=20000 learn=\
    auto multicast-router=temporary-query mvrp-applicant-state=\
    normal-participant mvrp-registrar-state=normal path-cost=20000 \
    point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=yes unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge_3-sfpp \
    broadcast-flood=yes comment="" disabled=no edge=\
    auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether5 internal-path-cost=20000 learn=\
    auto multicast-router=temporary-query mvrp-applicant-state=\
    normal-participant mvrp-registrar-state=normal path-cost=20000 \
    point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge_3-sfpp \
    broadcast-flood=yes comment="" disabled=no edge=auto \
    fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether6 internal-path-cost=20000 learn=\
    auto multicast-router=temporary-query mvrp-applicant-state=\
    normal-participant mvrp-registrar-state=normal path-cost=20000 \
    point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge_3-sfpp \
    broadcast-flood=yes comment="" disabled=no edge=auto \
    fast-leave=no frame-types=admit-only-untagged-and-priority-tagged \
    horizon=none hw=yes ingress-filtering=yes interface=ether7 \
    internal-path-cost=20000 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=20000 point-to-point=auto priority=0x80 pvid=1 \
    restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge_3-sfpp \
    broadcast-flood=yes comment="" \
    disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none \
    hw=yes ingress-filtering=yes interface=sfp-sfpplus1 internal-path-cost=\
    2000 learn=auto multicast-router=temporary-query mvrp-applicant-state=\
    normal-participant mvrp-registrar-state=normal path-cost=2000 \
    point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=yes unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/interface bridge vlan
add bridge=bridge_3-sfpp disabled=no mvrp-forbidden="" \
    tagged=bridge_3-sfpp,ether4 untagged=""\
    vlan-ids=2 comment="vlan2-IOT-Giorgio"
add bridge=bridge_3-sfpp disabled=no mvrp-forbidden="" \
    tagged=bridge_3-sfpp,ether4 untagged=""\
    vlan-ids=3 comment="vlan3-Giorgio-LAN"
add bridge=bridge_3-sfpp disabled=no mvrp-forbidden="" \
    tagged=bridge_3-sfpp,ether4 untagged=""\
    vlan-ids=5 comment="vlan5-General-LAN"
add bridge=bridge_3-sfpp disabled=no mvrp-forbidden="" \
    tagged=bridge_3-sfpp,ether4 untagged=""\
    vlan-ids=7 comment="vlan7-General-WiFi"
add bridge=bridge_3-sfpp disabled=no mvrp-forbidden="" \
    tagged=bridge_3-sfpp,ether4 untagged=""\
    vlan-ids=12 comment="vlan12-IOT-Stefano"
add bridge=bridge_3-sfpp disabled=no mvrp-forbidden="" \
    tagged=bridge_3-sfpp,ether4 untagged=""\
    vlan-ids=13 comment="vlan13-Stefano-LAN"
add bridge=bridge_3-sfpp disabled=no mvrp-forbidden="" \
    tagged=bridge_3-sfpp,ether4 untagged=""\
    vlan-ids=22 comment="vlan22-IOT-Daniele"
add bridge=bridge_3-sfpp disabled=no mvrp-forbidden="" \
    tagged=bridge_3-sfpp,ether4 untagged=""\
    vlan-ids=23 comment="vlan23-Daniele-LAN"
add bridge=bridge_3-sfpp disabled=no mvrp-forbidden="" \
    tagged=bridge_3-sfpp,ether4 untagged=""\
    vlan-ids=835 comment="vlan835-Aruba"

Example for ethernet, vlan and list sections:

set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full,2.5G-baseT" arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=\
    unlimited/unlimited comment="FASTWEB faster connection physical interface" disabled=no \
    l2mtu=9796 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 \
    name=ether1 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether2 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="Aruba-Fiber physical interface" disabled=no l2mtu=9796 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s \
    mtu=1500 name=ether2 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether3 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="" disabled=no l2mtu=9796 \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=9000 \
    name=ether3 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether4 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="Cisco switch physical connection" disabled=no l2mtu=9796 \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=9000 \
    name=ether4 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether5 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="" disabled=no l2mtu=9796 \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=9000 \
    name=ether5 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether6 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="" disabled=no l2mtu=9796 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=9000 \
    name=ether6 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether7 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="" disabled=no l2mtu=9796 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=9000 \
    name=ether7 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether8 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="Temporarily the safe configuration port to avoid locking out oneself" \
    disabled=no l2mtu=9796 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s \
    mtu=9000 name=ether8 rx-flow-control=off tx-flow-control=off
set [ find default-name=sfp-sfpplus1 ] advertise="10M-baseT-half,10M-baseT-ful\
    l,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full,1G-baseX,2.5\
    G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR" arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=\
    unlimited/unlimited comment="" \
    disabled=no l2mtu=9796 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=9000 \
    name=sfp-sfpplus1 rx-flow-control=off \
    sfp-ignore-rx-los=no sfp-rate-select=high sfp-shutdown-temperature=70C \
    tx-flow-control=off
/interface vlan
add arp=enabled arp-timeout=auto disabled=yes interface=\
    bridge_3-sfpp loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=9000 mvrp=\
    no name=vlan1_default use-service-tag=no vlan-id=1
add arp=enabled arp-timeout=auto disabled=no interface=\
    bridge_3-sfpp loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=9000 mvrp=\
    no name=vlan2-IOT-Giorgio use-service-tag=no vlan-id=\
    2
add arp=enabled arp-timeout=auto disabled=no interface=\
    bridge_3-sfpp loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=9000 mvrp=\
    no name=vlan5-General-LAN \
    use-service-tag=no vlan-id=5
add arp=enabled arp-timeout=auto disabled=no interface=\
    bridge_3-sfpp loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=9000 mvrp=\
    no name=vlan7-General-WiFi \
    use-service-tag=no vlan-id=7
add arp=enabled arp-timeout=auto disabled=no interface=\
    bridge_3-sfpp loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=9000 mvrp=\
    no name=vlan12-IOT-Stefano \
    use-service-tag=no vlan-id=12
add arp=enabled arp-timeout=auto disabled=no interface=\
    bridge_3-sfpp loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=9000 mvrp=\
    no name=vlan13-Stefano-LAN \
    use-service-tag=no vlan-id=13
add arp=enabled arp-timeout=auto disabled=no interface=\
    bridge_3-sfpp loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=9000 mvrp=\
    no name=vlan22-IOT-Daniele \
    use-service-tag=no vlan-id=22
add arp=enabled arp-timeout=auto disabled=no interface=\
    bridge_3-sfpp loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=9000 mvrp=\
    no name=vlan23-Daniele-LAN \
    use-service-tag=no vlan-id=23
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
add comment=defconf exclude="" include="" name=WAN
add comment=defconf exclude=WAN include=dynamic name=LAN
/interface list member
add comment="LAN interfaces" disabled=no interface=\
    bridge_3-sfpp list=LAN
add comment="WAN interfaces" disabled=no interface=ether1 list=WAN
add disabled=no interface=ether2 list=WAN
add disabled=no interface=ppp_interface_pppoe_fastweb_faster list=WAN
add disabled=no interface=ppp_interface_pppoe_aruba list=WAN

Example for PPP sections:

/ppp profile
add address-list="" !bridge !bridge-horizon bridge-learning=yes \
    !bridge-path-cost !bridge-port-priority !bridge-port-trusted \
    !bridge-port-vid change-tcp-mss=yes comment=\
    "PPPoE upstream profile FASTWEB faster connection" !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address \
    name=ppp_profile_pppoe_fastweb_faster on-down="" on-up="" only-one=\
    default !outgoing-filter !parent-queue !queue-type !rate-limit \
    !remote-address !session-timeout use-compression=no use-encryption=\
    default use-ipv6=yes use-mpls=default use-upnp=no !wins-server
add address-list="" !bridge !bridge-horizon bridge-learning=yes \
    !bridge-path-cost !bridge-port-priority !bridge-port-trusted \
    !bridge-port-vid change-tcp-mss=yes comment=\
    "PPPoE upstream profile Aruba" !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address \
    name=ppp_profile_pppoe_aruba \
    only-one=default !outgoing-filter !parent-queue !queue-type \
    !rate-limit !remote-address !session-timeout use-compression=no \
    use-encryption=default use-ipv6=required use-mpls=default use-upnp=no \
    !wins-server
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
    comment="FASTWEB faster connection 2.5 Gbit PPPoE" default-route-distance=1 dial-on-demand=\
    no disabled=no interface=ether1 keepalive-timeout=10 max-mru=9000 \
    max-mtu=9796 mrru=disabled name=ppp_interface_pppoe_fastweb_faster \
    password=MyTopSecretPasswordComesHere profile=ppp_profile_pppoe_fastweb_faster \
    service-name="" use-peer-dns=yes user=MyUserName
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment=\
    "Aruba 1 Gbit PPPoE" default-route-distance=1 dial-on-demand=no \
    disabled=noe interface=ether2 keepalive-timeout=10 max-mru=9000 max-mtu=9796 \
    mrru=disabled name=ppp_interface_pppoe_aruba \
    password=MyOtherTopSecretPasswordComesHere profile=ppp_profile_pppoe_aruba \
    service-name="" use-peer-dns=yes user=MyOtherUserName

barte91 · Sun Dec 29, 2024 8:22 pm

Hi at all,

I changed the config and I remove some bridge that isn't in production
I set the correct routes like 0.0.0.0/0 to 192.168.1.254 (my provider router) and other one 192.168.0.0/16 to my RB router, and now all works fine

Thanks for all your support!!!

Stefano

VLAN routes on RB5009

VLAN routes on RB5009

Re: VLAN routes on RB5009

Re: VLAN routes on RB5009

Re: VLAN routes on RB5009

Re: VLAN routes on RB5009

Re: VLAN routes on RB5009

Re: VLAN routes on RB5009

Re: VLAN routes on RB5009