RB751u-2HnD VLAN trunk and switch1_cpu traffic problem

slv · Thu Jul 18, 2013 1:32 pm

Hello

RB751u-2HnD, ROS 6.1, switch with chip Atheros 7240

I digged a lot last time for similar for my problems on this forum and using Google but without sucessful answer.
I read http://forum.mikrotik.com/viewtopic.php?f=2&t=69912 and http://forum.mikrotik.com/viewtopic.php?f=2&t=50066

I need to connect RB751u-2HnD to HP 2510G switch to build AP with two separate WiFi networks. In my network every device has management interface in VLAN id=50, I have one WiFi for guests (vlan id 80) and one for office stuff (vlan id 30). I think that most of you has dedicated vlan for management traffic - so I didn't requested too much...

I stucked on VLAN level. HP switch has a port with vlan 30,50,80 configured as tagged vlans on this port.

According to
http://wiki.mikrotik.com/wiki/Vlans_on_ ... nvironment
http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features

I made a script:

/system identity set name=ap4

/ip dns set servers=192.168.1.254

/interface set ether5 disabled=no
/interface set ether4 disabled=no
/interface set ether5 disabled=no
/interface set wlan disabled=yes

/interface set ether5  name=trunk
/interface set ether4  name=vlan-50
/interface set ether3  name=vlan-80
/interface set wlan  name=wifi


/interface ethernet
set vlan-50 master-port=trunk
set vlan-80 master-port=trunk


/interface ethernet switch port
set vlan-50 vlan-mode=secure vlan-header=always-strip default-vlan-id=50
set vlan-80 vlan-mode=secure vlan-header=always-strip default-vlan-id=80
set trunk vlan-mode=secure vlan-header=add-if-missing

/interface ethernet switch vlan
add ports=vlan-50,switch1_cpu,trunk switch=switch1 vlan-id=50
add ports=vlan-80,trunk switch=switch1 vlan-id=80

/ip address add address=192.168.50.33/24 interface=vlan-50 network=192.168.50.0

and now on port 4 (vlan-50) when I connect laptop I get proper IP from router I can ping AP4 and router, on port 3 (lan-80) I got the same - so trunk is working properly, and this two ports of RB751 working as a port based vlans as expected.

When I tryed to ping from RB751 from terminal window to 192.168.50.50 (it's my laptop connected to port 4 IP) I get responses, but when I try to ping 192.168.50.1 I got timeout.
When I tryed to ping from laptop RB751 I get responses.

that's strange so let's try to change something connected to switch1_cpu. I try to change VLAN mode (from fallback to secure), Default VLAN ID (from 0 to 50) - without positive resoults. According to url before traffic from switch1_cpu is tagged so VLAN Header is setet as leave as is.

What is going on? why it's working partially?

Some data from CLI:

[admin@ap4] > ping 192.168.50.1
HOST                                     SIZE TTL TIME  STATUS        
192.168.50.1                                            timeout       
192.168.50.1                                            timeout       
192.168.50.33                              84  64 983ms host unreachab
192.168.50.1                                            timeout       
192.168.50.1                                            timeout       
    sent=5 received=0 packet-loss=100% 

[admin@ap4] > ip route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  192.168.50.0/24    192.168.50.33   trunk                     0


[admin@ap4] > interface ethernet switch print 
Flags: I - invalid 
 #   NAME                    TYPE          MIRROR-SOURCE                   MIRROR-TARGET                   SWITCH-ALL-PORTS
 0   switch1                 Atheros-7240  none                            none                           
[admin@ap4] > interface ethernet switch vlan print 
Flags: X - disabled, I - invalid 
 #   SWITCH                                               VLAN-ID PORTS                                                    
 0   switch1                                                   50 vlan-50                                                  
                                                                  switch1_cpu                                              
                                                                  trunk                                                    
 1   switch1                                                   80 vlan-80                                                  
                                                                  trunk                                                    
[admin@ap4] > ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                          
 0   192.168.50.33/24   192.168.50.0    vlan-50                                                                            
[admin@ap4] > interface ethernet switch port print 
Flags: I - invalid 
 #   NAME                                      SWITCH                              VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether2                                    switch1                             fallback  leave-as-is                  0
 1   vlan-80                                   switch1                             secure    always-strip                80
 2   vlan-50                                   switch1                             secure    always-strip                50
 3   trunk                                     switch1                             secure    add-if-missing               0
 4   switch1_cpu                               switch1                             secure    leave-as-is                 50
[admin@ap4] > interface ethernet switch rule print 
Flags: X - disabled, I - invalid 
[admin@ap4] >

What I forgot or configure improperly? Help me please

With regards
SLawek

Rudios · Thu Jul 18, 2013 2:41 pm

I don't fully get your config but if I read your desired setup correct I have another idea of implementing

I would 3 VLAN interfaces assigned to the trunk port (ether5 if I remember your story).
Than create 3 bridges, one for each VLAN.
Than add the desired ether port into the correct bridge, together with the VLAN interface.
Assign you IP to the VLAN50 bridge for management.

ros code

/interface vlan 
add name=vlan30-et5-off interface=ether5 vlan-id=30
add name=vlan50-et5-man interface=ether5 vlan-id=50
add name=vlan80-et5-gst interface=ether5 vlan-id=80

/interface bridge
add name=br-vlan30-off
add name=br-vlan50-man
add name=br-vlan80-gst

/interface bridge port
add bridge=br-vlan30-off interface=vlan30-et5-off 
add bridge=br-vlan30-off interface=ether2

add bridge=br-vlan50-man interface=vlan50-et5-man
add bridge=br-vlan50-man interface=ether4

add bridge=br-vlan80-gst interface=vlan80-et5-gst
add bridge=br-vlan80-gst interface=ether3

/ip address
add interface=br-vlan50-man address=192.168.55.33/24

slv · Fri Jul 19, 2013 10:53 am

I know that can do this using bridges but my goal was to use VLANS because it will separate traffic without using firewall.

Using your setup when I plugin my laptop to port ether3 and I try to connect using WinBox and MAC address of my Mikrotik - I can connect - is it correct?
I expected that I shouldn't connect because it's a different VLAN, Vlan where isn't switch1_cpu port.

In your config there isn't port "switch1_cpu" so how its working? how the traffic passes swith/router - could someone explain that?

I need config where access to management interface of Mikrotik (I beleave it's a switch1_cpu) is limited to VLAN id 50 only.

With regards
SLawek

Rudios · Sat Jul 20, 2013 2:32 pm

I know that can do this using bridges but my goal was to use VLANS because it will separate traffic without using firewall.

Using your setup when I plugin my laptop to port ether3 and I try to connect using WinBox and MAC address of my Mikrotik - I can connect - is it correct?
I expected that I shouldn't connect because it's a different VLAN, Vlan where isn't switch1_cpu port.

In your config there isn't port "switch1_cpu" so how its working? how the traffic passes swith/router - could someone explain that?

I need config where access to management interface of Mikrotik (I beleave it's a switch1_cpu) is limited to VLAN id 50 only.

With regards
SLawek

It is correct that you can connect to the RB by MAC if you plugin a cable. But that also implies for WiFi. You should disable the winbox mac-server for the interfaces where needed.
My config doesn't make use of the switch chip. All VLAN logic is inside the routerboard itself.
If you only give the management vlan an IP address, than it should be available only on that VLAN. But this also depends on possibly available routers (others than the routerboard itself)
If the HP you are connected to, or the device upstream that HP is a router it can happen that this router is transferring the traffic from your guest network.
Maybe you can give a topology overview of your devices to make that clear

slv · Wed Jul 24, 2013 2:22 pm

>winbox mac-server

whoow - thank you - I will disable it, I'm new in Mikrotik and I have to learn a loot...

Now I'm fighting with Mikrotik Suport to get working "my configuration". I will let you know when I get it working (or not working...)

Regards
Slawek