We are new to VLAN on a MikroTik and could use some help. We have a unique routing situation for a CCR1036-12G-4S. we have searched all sorts of forums and are not really finding any useful information for our scenario.

We have some Ruckus wireless access points installed that are brodcasting 2 different SSIDs. The first internal SSID in on the main corporate network. The second is for Guests and the Ruckus APs are assigning users connecting to this SSID a VLAN tag of 101. These APs plug into the CCR Router that are in a LAN bridge on ports Ether3 and Ether 4.

First we need to know how to make the MikroTik CCR router recognize the VLAN tag 101 assigned by the Ruckus APs and assign DHCP to these users from a specific DHCP Pool just for this VLAN.

This router currently is using Ether1 as the WAN connection and gateway to all internet traffic. Ether1 public IP is XXX.XXX.XXX.138. Ether 1 is also assigned the public IP of XXX.XXX.XXX.139. XXX.XXX.XXX.138 is the default gateway for all internal corporate traffic. We need to route the guest VLAN traffic of 101 out the second public IP of XXX.XXX.XXX.139 so we can apply different DNS rules to this public IP from our content filtering provider.

Additionally, the VLAN tagging is configured on the Access Points and switches and appears to be working correctly when analyzed with Wireshark but when we monitored the network traffic on the CCR1036 with Torch it did not display the VLAN tags on packets that should be tagged with 101.

How do we make the CCR Router recognize the VLAN tags of 101, assign the DHCP based upon that and route the traffic out the second public IP above? Examples with terminal commands or GUI interface would be a huge help. Thanks for the help!

Add Interface VLAN

Add Address range to VLAN interface

Add DHCP Server to Vlan Interface

Add Firewall Mangle Routing mark

Add Route for that mark going out the public you want it to


This should be fairly straight forward.

Thank you for the suggestions. This is exactly what we have configured but the guests connected on VLAN 101 dont receive an IP address from the DHCP server on the CCR Router at all. Any ideas why that might be?

Please copy paste from your terminal...
Interfaces
Addresses
DHCP SERVER

Feel free to redact your public IP's

Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R ether1 ether 1500 1590 10226
1 RS ether2 ether 1500 1590 10226
2 S ether3 ether 1500 1590 10226
3 R ether4 ether 1500 1590 10226
4 R ether5 ether 1500 1590 10226
5 ether6 ether 1500 1590 10226
6 ether7 ether 1500 1590 10226
7 ether8 ether 1500 1590 10226
8 ether9 ether 1500 1590 10226
9 ether10 ether 1500 1590 10226
10 ether11 ether 1500 1590 10226
11 R ether12 ether 1500 1590 10226
12 sfp1 ether 1500 1590 10226
13 sfp2 ether 1500 1590 10226
14 sfp3 ether 1500 1590 10226
15 sfp4 ether 1500 1590 10226
16 R bridge1 bridge 1500 1590
17 R vlan1 vlan 1500 1586



Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 X ;;; default configuration
192.168.88.1/24 192.168.88.0 ether1
1 ;;; added by setup
XX.XX.XX.138/29 XX.XX.XX.136 ether1
2 10.0.0.1/24 10.0.0.0 bridge1
3 10.0.3.1/24 10.0.3.0 ether5
4 10.0.2.1/22 10.0.0.0 ether4
5 10.0.1.1/24 10.0.1.0 ether3
6 ;;; added by setup
XX.XX.XX.139/29 XX.XX.XX.136 ether1
7 10.0.5.1/24 10.0.5.0 vlan1

Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 dhcp3 ether4 dhcp_pool3 3d
1 dhcp4 ether5 dhcp_pool4 3d
2 dhcp2 vlan1 dhcp_pool2 1d
3 dhcp1 bridge1 dhcp_pool1 3d

# NAME RANGES
0 dhcp_pool3 10.0.2.2-10.0.3.254
1 dhcp_pool4 10.0.3.10-10.0.3.254
2 dhcp_pool2 10.0.5.2-10.0.5.254
3 dhcp_pool1 10.0.0.150-10.0.0.254

Put the vlan on the bridge, then it should work

Gesendet von meinem HTC Flyer P510e mit Tapatalk 2

Thanks again for the help. It still would not work. I ended up setting up the routing in the VLANs on the Cisco switch and routed VLAN101 out to a different MikroTik router from there to achieve our goal.

Did you use an identical config to tag the VLAN in the other MikroTik?

No we did the tagging and routing in the Cisco switch and passed the traffic to the MikroTik untagged and left the MikroTik with no VLAN config at all.

Tagging is usually pretty straightforward on an interface in RouterOS. Can you post an export of the config that didn't work?

It has all been deleted at this point and moved on to another project. Sorry. We sent it to MikroTik also and they said the config was right and should have worked but for some reason it did not.