Community discussions

MikroTik App
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

CRS125 vlan config

Sun Feb 12, 2017 11:58 pm

This is the first time I run into the need of vlan on a CRS125. The switch menu on CRS125 tells that there are some new possibilities with the CRS compared to the routerboards I've configured for vlan earlier (mostly 1100AHx2, 433g and 951g).

The config I'm looking for is:
Ether1 as wan link (routing with nat)
Ether2 - 12 should provide untagged connection to bridge-local
Ether13-19 should provide untagged connection to bridge-guest
Ether20-24 should provide tagged connection to both the above bridge networks

5 wAP ac will be connected to the ether20-24 ports. They'll have 4 ssid's each, providing wlan to both bridge-networks with both 2.4ghz and 5ghz.

I need to do routing with firewall between the bridge networks (allow guests to print) and ether1 (allow internet access to both bridges).

What would be the best practice way to configure this on a CRS125?
(With the older routerboards I'd configure vlan at each ethernet port, and link them all in each bridge. I assume this way will also work with CRS125, but there is a better way to do it.)
 
kamillo
Member Candidate
Member Candidate
Posts: 162
Joined: Tue Jul 15, 2014 5:44 pm

Re: CRS125 vlan config

Mon Feb 13, 2017 10:53 am

CRS125 supports vlans on switch-cpu level. Bridges operate on CPUlevel. CPU is rather weak on CRS125 therefore using bridges could harm performance.

Check:
http://wiki.mikrotik.com/wiki/Manual:CRS_features
http://wiki.mikrotik.com/wiki/Manual:CRS_examples

Best,
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

Re: CRS125 vlan config

Tue Feb 14, 2017 2:14 am

Thanks. I think I found the answer to my question in a note in your first link
Note: Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits a part of VLAN functionality supported by CRS switch-chip. For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.
However, following this guide http://www.breekeenbeen.nl/2014/12/11/m ... -bridging/
I ran into an issue: Ether2 is not working. Ether2 is the masterport for ether3..24. All the other ports seems to be working.

This command makes the problem:
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=5 ports="ether2-master-local,ether3-slave-local,[...],ether16-slave-local" sa-learning=yes
Once I disable that rule, and add ether2 to the bridge, it's working. When the rule is enabled, ether2 is not working for tagged nor untagged.
Vlan5 is a sub interface of ether2, and is added to bridge-local.

How did I manage to have ether2 behave different from its slave ports? Any suggestion to what I missed?
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

Re: CRS125 vlan config

Tue Feb 14, 2017 2:41 am

Here is the config (excluded wireless, dhcp and ipsec config) where ether2 is not working. Does anyone see why that is?
Ether1 is wan, Ether2-16 are untagged members of bridge-lan, Ether17-20 are untagged members of bridge-gjest, Ether21-24 are tagged members of both bridges.
# feb/14/2017 01:23:28 by RouterOS 6.38.1
# software id = XMES-REAT
#
/interface bridge
add name=bridge-gjest
add admin-mac=D4:CA:6D:F9:6C:B1 auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether2-master-local name=ether6-slave-local
set [ find default-name=ether7 ] master-port=ether2-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether2-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether2-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether2-master-local name=ether10-slave-local
set [ find default-name=ether11 ] master-port=ether2-master-local name=ether11-slave-local
set [ find default-name=ether12 ] master-port=ether2-master-local name=ether12-slave-local
set [ find default-name=ether13 ] master-port=ether2-master-local name=ether13-slave-local
set [ find default-name=ether14 ] master-port=ether2-master-local name=ether14-slave-local
set [ find default-name=ether15 ] master-port=ether2-master-local name=ether15-slave-local
set [ find default-name=ether16 ] master-port=ether2-master-local name=ether16-slave-local
set [ find default-name=ether17 ] master-port=ether2-master-local name=ether17-slave-local
set [ find default-name=ether18 ] master-port=ether2-master-local name=ether18-slave-local
set [ find default-name=ether19 ] master-port=ether2-master-local name=ether19-slave-local
set [ find default-name=ether20 ] master-port=ether2-master-local name=ether20-slave-local
set [ find default-name=ether21 ] master-port=ether2-master-local name=ether21-slave-local
set [ find default-name=ether22 ] master-port=ether2-master-local name=ether22-slave-local
set [ find default-name=ether23 ] master-port=ether2-master-local name=ether23-slave-local
set [ find default-name=ether24 ] master-port=ether2-master-local name=ether24-slave-local
set [ find default-name=sfp1 ] master-port=ether2-master-local name=sfp1-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/interface vlan
add interface=ether2-master-local name=vlan-gjest vlan-id=4
add interface=ether2-master-local name=vlan-lan vlan-id=5

#skipping wireless, ipsec and dhcp sections

/interface bridge port
add bridge=bridge-local disabled=yes interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=vlan-lan
add bridge=bridge-gjest interface=vlan-gjest
/interface ethernet switch egress-vlan-tag
add tagged-ports="ether21-slave-local,ether22-slave-local,ether23-slave-local,ether24-slave-local,switch1-cpu" vlan-id=5
add tagged-ports="ether21-slave-local,ether22-slave-local,ether23-slave-local,ether24-slave-local,switch1-cpu" vlan-id=4
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=5 ports="ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ether8-\
    slave-local,ether9-slave-local,ether10-slave-local,ether11-slave-local,ether12-slave-local,ether13-slave-local,ether14-slave-local,ether15-slave-loc\
    al,ether16-slave-local" sa-learning=no
add new-customer-vid=4 ports="ether17-slave-local,ether18-slave-local,ether19-slave-local,ether20-slave-local" sa-learning=no
/interface ethernet switch vlan
add ports="ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ether8-slave-local,ether9-\
    slave-local,ether10-slave-local,ether11-slave-local,ether12-slave-local,ether13-slave-local,ether14-slave-local,ether15-slave-local,ether16-slave-lo\
    cal,ether21-slave-local,ether22-slave-local,ether23-slave-local,ether24-slave-local,switch1-cpu" vlan-id=5
add ports="ether17-slave-local,ether18-slave-local,ether19-slave-local,ether20-slave-local,ether21-slave-local,ether22-slave-local,ether23-slave-local,e\
    ther24-slave-local,switch1-cpu" vlan-id=4
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=bridge-local network=192.168.88.0
add address=10.0.1.1/24 interface=bridge-local network=10.0.1.0
add address=172.16.44.1/22 interface=bridge-gjest network=172.16.44.0

# skipping dhcp related config

/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=yes protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=yes
add action=accept chain=input comment="default configuration" connection-state=related disabled=yes
add action=accept chain=input comment=gjest-dns-dhcp disabled=yes dst-port=53-68 in-interface=bridge-gjest protocol=udp
add action=accept chain=input comment=gjest-dns-dhcp disabled=yes dst-port=53,67,68 in-interface=bridge-gjest protocol=tcp
add action=drop chain=input comment=gjest-drop disabled=yes in-interface=bridge-gjest
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
add action=accept chain=forward comment="accept all outbound" disabled=yes out-interface=ether1-gateway
add action=drop chain=forward disabled=yes in-interface=bridge-gjest
add action=accept chain=forward comment="default configuration" connection-state=established disabled=yes
add action=accept chain=forward comment="default configuration" connection-state=related disabled=yes
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

# skipping ipsec config
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Oslo
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=31.185.27.200 secondary-ntp=139.112.1.20
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-slave-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=ether11-slave-local
add interface=ether12-slave-local
add interface=ether13-slave-local
add interface=ether14-slave-local
add interface=ether15-slave-local
add interface=ether16-slave-local
add interface=ether17-slave-local
add interface=ether18-slave-local
add interface=ether19-slave-local
add interface=ether20-slave-local
add interface=ether21-slave-local
add interface=ether22-slave-local
add interface=ether23-slave-local
add interface=ether24-slave-local
add interface=sfp1-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=ether6-slave-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=ether11-slave-local
add interface=ether12-slave-local
add interface=ether13-slave-local
add interface=ether14-slave-local
add interface=ether15-slave-local
add interface=ether16-slave-local
add interface=ether17-slave-local
add interface=ether18-slave-local
add interface=ether19-slave-local
add interface=ether20-slave-local
add interface=ether21-slave-local
add interface=ether22-slave-local
add interface=ether23-slave-local
add interface=ether24-slave-local
add interface=sfp1-slave-local
add interface=wlan1
add interface=bridge-local
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

Re: CRS125 vlan config

Wed Feb 15, 2017 11:28 pm

Am I alone with the issue of masterport not working when vlan is configured?
 
SeparateReality
just joined
Posts: 7
Joined: Thu Feb 16, 2017 1:01 am

Re: CRS125 vlan config

Thu Feb 16, 2017 1:23 am

Am I alone with the issue of masterport not working when vlan is configured?
No you are not... But I somehow got it solved thanks to you :)

In my config I could not access any untagged port. When I read through this thread I realised that I had multiple master-ports in my former config. I resolved all but my VLAN switching group but it seemed not to help.
Out of frustration I did a reboot. MAGIC. For whatever reason it worked afterwards!

Good luck!
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

Re: CRS125 vlan config

Thu Feb 16, 2017 2:04 pm

So the problem may be that I have one single port and 23 in the port group, not all 24 in the group?
Unfortunately I had to hand this box over to the customer - the last in stock - and have to wait for a new delivery to arrive before I can experiment more with this.
 
SeparateReality
just joined
Posts: 7
Joined: Thu Feb 16, 2017 1:01 am

Re: CRS125 vlan config

Thu Feb 23, 2017 4:32 pm

Not sure you are still working on in. Just in case I post my complete test config. I noted several differences to the config above.
It took me quite a while until everything was working as expected. But I was not familiar with MT, at all. So there might be lots of room for improvement. Just let me know.

My main goal was to use the switch chip of the CRS125 for some VLANS and connect every VLAN to a specific WLAN from the wAP ac via CAPsMAN.
I think it would not make much sense to use the CRS without the switching chip. If everything has to go through the CPU its getting very slow. CPU is weak and Bandwith to the CPU is 1 Gbit/s. (learned here: https://www.youtube.com/watch?v=LoZzt04Ixw0 )

My findings:
- use only one master port on the CRS! But you do NOT need to add all 24 ports!
- Using a switched trunk port for the wAP might work with manual config. I saw no way to get it done with CAPsMAN.
- I had to put the masterport in a bridge to allow IP traffic to/from VLANs (seems that makes the connection to the CPU)

The test config itself:
- 'admin' specifies the network with the right to do everything
- 'multimedia' is for guests, IosT, video server... its not allowed in 'admin'
- 'admin_service_access' might we ignored. I build it because playing around with the VLAN config threw me out one time too often (serial cable arrived today....)
- no further sec measurements taken until yet.
- using CAPsMAN provisioning would be the next logical step.

Would be great to hear some advice how to further improve the setup. Preferably you have a working config. That's because I read a lot of posts/tutorials/wikis and none had a working CRS/switching/VLAN/CAPsMAN/wAP combi.
# feb/22/2017 23:17:28 by RouterOS 6.39rc35
# config with adapted IPs/MACs/PWs
#
/interface bridge
add name=bridge-admin
add name=bridge-multimedia
/interface ethernet
set [ find default-name=ether1 ] name=e1-sw1master-admin
set [ find default-name=ether2 ] master-port=e1-sw1master-admin name=\
    e2-sw1-multimedia
set [ find default-name=ether3 ] master-port=e1-sw1master-admin name=\
    e3-sw1-admin
set [ find default-name=ether4 ] master-port=e1-sw1master-admin name=\
    e4-sw1-multimedia
set [ find default-name=ether5 ] master-port=e1-sw1master-admin name=\
    e5-sw1-trunk
set [ find default-name=ether6 ] master-port=e1-sw1master-admin name=\
    e6-sw1-multimedia
set [ find default-name=ether7 ] master-port=e1-sw1master-admin name=\
    e7-sw1-trunk
set [ find default-name=ether8 ] master-port=e1-sw1master-admin name=\
    e8-sw1-multimedia
set [ find default-name=ether9 ] name=e9-wlan
set [ find default-name=ether10 ] name=e10-wlan
set [ find default-name=ether11 ] name=e11-wlan
set [ find default-name=ether12 ] name=e12-wlan
set [ find default-name=ether13 ] name=e13
set [ find default-name=ether14 ] name=e14
set [ find default-name=ether15 ] name=e15_admin_service_access
set [ find default-name=ether16 ] name=e16
set [ find default-name=ether17 ] name=e17
set [ find default-name=ether18 ] name=e18_internet
set [ find default-name=ether19 ] name=e19
set [ find default-name=ether20 ] name=e20
set [ find default-name=ether21 ] name=e21
set [ find default-name=ether22 ] name=e22
set [ find default-name=ether23 ] name=e23
set [ find default-name=ether24 ] name=e24

/interface vlan
add interface=e1-sw1master-admin name=vlan10-admin vlan-id=10
add interface=e1-sw1master-admin name=vlan20-multimedia vlan-id=20

/caps-man configuration
add channel.band=2ghz-b/g/n channel.extension-channel=Ce channel.frequency=\
    2417 channel.width=20 country=germany datapath.arp=enabled \
    datapath.bridge=bridge-admin datapath.client-to-client-forwarding=no \
    datapath.local-forwarding=no mode=ap multicast-helper=default name=\
    cfg_admin security.authentication-types=wpa2-psk security.encryption=\
    aes-ccm security.group-encryption=aes-ccm security.passphrase=yourpass1 \
    ssid=xt32
add country=germany datapath.bridge=bridge-multimedia \
    datapath.local-forwarding=no mode=ap multicast-helper=full name=\
    cfg_multimedia security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm security.group-encryption=aes-ccm \
    security.passphrase=yourpass2 ssid=xt32guest
add channel.band=5ghz-a/n/ac channel.width=20 country=germany datapath.arp=\
    enabled datapath.bridge=bridge-admin \
    datapath.client-to-client-forwarding=no datapath.local-forwarding=no \
    mode=ap multicast-helper=default name=cfg_admin_5GHz \
    security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.group-encryption=aes-ccm security.passphrase=yourpass1 ssid=xt32

/caps-man interface
add configuration=cfg_admin disabled=no l2mtu=1600 mac-address=\
    6C:3B:6B:7E:C5:43 master-interface=none name=cap1-2GH radio-mac=\
    6C:3B:6B:7E:C5:43
add configuration=cfg_multimedia configuration.mode=ap disabled=no l2mtu=1600 \
    mac-address=6E:3B:6B:7E:C5:43 master-interface=cap1-2GH name=\
    cap1-2GH-guest radio-mac=00:00:00:00:00:00
add configuration=cfg_admin_5GHz disabled=no l2mtu=1600 mac-address=\
    6C:3B:6B:7E:C5:42 master-interface=none name=cap1-5GH radio-mac=\
    6C:3B:6B:7E:C5:42
add configuration=cfg_admin disabled=no l2mtu=1600 mac-address=\
    6C:3B:6B:87:8E:36 master-interface=none name=cap2--2GH radio-mac=\
    6C:3B:6B:87:8E:36
add configuration=cfg_multimedia disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:87:8E:36 master-interface=cap2--2GH name=cap2-2GH-guest \
    radio-mac=00:00:00:00:00:00
add configuration=cfg_admin_5GHz disabled=no l2mtu=1600 mac-address=\
    6C:3B:6B:87:8E:35 master-interface=none name=cap2-5GH radio-mac=\
    6C:3B:6B:87:8E:35
add configuration=cfg_admin disabled=no l2mtu=1600 mac-address=\
    6C:3B:6B:7E:C5:07 master-interface=none name=cap3-2GH radio-mac=\
    6C:3B:6B:7E:C5:07
add configuration=cfg_multimedia disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:7E:C5:07 master-interface=cap3-2GH name=cap3-2GH-guest \
    radio-mac=00:00:00:00:00:00
add configuration=cfg_admin_5GHz disabled=no l2mtu=1600 mac-address=\
    6C:3B:6B:7E:C5:06 master-interface=none name=cap3-5GH radio-mac=\
    6C:3B:6B:7E:C5:06

/ip pool
add name=admin ranges=172.16.10.20-172.16.10.200
add name=multimedia ranges=172.16.20.20-172.16.20.200
add name=dhcp_pool7 ranges=169.254.110.10-169.254.110.200

/ip dhcp-server
add address-pool=multimedia disabled=no interface=bridge-multimedia name=\
    dhcp-multimedia
add address-pool=dhcp_pool7 disabled=no interface=e15_admin_service_access \
    name=dhcp_admin_service
add address-pool=admin disabled=no interface=bridge-admin name=dhcp-admin

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes

/caps-man manager interface
add disabled=no

/interface bridge port
add bridge=bridge-multimedia interface=vlan20-multimedia
add bridge=bridge-admin interface=vlan10-admin

/interface ethernet switch egress-vlan-tag
add tagged-ports=e5-sw1-trunk,e7-sw1-trunk,switch1-cpu vlan-id=10
add tagged-ports=e5-sw1-trunk,e7-sw1-trunk,switch1-cpu vlan-id=20

/interface ethernet switch egress-vlan-translation
add customer-vid=10 customer-vlan-format=untagged-or-tagged new-customer-vid=\
    0 ports=e1-sw1master-admin,e3-sw1-admin service-vlan-format=\
    untagged-or-tagged
add customer-vid=20 customer-vlan-format=untagged-or-tagged new-customer-vid=\
    0 ports=\
    e2-sw1-multimedia,e4-sw1-multimedia,e6-sw1-multimedia,e8-sw1-multimedia \
    service-vlan-format=untagged-or-tagged

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=e1-sw1master-admin,e3-sw1-admin
add customer-vid=0 new-customer-vid=20 ports=\
    e2-sw1-multimedia,e4-sw1-multimedia,e6-sw1-multimedia,e8-sw1-multimedia

/interface ethernet switch vlan
add comment="multimedia VLAN" ports="e2-sw1-multimedia,e4-sw1-multimedia,e5-sw\
    1-trunk,e6-sw1-multimedia,e7-sw1-trunk,e8-sw1-multimedia,switch1-cpu" \
    vlan-id=20
add comment="admin VLAN" ports=\
    e1-sw1master-admin,e3-sw1-admin,e5-sw1-trunk,e7-sw1-trunk,switch1-cpu \
    vlan-id=10

/ip address
add address=192.168.2.12/24 interface=e18_internet network=192.168.2.0
add address=172.16.10.1/24 interface=bridge-admin network=172.16.10.0
add address=172.16.20.1/24 interface=bridge-multimedia network=172.16.20.0
add address=169.254.110.1/16 interface=e15_admin_service_access network=\
    169.254.0.0

/ip dhcp-server network
add address=169.254.0.0/16 gateway=169.254.110.1
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.20.1 gateway=172.16.20.1

/ip dns
set allow-remote-requests=yes servers=\
    85.214.20.141,213.73.91.35,8.8.8.8,8.8.4.4

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=bridge-admin
add action=accept chain=input in-interface=bridge-vlan
add action=accept chain=input dst-address=!172.16.10.0/24 in-interface=\
    bridge-multimedia
add action=accept chain=input in-interface=e15_admin_service_access
add action=log chain=input log=yes log-prefix=rejected->
add action=reject chain=input reject-with=icmp-admin-prohibited
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=bridge-admin
add action=accept chain=forward in-interface=bridge-vlan
add action=accept chain=forward in-interface=bridge-multimedia protocol=icmp
add action=accept chain=forward in-interface=bridge-multimedia out-interface=\
    e18_internet protocol=tcp
add action=accept chain=forward in-interface=bridge-multimedia out-interface=\
    e18_internet protocol=udp
add action=accept chain=forward connection-state="" in-interface=\
    e15_admin_service_access
add action=log chain=forward log=yes log-prefix=rejected->
add action=reject chain=forward reject-with=icmp-admin-prohibited

/ip firewall nat
add action=masquerade chain=srcnat comment="internet access" out-interface=\
    e18_internet src-address=172.16.10.0/24
add action=masquerade chain=srcnat comment="internet access" out-interface=\
    e18_internet src-address=172.16.20.0/24
add action=masquerade chain=srcnat comment="Service NAT" out-interface=\
    e18_internet src-address=169.254.0.0/16

/ip route
add distance=1 gateway=192.168.2.1

/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes primary-ntp=192.53.103.108
Last edited by SeparateReality on Thu Feb 23, 2017 11:14 pm, edited 1 time in total.
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 230
Joined: Wed Sep 16, 2009 2:55 pm

Re: CRS125 vlan config

Thu Feb 23, 2017 8:29 pm

It is somewhat offtopic for this thread, but still..
Unless you plan to add more ports to the bridges later, it's pointless to have bridges with only one interface. Just assign the ip adresses and the firewall rules to the vlan interfaces, and you can delete the bridges.

Also, when you do config changes that involves the port you are connected to, it's a good idea to make use of the safe mode function in winbox. If you loose connection, the config will revert to what it was when you enabled safe mode. Then just turn safe mode off and back on once in a while to save your config.


Regarding my issue, I'll see if it replicates on a new CRS125 when I get the time to play around. (I have got a new one now.)
 
SeparateReality
just joined
Posts: 7
Joined: Thu Feb 16, 2017 1:01 am

Re: CRS125 vlan config

Thu Feb 23, 2017 11:13 pm

Its only on the first sight that the bridges seem to have only one interface. CAPsMAN adds the WLAN interfaces dynamically:
/caps-man configuration
add channel.band=2ghz-b/g/n channel.extension-channel=Ce channel.frequency=\
2417 channel.width=20 country=germany datapath.arp=enabled \
datapath.bridge=bridge-admin datapath.client-to-client-forwarding=no \
datapath.local-forwarding=no mode=ap multicast-helper=default name=\
cfg_admin security.authentication-types=wpa2-psk security.encryption=\
aes-ccm security.group-encryption=aes-ccm security.passphrase=yourpass1 \
ssid=xt32
/interface bridge port print looks like that
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE                                              BRIDGE                                              PRIORITY  PATH-COST    HORIZON
 0    e1-sw1master-admin                                     bridge-vlan                                             0x80         10       none
 1    vlan20-multimedia                                      bridge-multimedia                                       0x80         10       none
 2    vlan10-admin                                           bridge-admin                                            0x80         10       none
 3  D e2-sw1-multimedia                                      bridge-vlan                                             0x80         10       none
 4 ID e3-sw1-admin                                           bridge-vlan                                             0x80         10       none
 5 ID e4-sw1-multimedia                                      bridge-vlan                                             0x80         10       none
 6  D e5-sw1-trunk                                           bridge-vlan                                             0x80         10       none
 7 ID e6-sw1-multimedia                                      bridge-vlan                                             0x80         10       none
 8 ID e7-sw1-trunk                                           bridge-vlan                                             0x80         10       none
 9  D e8-sw1-multimedia                                      bridge-vlan                                             0x80         10       none
10  D cap1-2GH                                               bridge-admin                                            0x80         10       none
11  D cap1-2GH-guest                                         bridge-multimedia                                       0x80         10       none
12 ID cap1-5GH                                               bridge-admin                                            0x80         10       none
[
BUT: After some further tests I recognised that adding the bridge with the master port is not necessary. It seemed strange anyway but I was sure it wasn't working without.... now I dropped 'bridge-vlan' from the config above.

And thanks a lot for the hint with the safe mode. That will definitely help in many cases!

I could not find any obvious glitches in your config. Not sure where 'WLAN1' comes from; but that is certainly not the reason for the hassle with the master port.
You might try the latest ROS release candidate. I read a lot of bug fixing going on in regards to switching and VLANs on the CRS. I have some documented DHCP trouble myself.

Who is online

Users browsing this forum: andy76sz, anv, GoogleOther [Bot], mitzone and 65 guests