 
domon

Troubles with MAC based VLAN on CRS-125

Thu Dec 08, 2016 12:54 am

CRS-125 is an internet NAT gateway providing internet access to clients segmented via MAC based VLANs. Unfortunately, I can't figure out what's missing. I followed the tutorial in the wiki for MAC based VLANs.

ether1-cfg = configuration port with static IP for setup
ether2-wan = DHCP client for WAN
ether3-lan = master port for all other LAN ports and VLANs

Client 00:11:22:33:44:55 cannot even ping the 10.10.8.1 interface on vlan80 and obviously internet access is not working. Any ideas?


# RouterOS export for the CRS-125 described in the post: port naming, switch-chip VLAN
# setup with a single MAC-based VLAN entry, addressing, WAN DHCP client and source NAT.

# Rename the first three ports; ether4-ether24 are switched under master port ether3-lan.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-cfg
set [ find default-name=ether2 ] name=ether2-wan
set [ find default-name=ether3 ] name=ether3-lan
set [ find default-name=ether4 ] master-port=ether3-lan
set [ find default-name=ether5 ] master-port=ether3-lan
set [ find default-name=ether6 ] master-port=ether3-lan
set [ find default-name=ether7 ] master-port=ether3-lan
set [ find default-name=ether8 ] master-port=ether3-lan
set [ find default-name=ether9 ] master-port=ether3-lan
set [ find default-name=ether10 ] master-port=ether3-lan
set [ find default-name=ether11 ] master-port=ether3-lan
set [ find default-name=ether12 ] master-port=ether3-lan
set [ find default-name=ether13 ] master-port=ether3-lan
set [ find default-name=ether14 ] master-port=ether3-lan
set [ find default-name=ether15 ] master-port=ether3-lan
set [ find default-name=ether16 ] master-port=ether3-lan
set [ find default-name=ether17 ] master-port=ether3-lan
set [ find default-name=ether18 ] master-port=ether3-lan
set [ find default-name=ether19 ] master-port=ether3-lan
set [ find default-name=ether20 ] master-port=ether3-lan
set [ find default-name=ether21 ] master-port=ether3-lan
set [ find default-name=ether22 ] master-port=ether3-lan
set [ find default-name=ether23 ] master-port=ether3-lan
set [ find default-name=ether24 ] master-port=ether3-lan
# CPU-side VLAN interfaces on the master port; they carry the 10.10.7.1 and 10.10.8.1
# gateway addresses assigned further down.
/interface vlan
add interface=ether3-lan name=vlan70 vlan-id=70
add interface=ether3-lan name=vlan80 vlan-id=80
# NOTE(review): tagged-ports and the switch VLAN table below list only ether3-lan. The
# working export posted later in this thread lists switch1-cpu in both places, which may be
# why vlan80 on the CPU never sees the client's frames - confirm.
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether3-lan vlan-id=80
add tagged-ports=ether3-lan vlan-id=70
# Frames from this source MAC are assigned VLAN 80. The match is on an address the client
# supplies, so this sorts traffic into a VLAN; it does not authenticate the client.
/interface ethernet switch mac-based-vlan
add new-customer-vid=80 src-mac-address=00:11:22:33:44:55
# Only item 2 of the switch port list is changed.
# NOTE(review): confirm item 2 is the port the test client is actually plugged into.
/interface ethernet switch port
set 2 allow-fdb-based-vlan-translate=yes allow-mac-based-customer-vlan-assignment-for=untagged-and-priority-tagged-frame-only
/interface ethernet switch vlan
add ports=ether3-lan vlan-id=80
add ports=ether3-lan vlan-id=70



# One address per segment: the config port, both VLAN interfaces and the untagged LAN.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1-cfg network=192.168.88.0
add address=10.10.8.1/24 interface=vlan80 network=10.10.8.0
add address=10.10.7.1/24 interface=vlan70 network=10.10.7.0
add address=10.10.0.1/24 interface=ether3-lan network=10.10.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2-wan
# Source NAT for everything leaving through the WAN port.
# NOTE(review): no /ip firewall filter section appears in this export, so nothing shown here
# limits input on ether2-wan or forwarding between the 10.10.x.0/24 segments - confirm the
# router's management services are not reachable from the WAN side.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-wan
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set protected-routerboot=disabled
 
domon

Re: Troubles with MAC based VLAN on CRS-125

Fri Dec 09, 2016 8:07 pm

Is a MAC based VLAN even possible? There are not many example configs and I followed the tutorial on the wiki exactly.
 
lilmansplace

Re: Troubles with MAC based VLAN on CRS-125

Thu Jan 18, 2018 7:42 am

I have set up my CRS125-24G-1S-2HnD with MAC-based VLANs working, and bridged the VLANs onto the virtual wireless interfaces to get full VLAN coverage.
It wasn't easy and it's JFM (*Just F**king Magic).

I then tried to get a second CRS125-24G-1S-2HnD trunked to it; I could get the ethernet devices on it to work, but not its wifi.
I asked for help but perhaps it was in the wrong section or not enough details to warrant a response from anyone on this forum ( viewtopic.php?f=13&t=129103&p=634326&hi ... ed#p634326 )

I don't think it's possible to set a default VLAN if it's an unknown MAC address. I found a different post on this forum that indicated it'd have to be done on a CRS2xx system. (viewtopic.php?f=2&t=96335&p=480063&hili ... an#p480063)

Here is my scrubbed export if it's helpful to you to get yours working.
# dec/29/2017 22:06:08 by RouterOS 6.41
# model = CRS125-24G-1S-2HnD
# Scrubbed export: MAC addresses and pre-shared keys were replaced with placeholders by the
# poster, so the SCRUBBED* values below are not importable as-is.

# Three per-VLAN bridges for the wireless side plus br-masterport for the switched ports.
/interface bridge
add name=br-guests-40-vlan-wlan
add name=br-users-30-vlan-wlan
add name=br-infra-20-vlan-wlan
add admin-mac=4C:SCRUBBEDMAC:75 auto-mac=no name=br-masterport protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment="INTERNET GATEWAY"
set [ find default-name=ether2 ] comment="MASTER SWITCH PORT"
set [ find default-name=ether24 ] comment="TRUNK TO UPSTAIRS SWITCH"
set [ find default-name=sfp1 ] disabled=yes
# Physical radio, renamed wlan-users-30. default-authentication=no means clients are not
# admitted by default; admission appears to rest on the wireless access-list later in the export.
# NOTE(review): no security-profile is set here, so the default profile presumably applies -
# confirm what that profile enforces, since a MAC allow-list alone does not authenticate a client.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n comment=MYWIFI \
    default-authentication=no default-forwarding=no disabled=no frequency=\
    2427 mode=ap-bridge name=wlan-users-30 ssid=MYWIFI wireless-protocol=\
    802.11 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan-users-30 comment=MYWIFI
/interface wireless nstreme
set wlan-users-30 comment=MYWIFI
# CPU-side VLAN interfaces for management (10), infra (20), users (30) and guests (40).
/interface vlan
add interface=br-masterport name=vlan-mgmt-10 vlan-id=10
add interface=br-masterport name=vlan-infra-20 vlan-id=20
add interface=br-masterport name=vlan-users-30 vlan-id=30
add interface=br-masterport loop-protect=on name=vlan-guests-40 vlan-id=40
# Guest virtual AP on the same radio.
# NOTE(review): no security-profile is set here either, and hide-ssid=yes only stops the SSID
# being advertised; it is not an access control. Confirm the default profile's settings.
/interface wireless
add comment=MYWIFI-GUEST disabled=no hide-ssid=yes keepalive-frames=\
    disabled mac-address=4E:SCRUBBEDMAC:8F master-interface=wlan-users-30 \
    multicast-buffering=disabled name=wlan-guests-40 ssid=MYWIFI-GUEST \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan-guests-40 comment=MYWIFI-GUEST
/interface wireless nstreme
set wlan-guests-40 comment=MYWIFI-GUEST
# Switch-chip ingress filtering on ether2-ether24: drop frames with an invalid VLAN or whose
# source port is not a member of the frame's VLAN.
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24"
# PSK profile referenced by wlan-infra-20 below; the keys were scrubbed by the poster.
# NOTE(review): both wpa-psk and wpa2-psk are enabled; WPA2-only is the usual choice unless a
# legacy client needs WPA.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=WIFIPASSWD \
    supplicant-identity="" wpa-pre-shared-key=SCRUBBEDPASSWORD \
    wpa2-pre-shared-key=SCRUBBEDPASSWORD
# Infra virtual AP; the only wireless interface in this export with an explicit security profile.
/interface wireless
add comment=MYWIFI-INFRA disabled=no keepalive-frames=disabled mac-address=\
    4E:SCRUBBEDMAC:8E master-interface=wlan-users-30 multicast-buffering=\
    disabled name=wlan-infra-20 security-profile=WIFIPASSWD ssid=MYWIFI-INFRA \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan-infra-20 comment=MYWIFI-INFRA
/interface wireless nstreme
set wlan-infra-20 comment=MYWIFI-INFRA
# One DHCP pool per client subnet (guests 40, users 30, infra 20); management VLAN 10 has none.
/ip pool
add name=pool-vlan-guests-40 ranges=192.168.40.2-192.168.40.254
add name=pool-vlan-users-30 ranges=192.168.30.2-192.168.30.254
add name=pool-vlan-infra-20 ranges=192.168.20.2-192.168.20.254
# DHCP servers are bound to the per-VLAN bridges, not to the VLAN interfaces directly.
/ip dhcp-server
add address-pool=pool-vlan-guests-40 disabled=no interface=\
    br-guests-40-vlan-wlan name=dhcp-vlan-guests-40
add address-pool=pool-vlan-users-30 disabled=no interface=\
    br-users-30-vlan-wlan lease-time=1d name=dhcp-vlan-users-30
add address-pool=pool-vlan-infra-20 disabled=no interface=\
    br-infra-20-vlan-wlan lease-time=1d name=dhcp-vlan-infra-20
# Bridge membership. The first three entries (hw=no) attach wireless/VLAN interfaces to the
# per-VLAN bridges; ether2-ether24 join br-masterport.
# NOTE(review): br-infra-20-vlan-wlan lists vlan-infra-20 but not wlan-infra-20, while the
# users and guests bridges list their wlan interface but not their VLAN interface. Entries may
# have been lost in scrubbing - compare against the running config before reusing this.
/interface bridge port
add bridge=br-users-30-vlan-wlan hw=no interface=wlan-users-30
add bridge=br-infra-20-vlan-wlan hw=no interface=vlan-infra-20
add bridge=br-guests-40-vlan-wlan hw=no interface=wlan-guests-40
add bridge=br-masterport interface=ether2
add bridge=br-masterport interface=ether3
add bridge=br-masterport interface=ether4
add bridge=br-masterport interface=ether5
add bridge=br-masterport interface=ether6
add bridge=br-masterport interface=ether7
add bridge=br-masterport interface=ether8
add bridge=br-masterport interface=ether9
add bridge=br-masterport interface=ether10
add bridge=br-masterport interface=ether11
add bridge=br-masterport interface=ether12
add bridge=br-masterport interface=ether13
add bridge=br-masterport interface=ether14
add bridge=br-masterport interface=ether15
add bridge=br-masterport interface=ether16
add bridge=br-masterport interface=ether17
add bridge=br-masterport interface=ether18
add bridge=br-masterport interface=ether19
add bridge=br-masterport interface=ether20
add bridge=br-masterport interface=ether21
add bridge=br-masterport interface=ether22
add bridge=br-masterport interface=ether23
add bridge=br-masterport interface=ether24
/ip firewall connection tracking
set enabled=yes
# Neighbor discovery runs on every interface that is not dynamic.
# NOTE(review): that presumably includes ether1 (the WAN port), so the router would announce
# itself upstream; consider a dedicated interface list that leaves the WAN port out.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLANs 10-40 leave tagged on the trunk (ether24) and toward the CPU (switch1-cpu); the
# remaining ports are not listed as tagged.
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24,switch1-cpu vlan-id=10
add tagged-ports=ether24,switch1-cpu vlan-id=20
add tagged-ports=ether24,switch1-cpu vlan-id=30
add tagged-ports=ether24,switch1-cpu vlan-id=40
# Source-MAC to VLAN map: each listed (scrubbed) address is placed in VLAN 20 or VLAN 30.
# The source MAC is supplied by the client, so this table sorts devices into VLANs but does
# not authenticate them; rely on firewall rules between the VLANs for actual separation.
/interface ethernet switch mac-based-vlan
add new-customer-vid=20 src-mac-address=00:SCRUBBEDMAC:87
add new-customer-vid=20 src-mac-address=B8:SCRUBBEDMAC:2A
add new-customer-vid=20 src-mac-address=00:SCRUBBEDMAC:AE
add new-customer-vid=20 src-mac-address=00:SCRUBBEDMAC:14
add new-customer-vid=20 src-mac-address=64:SCRUBBEDMAC:C1
add new-customer-vid=20 src-mac-address=00:SCRUBBEDMAC:4D
add new-customer-vid=20 src-mac-address=00:SCRUBBEDMAC:73
add new-customer-vid=20 src-mac-address=08:SCRUBBEDMAC:87
add new-customer-vid=20 src-mac-address=00:SCRUBBEDMAC:0D
add new-customer-vid=20 src-mac-address=00:SCRUBBEDMAC:91
add new-customer-vid=20 src-mac-address=00:SCRUBBEDMAC:57
add new-customer-vid=30 src-mac-address=64:SCRUBBEDMAC:A2
add new-customer-vid=30 src-mac-address=64:SCRUBBEDMAC:EE
add new-customer-vid=30 src-mac-address=DC:SCRUBBEDMAC:16
add new-customer-vid=30 src-mac-address=98:SCRUBBEDMAC:FB
# Enable FDB-based VLAN translation on switch port items 1-22, 24 and 25.
# NOTE(review): item 23 is absent from this list - confirm whether that is intentional.
/interface ethernet switch port
set 1 allow-fdb-based-vlan-translate=yes
set 2 allow-fdb-based-vlan-translate=yes
set 3 allow-fdb-based-vlan-translate=yes
set 4 allow-fdb-based-vlan-translate=yes
set 5 allow-fdb-based-vlan-translate=yes
set 6 allow-fdb-based-vlan-translate=yes
set 7 allow-fdb-based-vlan-translate=yes
set 8 allow-fdb-based-vlan-translate=yes
set 9 allow-fdb-based-vlan-translate=yes
set 10 allow-fdb-based-vlan-translate=yes
set 11 allow-fdb-based-vlan-translate=yes
set 12 allow-fdb-based-vlan-translate=yes
set 13 allow-fdb-based-vlan-translate=yes
set 14 allow-fdb-based-vlan-translate=yes
set 15 allow-fdb-based-vlan-translate=yes
set 16 allow-fdb-based-vlan-translate=yes
set 17 allow-fdb-based-vlan-translate=yes
set 18 allow-fdb-based-vlan-translate=yes
set 19 allow-fdb-based-vlan-translate=yes
set 20 allow-fdb-based-vlan-translate=yes
set 21 allow-fdb-based-vlan-translate=yes
set 22 allow-fdb-based-vlan-translate=yes
set 24 allow-fdb-based-vlan-translate=yes
set 25 allow-fdb-based-vlan-translate=yes
# VLAN table: ether2-ether24 and switch1-cpu are members of all four VLANs (10, 20, 30, 40).
# NOTE(review): because every port is a member of every VLAN, including management VLAN 10,
# the membership check presumably does not confine an access port to one VLAN; narrow the
# per-VLAN port lists if access ports should only ever carry their assigned VLAN.
/interface ethernet switch vlan
add ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,eth\
    er11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether\
    20,ether21,ether22,ether23,ether24,switch1-cpu" vlan-id=10
add ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,eth\
    er11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether\
    20,ether21,ether22,ether23,ether24,switch1-cpu" vlan-id=20
add ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,eth\
    er11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether\
    20,ether21,ether22,ether23,ether24,switch1-cpu" vlan-id=30
add ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,eth\
    er11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether\
    20,ether21,ether22,ether23,ether24,switch1-cpu" vlan-id=40
# Per-client wireless access-list entries, matched on (scrubbed) MAC address, two for
# wlan-users-30 and two for wlan-infra-20, all with vlan-mode=no-tag.
/interface wireless access-list
add interface=wlan-users-30 mac-address=64:SCRUBBEDMAC:E5 \
    vlan-mode=no-tag
add interface=wlan-users-30 mac-address=\
    C8:SCRUBBEDMAC:D3 vlan-mode=no-tag
add interface=wlan-infra-20 \
    mac-address=D8:SCRUBBEDMAC:07 vlan-mode=no-tag
add interface=wlan-infra-20 mac-address=\
    44:SCRUBBEDMAC:07 vlan-mode=no-tag
# Gateway addresses: the guest, user and infra subnets sit on their bridges, management on
# the vlan-mgmt-10 interface.
/ip address
add address=192.168.40.1/24 interface=br-guests-40-vlan-wlan network=\
    192.168.40.0
add address=192.168.30.1/24 interface=br-users-30-vlan-wlan network=\
    192.168.30.0
add address=192.168.20.1/24 interface=br-infra-20-vlan-wlan network=\
    192.168.20.0
add address=192.168.10.1/24 interface=vlan-mgmt-10 network=192.168.10.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
# DHCP options per subnet: the router's own address is offered as first DNS server, followed
# by two public resolvers.
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8,8.8.4.4 gateway=\
    192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1,8.8.8.8,8.8.4.4 gateway=\
    192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1,8.8.8.8,8.8.4.4 gateway=\
    192.168.40.1
/ip dns
set servers=8.8.8.8,8.8.4.4
# The only filter rule: drop everything addressed to the router that arrives on ether1 (WAN).
# NOTE(review): no accept rule for established/related traffic precedes it, so replies to the
# router's own queries arriving on ether1 (e.g. for the NTP client below) would presumably be
# dropped too. There are also no forward-chain rules, so routing between the 192.168.10/20/30/40
# subnets is not filtered by anything shown here - guests can presumably reach the other VLANs.
/ip firewall filter
add action=drop chain=input in-interface=ether1
# Source NAT per subnet; the management subnet's rule is kept disabled except when patching.
/ip firewall nat
add action=masquerade chain=srcnat comment="PAT VLAN10 Keep disabled until needing to patch router software" disabled=yes \
    out-interface=ether1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="PAT VLAN20" out-interface=ether1 \
    src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment="PAT VLAN30" out-interface=ether1 \
    src-address=192.168.30.0/24
add action=masquerade chain=srcnat comment="PAT VLAN40" out-interface=ether1 \
    src-address=192.168.40.0/24
# Management services: telnet, ftp, api and api-ssl are off; www and ssh accept connections
# only from the management subnet.
# NOTE(review): winbox is not listed, so it is presumably still at its default and reachable
# from every internal VLAN - confirm it is restricted the same way as www and ssh.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24
set ssh address=192.168.10.0/24
set api disabled=yes
set api-ssl disabled=yes
/lcd interface
add interface=br-masterport
/system clock
set time-zone-name=America/Denver
/system identity
set name=home_router
/system ntp client
set enabled=yes primary-ntp=216.239.32.15 secondary-ntp=216.239.34.15