Community discussions

MikroTik App
  4. RouterOS
  5. General

VLAN not working with Switch Chip  [SOLVED]

Post Reply
 
empy
newbie
Topic Author
Posts: 26
Joined: Sat Nov 19, 2016 6:12 pm

VLAN not working with Switch Chip

Wed Jan 31, 2018 7:54 pm

Dears,

I have some problems ran into with my routeros 6.41 in terms of vlans.
This is where I am asking for help and support. And please let me say sorry for my english, I am a non native speaker.

Situation:
I have the following network architecture in mind and things do not really work as intended.

Code: Select all
Firewall---->VOIP Gateway
	---->WAN  
	---->Switch---->NAS(120)
		   ---->Computer(120)
		   ---->Mikrotik(2,140,145)---->Device1(140)
					   ---->Device2(140)
					   ---->Device3(140)
					   ---->Access Point(2,140,145)
vlan2 should be the managemnt vlan. (192.168.15.0/24)
vlan140 is for some devices connected to the mikrotik via lan. the vlan is vlan for internal wifi devices (they are in the same vlan140 in order to make them able communicating with each other)(192.168.140.0/24)
vlan145 is guest wifi only.(192.168.145.0/24)

vlans should be separated.
The mikrotik has the Ip 192.168.15.3.


Problem:
If I connect devices to the Port (e.g. for Device2) I get a DHCP assigned. The IP is from the wrong range, I get 192.168.15.xx instead of 192.168.140.xx.
It seems that those untagged ports are assigned to the wrong vlan.

Second problem: I cannot Ping the mikrotik from 120 vlan. Firewall allows the route. If I disconnect the mikrotik physically, ping status changes. but ping never has success.
I can ping the access point from vlan 120. access point and mikrotik are in the same vlan and subnet.


What I have done so far:
Access point has 2 wifi ssids (one 145 and one 140). dhcp is coming from firewall through the vlan and this works.
access point itself is connected to management vlan2 with fitting ip and this also seems to work.

switch has vlans enabled and ports are perpared (access, trunked)

firewall has dhcp pools per each vlan.

Question:

What am I doing wrong? Did I adjust the vlans on mikrotik correctly? I find it pretty confusing. I do not want to use any routing functions, just use it as a switch to separate networks. routing is done on the firwall machine.
this is my current setup:
Code: Select all
# nov/30/2017 04:09:57 by RouterOS 6.41
# software id = P42F-71TR
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number =xx
/interface ethernet
set [ find default-name=ether1 ] name=e1uplink
set [ find default-name=ether2 ] name=e2lan-hue
set [ find default-name=ether3 ] name=e3lan-rece
set [ find default-name=ether4 ] name=e4lan-raum
set [ find default-name=ether5 ] name=e5lan-ap poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface bridge
add fast-forward=no name=br-lan
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface ethernet switch port
set 1 vlan-header=always-strip
set 2 vlan-header=always-strip
set 3 vlan-header=always-strip
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=br-lan interface=e1uplink
add bridge=br-lan interface=e2lan-hue
add bridge=br-lan interface=e3lan-rec
add bridge=br-lan interface=e4lan-raum
add bridge=br-lan interface=e5lan-ap
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add independent-learning=no ports=e1uplink,e5lan-ap switch=switch1 vlan-id=2
add independent-learning=no ports=\
    e1uplink,e2lan-hue,e3lan-rec,e4lan-raum,e5lan-ap switch=switch1 \
    vlan-id=140
add independent-learning=no ports=e1uplink,e5lan-ap switch=switch1 vlan-id=\
    145
/ip address
add address=192.168.15.3/24 interface=br-lan network=192.168.15.0
/ip dns
set allow-remote-requests=yes servers=192.168.15.1
/ip route
add comment="standardgatew" distance=1 \
    gateway=192.168.15.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik_EG
/system logging
add topics=debug,wireless
/system ntp client
set enabled=yes primary-ntp=137.250.121.254 secondary-ntp=194.25.134.196
[empy@MikroTik_EG] >
Top
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VLAN not working with Switch Chip

Wed Jan 31, 2018 10:21 pm

Hi

There is a bridge configuration AND a switch configuration, and they are conflicting.

the configured bridge doesn't do vlan filtering, and bridges everything to everywhere: so untagged 15, tagged 2,140,145
=> that's why you get ip from 15 network

the configured switch doesn't redefine default-vlan-id nor vlan-mode

the vlan 120 isn't defined (but maybe it shouldn't on MT?)

What is your vlan-mode on the switch? Probably fallback? Consider changing it to secure or at least check.
Top
 
empy
newbie
Topic Author
Posts: 26
Joined: Sat Nov 19, 2016 6:12 pm

Re: VLAN not working with Switch Chip

Thu Feb 01, 2018 10:37 am

There is a bridge configuration AND a switch configuration, and they are conflicting.
Yeah, I am a bit confused to this. I am working since saturday on that, but I do not really know what is the correct approach.
My goal is
-to have the Ports for Device 1-3 as access ports to VLAN 140 (untagged)
-to have Port for Uplink as a trunk port (VLAN 2, 140, 145)
-to have Port for the AP as a trunk port (VLAN2, 140, 145)

Would you suggest to do that with the switch or the bridge?

I have played around with my current configuration. On my switch I have configured for the trunk connected to the mikrotik VLAN 2 as a PVID, i.e. if untagged frames arrive at the port, they get tagged to VLAN 2 (probably the reason why 15.xx is assigned by dhcp). If I change the PVID to 140 I would get the correct 140.xx ip. Having said that I am pretty sure that something in my configuration from Device 1-3 ports is wrong, since they seem not to have any vlan tag.


the vlan 120 isn't defined (but maybe it shouldn't on MT?)
you are right, this is done by the mein switch already. vlan 120 does not exist on the mikrotk. that works well.


What is your vlan-mode on the switch? Probably fallback? Consider changing it to secure or at least check.
vlan mode is the default adjustment. once i changed it to secure the port cannot be connected to at all. I cannot even access it with winbox then. if it define the default vlan id nothing changes.


the configured bridge doesn't do vlan filtering, and bridges everything to everywhere: so untagged 15, tagged 2,140,145
=> that's why you get ip from 15 network
i followed the tutorial on https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29
they do not sett vlan filter in the bridge?

would you suggest due switch or the bridge approach or is it both connected somehow? I do not get the clue behind it. my goal is just to use and separate the vlans so that the are not being routet. the routing is done on my hardware firewall.

thanks for asisstance! i have totally lost the orientation of how to do vlans in mikrotik.
Top
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VLAN not working with Switch Chip  [SOLVED]

Fri Feb 02, 2018 12:24 am

Hey, I messed up. Forgot that post 6.41 the switch DOESN'T do switching any longer, as that has been delegated to bridge (with hw-offloading in switch...(so back to switch then? ;) ))

So we need/use bridge for mac based packet forwarding, but still use switch for vlan filtering.

Hence:
# don't touch your bridge, it's config if fine. you need all ports part of bridge

BUT
# you need to fix the vlan filtering in switch, and if you do look at that tutorial, some steps are missing

https://wiki.mikrotik.com/wiki/Manual:S ... VLAN_Table
"Packets without vlan tag are treated just like if they had a vlan tag with port default-vlan-id. This means that if "vlan-mode=check or secure" to be able to forward packets without vlan tags you have to add a special entry to vlan table with the same vlan id set according to default-vlan-id."

"In Gigabit switch chips when "vlan-mode=secure", it ignores switch port "vlan-header" options. VLAN table entries handle all the egress tagging/untagging and works as "vlan-header=leave-as-is" on all ports.
It means what comes in tagged, goes out tagged as well, only "default-vlan-id" frames are untagged at the egress of port."

Missing:
Code: Select all
/interface ethernet switch port
set ether1 vlan-mode=secure 
set ether2 vlan-mode=secure default-vlan-id=140
set ether3 vlan-mode=secure default-vlan-id=140
set ether4 vlan-mode=secure default-vlan-id=140
set ether5 vlan-mode=secure
Top
 
empy
newbie
Topic Author
Posts: 26
Joined: Sat Nov 19, 2016 6:12 pm

Re: VLAN not working with Switch Chip

Fri Feb 02, 2018 4:27 pm

sebastia, thanks I got it working.
played around with the configuration and followed the guide once more. it works!

can it be that the hole vlan thing needs some time until the network has "learned" the configuration?
before lunch I had problem with management vlan2 of the ap (its backend was not accessible), 3 hours later it just works, and I did not touch anything else during this few hours...
Top
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VLAN not working with Switch Chip

Fri Feb 02, 2018 4:46 pm

You had / have
Code: Select all
independent-learning=no
So if these mac's were linked to wrong vlan, MT would need to forget them first...
Top
 
empy
newbie
Topic Author
Posts: 26
Joined: Sat Nov 19, 2016 6:12 pm

Re: VLAN not working with Switch Chip

Sat Feb 03, 2018 12:30 am

got it! still a lot to learn in mikrotik / networking ;)
thank you a lot!
Top
Post Reply

Who is online

Users browsing this forum: Ahrefs [Bot], gsipos, jfh, Pinacolada88, spippan, Wolvyreen and 24 guests
  4. RouterOS
  5. General