digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Dealing with VLANs on cisco switch.

Tue Jul 24, 2018 5:27 pm

Greetings everyone!

So I have this setup on a Cisco switch:
ether1 vlan id=10 ip address 10.10.10.2 255.255.255.0
ether2 vlan id=20 ip address 10.10.20.2 255.255.255.0
ether3 vlan id=30 ip address 10.10.30.2 255.255.255.0
ether4 vlan id=40 ip address 10.10.40.2 255.255.255.0
ether5 vlan id=50 ip address 10.10.50.2 255.255.255.0
ether6 vlan id=60 ip address 10.10.60.2 255.255.255.0
ether7 vlan id=70 ip address 10.10.70.2 255.255.255.0
ether8 vlan id=80 ip address 10.10.80.2 255.255.255.0
ether9 vlan id=90 ip address 10.10.90.2 255.255.255.0
ether24 switchport mode trunk

I have added the corresponding VLANs on ether9 of a MikroTik router:
/interface vlan
add name=10.10.10.1 interface=ether9 disabled=no
add name=10.10.20.1 interface=ether9 disabled=no
add name=10.10.30.1 interface=ether9 disabled=no
add name=10.10.40.1 interface=ether9 disabled=no
add name=10.10.50.1 interface=ether9 disabled=no
add name=10.10.60.1 interface=ether9 disabled=no
add name=10.10.70.1 interface=ether9 disabled=no
add name=10.10.80.1 interface=ether9 disabled=no
add name=10.10.90.1 interface=ether9 disabled=no
/ip address
add address=10.10.10.1/24 interface=10.10.10.1
add address=10.10.20.1/24 interface=10.10.20.1
add address=10.10.30.1/24 interface=10.10.30.1
add address=10.10.40.1/24 interface=10.10.40.1
add address=10.10.50.1/24 interface=10.10.50.1
add address=10.10.60.1/24 interface=10.10.60.1
add address=10.10.70.1/24 interface=10.10.70.1
add address=10.10.80.1/24 interface=10.10.80.1
add address=10.10.90.1/24 interface=10.10.90.1
add address=10.102.100.253/24 interface=ether1
Ether1 is the WAN port. My question is, how can I possibly make these VLANs communicate through the WAN port? What else do I need to add to this config?
Thank you...
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Dealing with VLANs on cisco switch.

Tue Jul 24, 2018 7:42 pm

 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Tue Jul 24, 2018 8:52 pm

Thank you for posting! I will read these articles tonight. Meanwhile, this is the setup I'm looking for: I want these VLANs to pass through ether1 of the router to reach the PPPoE internet service provider. Note that the ISP does not deal with my VLANs nor provide any VLAN to me, so the VLAN setup is just to isolate the internal networks and to give each one of them a separate network.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Dealing with VLANs on cisco switch.

Tue Jul 24, 2018 9:13 pm

Based on diagram, the solution you are looking for is called "Router on a stick", I did provide a link for this in my previous post.

What I don't see, and you might have removed this info before pasting, is the vlan-ids in the below:

/interface vlan
add name=10.10.10.1 interface=ether9 disabled=no
add name=10.10.20.1 interface=ether9 disabled=no
...

If there are no firewall rules blocking comms between these VLANs and the WAN port, it should work by default, i.e. the MikroTik router will create a directly attached (connected) route for each VLAN; then you will have a default gateway route via the WAN interface, either created dynamically or statically depending on your setup, and the various VLANs will route via this interface to the internet.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Sat Aug 04, 2018 1:54 pm

Sorry for the delay in response!! I was quite busy and didn't have enough time to reply, so I really apologize.

So the setup has some updates now: it appears that my ISP is providing me with service through a VLAN (959); I was not aware of it until I called the support center.

I added VLAN 959 on the WAN port and gave it an IP address on the MT router, but I cannot ping the ISP. They use Cisco switches, so I thought it might be a compatibility issue; therefore, just as a test, I used a Cisco 2950 switch, added the VLAN (959), and I could ping easily!!

So what's wrong here? Can someone explain this to me please?
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Sat Aug 04, 2018 2:54 pm

Have you modified the configuration from your first post based on the reading recommended by @CZFan? Because there was a systematic mistake in it, and it is not clear from what you've posted later whether you have corrected that mistake or not.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Sat Aug 04, 2018 7:50 pm

Hello Sindy!!

Can you please tell me what kind of mistake I made?
I have the same setup right now; the only new thing is that my port on the ISP side is VLAN 959.

When I add VLAN 959 on the WAN port I couldn't ping the ISP gateway, but when I added the same VLAN on the Cisco switch I had ping just fine.

So, I don't know what kind of issue I'm facing.

Looking forward to seeing your reply...

Thank you.
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Sat Aug 04, 2018 8:35 pm

@CZFan has already told you that the vlan-id parameter is not visible in your configuration export, but you haven't provided any standpoint on that.

So each /interface vlan configuration must contain the interface parameter specifying the underlying interface (which is ether9 for all of them in your case) but also a vlan-id, which is missing in your configuration export. That would suggest that all of them have the default vlan-id=1, but that is not possible.

Other than that, the LAN-facing configuration looks fine, except if the client devices should use dynamic IP configuration, as you haven't posted any /ip dhcp-server related configuration. If the DHCP servers for the subnets inside those VLANs are running somewhere else, they must provide the MikroTik's IP addresses in these subnets as gateways if the MikroTik should be their gateway to the internet.

Next, regarding the WAN side, you say that you have attached an IP address to an /interface vlan with vlan-id=959 attached to the WAN interface (ether1). However, the picture suggests that the ISP runs a PPPoE service. If so, you have to attach an /interface pppoe-client to that /interface vlan instead of attaching an IP address configuration to it.

Last but not least, before ever connecting the MikroTik to the internet, you should set up firewall rules (or use the default ones and modify the /interface list member of list=WAN accordingly).

As always, I recommend following the hint in my automatic signature. Maybe you should also post the part of the Cisco configuration related to VLAN 959.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Sat Aug 04, 2018 9:54 pm

Thank you Sindy & CZFan for your insights.
Regarding the IP addresses I'm using, none of them is public, not even the one of my ISP.
So, this is the /export:
/interface bridge
add fast-forward=no name=bridge1
/interface vlan
add interface=ether9 name=10.10.10.1 vlan-id=10
add interface=ether9 name=10.10.20.1 vlan-id=20
add interface=ether9 name=10.10.30.1 vlan-id=30
add interface=ether9 name=10.10.40.1 vlan-id=40
add interface=ether9 name=10.10.50.1 vlan-id=50
add interface=ether9 name=10.10.60.1 vlan-id=60
add interface=ether9 name=10.10.70.1 vlan-id=70
add interface=ether9 name=10.10.80.1 vlan-id=80
add interface=ether9 name=10.10.90.1 vlan-id=90
add interface=ether1 name=wan vlan-id=959
/interface pppoe-client
add interface=wan name=pppoe-out1
/interface bridge port
add bridge=bridge1 horizon=1 interface=wan
add bridge=bridge1 horizon=3 interface=10.10.10.1
add bridge=bridge1 horizon=3 interface=10.10.20.1
add bridge=bridge1 horizon=3 interface=10.10.30.1
add bridge=bridge1 horizon=3 interface=10.10.40.1
add bridge=bridge1 horizon=3 interface=10.10.50.1
add bridge=bridge1 horizon=3 interface=10.10.60.1
add bridge=bridge1 horizon=3 interface=10.10.70.1
add bridge=bridge1 horizon=3 interface=10.10.80.1
add bridge=bridge1 horizon=3 interface=10.10.90.1
/ip address
add address=10.10.10.1/24 interface=10.10.10.1 network=10.10.10.0
add address=10.10.20.1/24 interface=10.10.20.1 network=10.10.20.0
add address=10.10.30.1/24 interface=10.10.30.1 network=10.10.30.0
add address=10.10.40.1/24 interface=10.10.40.1 network=10.10.40.0
add address=10.10.50.1/24 interface=10.10.50.1 network=10.10.50.0
add address=10.10.60.1/24 interface=10.10.60.1 network=10.10.60.0
add address=10.10.70.1/24 interface=10.10.70.1 network=10.10.70.0
add address=10.10.80.1/24 interface=10.10.80.1 network=10.10.80.0
add address=10.10.90.1/24 interface=10.10.90.1 network=10.10.90.0

I used the bridge in order to let the PPPoE connection work, as you described to me earlier in my last post (Connecting multiple networks) that it works on layer 2.
So, is this how it should be done?
Last edited by digitalinee on Sat Aug 04, 2018 10:09 pm, edited 1 time in total.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Sat Aug 04, 2018 10:06 pm

This is the cisco switch setup:
Switch#show running-config
Building configuration...

Current configuration : 1395 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
!
spanning-tree mode pvst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport access vlan 30
!
interface FastEthernet0/4
 switchport access vlan 40
!
interface FastEthernet0/5
 switchport access vlan 50
!
interface FastEthernet0/6
 switchport access vlan 60
!
interface FastEthernet0/7
 switchport access vlan 70
!
interface FastEthernet0/8
 switchport access vlan 80
!
interface FastEthernet0/9
 switchport access vlan 90
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport mode trunk
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Sat Aug 04, 2018 10:48 pm

In the MikroTik configuration, by bridging together the tagless ends of all the /interface vlan you haven't helped anything, so remove the records from /interface bridge port. The tagged ends of all the /interface vlan (except 959) are at ether9 and that's enough; it matches the trunk configuration on the Cisco side.

Unless you have some very restrictive firewall rules (you again haven't posted the complete configuration, just a part of it), routing between the subnets in the VLANs and the internet should work. You need an action=masquerade or action=src-nat rule in /ip firewall nat so that devices in the VLAN subnets can talk to the internet bi-directionally, as the ISP doesn't have routes back to you for those private subnets.

In the configuration of the Cisco there is nothing at all regarding VLAN 959, so I don't get how it is possible that connecting this Cisco to the ISP's uplink can make the devices access the internet.
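Two remarks in this thread, sindy's earlier point that every /interface vlan needs an explicit vlan-id and the one just above that the tagged ends of the VLAN interfaces sit on ether9 and match the Cisco trunk, both come down to how the 802.1Q tag on a frame selects the sub-interface. The Python below is an added example written for this page; it is not code from the thread or from RouterOS. It builds tagged frames, parses the tag, and demultiplexes frames the way a router-on-a-stick parent port does. The frame bytes, MAC addresses and the TrunkPort class are all constructed for the example.

```python
"""Demultiplexing 802.1Q-tagged frames from a trunk into per-VLAN sub-interfaces.

Added example (not part of the thread or of RouterOS): each /interface vlan
entry is modelled as a (parent interface, vlan-id) pair, and a frame that
arrives on the parent is delivered to the child whose vlan-id equals the
12-bit VID carried in the 802.1Q tag. Frame bytes are constructed here.
"""
import struct
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100  # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    tag = b""
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        tci = (pcp << 13) | vlan_id  # PCP (3 bits), DEI (1 bit), VID (12 bits)
        tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return dst_mac + src_mac + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan_id (None when untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": etype, "payload": frame[offset:]}


class TrunkPort:
    """A parent interface (ether9 in the thread) with /interface vlan children."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.vlans: Dict[int, str] = {}  # vlan-id -> child interface name

    def add_vlan(self, name: str, vlan_id: int) -> None:
        # A vlan-id must be given explicitly and may be used by only one child,
        # which is why an export without vlan-id on every entry cannot be right.
        if vlan_id in self.vlans:
            raise ValueError(f"vlan-id {vlan_id} already used by {self.vlans[vlan_id]}")
        self.vlans[vlan_id] = name

    def deliver(self, frame: bytes) -> Optional[str]:
        """Name of the interface that receives the frame; None if it is dropped."""
        vid = parse_frame(frame)["vlan_id"]
        if vid is None:
            return self.name  # untagged traffic stays on the parent interface
        return self.vlans.get(vid)  # tag with no matching child: dropped


def demo() -> Dict[Optional[int], Optional[str]]:
    """Recreate the thread's ether9 trunk and push one frame per case through it."""
    ether9 = TrunkPort("ether9")
    for vid in range(10, 100, 10):  # vlan-id 10..90 as in the export
        ether9.add_vlan(f"10.10.{vid}.1", vid)
    host, router = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
    payload = b"\x45" + b"\x00" * 19  # minimal IPv4 header stand-in
    return {vid: ether9.deliver(build_frame(router, host, payload, vlan_id=vid))
            for vid in (10, 90, 959, None)}


if __name__ == "__main__":
    for vid, iface in demo().items():
        print(f"frame tagged {vid!s:>4} -> {iface}")
```

The frame tagged 959 is dropped on ether9 because no child carries that vlan-id there; in the thread's setup, VLAN 959 belongs on ether1, which is exactly why the tagged end of the wan interface must be ether1 and not ether9.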
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Sun Aug 05, 2018 4:04 pm

I have posted the full export text, I have nothing to hide.
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Sun Aug 05, 2018 4:35 pm

digitalinee wrote:
I have posted the full export text, I have nothing to hide.
If so, there is no firewall at all, which
  1. is dangerous
  2. means that there is no src-nat or masquerade rule allowing the devices in the local subnets to receive responses from devices in the internet
Imagine how the packets flow. Your device sends a request from, say, 10.10.10.5 to, say, Google DNS at 8.8.8.8. Unless something on the way replaces the 10.10.10.5 by some public IP address, the Google DNS sends the response to 10.10.10.5, but in its local context 10.10.10.5 identifies some device in Google's enterprise network. To avoid this, your router must replace the 10.10.10.5 by its own WAN address (assuming for simplicity's sake that it is a public one) and remember that substitution in a context called "connection", so that when the response arrives, it can make a symmetric change and forward the received packet from 8.8.8.8 to 10.10.10.5. The fact that your router's WAN address is also a private one doesn't change anything about this principle, except that your WAN address is unique in the network of your ISP, and the ISP's edge router connecting the ISP to the internet does exactly the same NAT operation itself, translating your (private) WAN address to its own (public) WAN address. So you end up with multiple NATs between the client in your private network and the server in the internet.

So I would recommend you set up the firewall rules, copied from the default configuration and slightly modified to reflect your situation:
/interface list member add list=LAN interface=10.10.10.1
...make all the LAN interfaces members of interface list LAN here...
/interface list member add list=LAN interface=10.10.90.1
/interface list member add list=WAN interface=pppoe-out1
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf:  drop all from WAN not DSTNATed"
}
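The walk-through above (source NAT on the way out, a remembered "connection", the symmetric rewrite on the way back, and a second NAT at the ISP edge) is easier to follow with the state tables in front of you. The Python below is an added example written for this page, not code from the thread or from RouterOS. It replays the flow hop by hop and also shows what the "drop all from WAN not DSTNATed" rule achieves: a packet from the WAN side that matches no tracked connection has nowhere to go and is dropped. The MikroTik's WAN address 10.102.100.253 is taken from the first post; the ISP edge's public address 203.0.113.7, the probe source and all ports are assumptions constructed for the example.

```python
"""Stateful source NAT (masquerade) and connection tracking, hop by hop.

Added example, not code from the thread or from RouterOS: it replays the
packet flow sindy describes. A LAN host 10.10.10.5 sends a DNS query to
8.8.8.8; the MikroTik rewrites the source to its (private) WAN address
10.102.100.253 and records the connection; the ISP edge does the same
with a public address (203.0.113.7 is an assumed documentation address);
the reply is mapped back one hop at a time. It also shows why a packet
from the WAN that matches no tracked connection is dropped, which is what
the default rule "drop all from WAN not DSTNATed" does. Addresses and
ports are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "udp"


class MasqueradeRouter:
    """One NAT hop: rewrites inside sources to wan_ip and tracks connections."""

    def __init__(self, name: str, wan_ip: str, first_port: int = 40000) -> None:
        self.name = name
        self.wan_ip = wan_ip
        self._next_port = first_port
        # (proto, translated source, destination) -> original source
        self.conntrack: Dict[Tuple[str, Endpoint, Endpoint], Endpoint] = {}
        self.dropped = 0

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: source NAT, reusing the mapping if the flow is known."""
        for (proto, nat_src, dst), orig in self.conntrack.items():
            if proto == pkt.proto and orig == pkt.src and dst == pkt.dst:
                return replace(pkt, src=nat_src)
        nat_src = (self.wan_ip, self._next_port)
        self._next_port += 1
        self.conntrack[(pkt.proto, nat_src, pkt.dst)] = pkt.src
        return replace(pkt, src=nat_src)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: forward only replies to a tracked connection."""
        orig = self.conntrack.get((pkt.proto, pkt.dst, pkt.src))  # reply swaps src/dst
        if orig is None:
            self.dropped += 1  # connection-state=new from WAN, not DSTNATed: drop
            return None
        return replace(pkt, dst=orig)


def run_scenario() -> dict:
    """Double NAT: MikroTik behind an ISP edge, plus an unsolicited probe."""
    mikrotik = MasqueradeRouter("mikrotik", wan_ip="10.102.100.253")
    isp_edge = MasqueradeRouter("isp-edge", wan_ip="203.0.113.7")

    query = Packet(src=("10.10.10.5", 51000), dst=("8.8.8.8", 53))
    on_isp_net = mikrotik.outbound(query)        # src -> 10.102.100.253:40000
    on_internet = isp_edge.outbound(on_isp_net)  # src -> 203.0.113.7:40000

    # 8.8.8.8 answers to the address it saw; each hop undoes its own rewrite.
    reply = Packet(src=on_internet.dst, dst=on_internet.src)
    back_at_isp = isp_edge.inbound(reply)
    back_at_lan = mikrotik.inbound(back_at_isp) if back_at_isp else None

    # Something on the ISP network pokes the MikroTik's WAN address directly.
    probe = Packet(src=("10.102.100.9", 4444), dst=("10.102.100.253", 40000))
    probe_delivered = mikrotik.inbound(probe) is not None

    return {
        "on_internet_src": on_internet.src,
        "reply_dst_at_lan": back_at_lan.dst if back_at_lan else None,
        "probe_delivered": probe_delivered,
        "mikrotik_dropped": mikrotik.dropped,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Note that the probe targets the very port the MikroTik handed out for the DNS flow and is still dropped: the lookup is on the full (protocol, translated source, destination) tuple, so only the peer the connection was opened to can reach back through the mapping. That is the behaviour the masquerade rule together with the "drop invalid" and "drop all from WAN not DSTNATed" filter rules gives you on the real router.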
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Sun Aug 05, 2018 5:24 pm

Wow!! That's a lot of new things to learn!!
You are so helpful, man!! I will read about each one of those; I like to understand things first before implementing them.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Dealing with VLANs on cisco switch.

Sun Aug 05, 2018 7:00 pm

digitalinee wrote:
I have posted the full export text, I have nothing to hide.

No way that is the full config, i.e. there is no interface info, etc.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Mon Aug 06, 2018 5:21 pm

 /interface list member add list=LAN interface=10.10.10.1 
input does not match any value of list
Why am I facing this issue? This applies to physical ports as well!!
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Mon Aug 06, 2018 6:16 pm

digitalinee wrote:
I have posted the full export text, I have nothing to hide.

CZFan wrote:
No way that is the full config, i.e. there is no interface info, etc.
/interface bridge
add fast-forward=no name=bridge1
/interface vlan
add interface=ether9 name=10.10.10.1 vlan-id=10
add interface=ether9 name=10.10.20.1 vlan-id=20
add interface=ether9 name=10.10.30.1 vlan-id=30
add interface=ether9 name=10.10.40.1 vlan-id=40
add interface=ether9 name=10.10.50.1 vlan-id=50
add interface=ether9 name=10.10.60.1 vlan-id=60
add interface=ether9 name=10.10.70.1 vlan-id=70
add interface=ether9 name=10.10.80.1 vlan-id=80
add interface=ether9 name=10.10.90.1 vlan-id=90
add interface=ether1 name=wan vlan-id=959
/interface pppoe-client
add interface=wan name=pppoe-out1
/interface bridge port
add bridge=bridge1 horizon=1 interface=wan
add bridge=bridge1 horizon=3 interface=10.10.10.1
add bridge=bridge1 horizon=3 interface=10.10.20.1
add bridge=bridge1 horizon=3 interface=10.10.30.1
add bridge=bridge1 horizon=3 interface=10.10.40.1
add bridge=bridge1 horizon=3 interface=10.10.50.1
add bridge=bridge1 horizon=3 interface=10.10.60.1
add bridge=bridge1 horizon=3 interface=10.10.70.1
add bridge=bridge1 horizon=3 interface=10.10.80.1
add bridge=bridge1 horizon=3 interface=10.10.90.1
/ip address
add address=10.10.10.1/24 interface=10.10.10.1 network=10.10.10.0
add address=10.10.20.1/24 interface=10.10.20.1 network=10.10.20.0
add address=10.10.30.1/24 interface=10.10.30.1 network=10.10.30.0
add address=10.10.40.1/24 interface=10.10.40.1 network=10.10.40.0
add address=10.10.50.1/24 interface=10.10.50.1 network=10.10.50.0
add address=10.10.60.1/24 interface=10.10.60.1 network=10.10.60.0
add address=10.10.70.1/24 interface=10.10.70.1 network=10.10.70.0
add address=10.10.80.1/24 interface=10.10.80.1 network=10.10.80.0
add address=10.10.90.1/24 interface=10.10.90.1 network=10.10.90.0
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Mon Aug 06, 2018 6:24 pm

digitalinee wrote:
 /interface list member add list=LAN interface=10.10.10.1 
input does not match any value of list
Why am I facing this issue? This applies to physical ports as well!!
You must first add the list itself:

/interface list add name=LAN
/interface list add name=WAN
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Mon Aug 06, 2018 6:28 pm

digitalinee wrote:
 /interface list member add list=LAN interface=10.10.10.1 
input does not match any value of list
Why am I facing this issue? This applies to physical ports as well!!
I have created the LAN list successfully, and proceeding....
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Mon Aug 06, 2018 6:29 pm

digitalinee wrote:
 /interface list member add list=LAN interface=10.10.10.1 
input does not match any value of list
Why am I facing this issue? This applies to physical ports as well!!

sindy wrote:
You must first add the list itself:

/interface list add name=LAN
/interface list add name=WAN
Okay
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Tue Aug 07, 2018 9:01 pm

I had no success making a PPPoE connection; when the wan interface is bridged to bridge1, the pppoe-client turns red saying it should not be on a slave interface.
/interface bridge
add fast-forward=no name=bridge1
/interface vlan
add interface=ether9 name=10.10.10.1 vlan-id=10
add interface=ether9 name=10.10.20.1 vlan-id=20
add interface=ether9 name=10.10.30.1 vlan-id=30
add interface=ether9 name=10.10.40.1 vlan-id=40
add interface=ether9 name=10.10.50.1 vlan-id=50
add interface=ether9 name=10.10.60.1 vlan-id=60
add interface=ether9 name=10.10.70.1 vlan-id=70
add interface=ether9 name=10.10.80.1 vlan-id=80
add interface=ether9 name=10.10.90.1 vlan-id=90
add interface=ether1 name=wan vlan-id=959
/interface pppoe-client
# Client is on slave interface
add disabled=no interface=wan name=pppoe-out1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 horizon=3 interface=10.10.10.1
add bridge=bridge1 horizon=3 interface=10.10.20.1
add bridge=bridge1 horizon=3 interface=10.10.30.1
add bridge=bridge1 horizon=3 interface=10.10.40.1
add bridge=bridge1 horizon=3 interface=10.10.50.1
add bridge=bridge1 horizon=3 interface=10.10.60.1
add bridge=bridge1 horizon=3 interface=10.10.70.1
add bridge=bridge1 horizon=3 interface=10.10.80.1
add bridge=bridge1 horizon=3 interface=10.10.90.1
add bridge=bridge1 interface=wan
/interface list member
add interface=10.10.10.1 list=LAN
add interface=10.10.20.1 list=LAN
add interface=10.10.30.1 list=LAN
add interface=10.10.40.1 list=LAN
add interface=10.10.50.1 list=LAN
add interface=10.10.60.1 list=LAN
add interface=10.10.70.1 list=LAN
add interface=10.10.80.1 list=LAN
add interface=10.10.90.1 list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.10.10.1/24 interface=10.10.10.1 network=10.10.10.0
add address=10.10.20.1/24 interface=10.10.20.1 network=10.10.20.0
add address=10.10.30.1/24 interface=10.10.30.1 network=10.10.30.0
add address=10.10.40.1/24 interface=10.10.40.1 network=10.10.40.0
add address=10.10.50.1/24 interface=10.10.50.1 network=10.10.50.0
add address=10.10.60.1/24 interface=10.10.60.1 network=10.10.60.0
add address=10.10.70.1/24 interface=10.10.70.1 network=10.10.70.0
add address=10.10.80.1/24 interface=10.10.80.1 network=10.10.80.0
add address=10.10.90.1/24 interface=10.10.90.1 network=10.10.90.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Tue Aug 07, 2018 10:09 pm

But there is no reason to put the interface named wan into a bridge. The hierarchy is ether1 (physical interface), to which the tagged side of /interface vlan name=wan is connected, and to the tagless side of that /interface vlan the /interface pppoe-client name=pppoe-out1 is connected. The /interface pppoe-client gets an IP address from the ISP (check that using /ip address print), and the routing together with NAT will provide the connection of devices in the VLANs to the internet.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Wed Aug 08, 2018 11:16 pm

I'm currently testing the setup in a small environment; the network was shut down when I first plugged in the router!!
/interface bridge
add fast-forward=no name=bridge1
/interface vlan
add interface=ether9 name=10.10.10.1 vlan-id=10
add interface=ether9 name=10.10.20.1 vlan-id=20
add interface=ether9 name=10.10.30.1 vlan-id=30
add interface=ether9 name=10.10.40.1 vlan-id=40
add interface=ether9 name=10.10.50.1 vlan-id=50
add interface=ether9 name=10.10.60.1 vlan-id=60
add interface=ether9 name=10.10.70.1 vlan-id=70
add interface=ether9 name=10.10.80.1 vlan-id=80
add interface=ether9 name=10.10.90.1 vlan-id=90
add interface=ether1 name=wan vlan-id=959
/interface pppoe-client
add interface=wan name=pppoe-out1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 horizon=1 interface=ether1
add bridge=bridge1 horizon=3 interface=10.10.10.1
add bridge=bridge1 horizon=3 interface=10.10.20.1
add bridge=bridge1 horizon=3 interface=10.10.30.1
add bridge=bridge1 horizon=3 interface=10.10.40.1
add bridge=bridge1 horizon=3 interface=10.10.50.1
add bridge=bridge1 horizon=3 interface=10.10.60.1
add bridge=bridge1 horizon=3 interface=10.10.70.1
add bridge=bridge1 horizon=3 interface=10.10.80.1
add bridge=bridge1 horizon=3 interface=10.10.90.1
/interface list member
add interface=10.10.10.1 list=LAN
add interface=10.10.20.1 list=LAN
add interface=10.10.30.1 list=LAN
add interface=10.10.40.1 list=LAN
add interface=10.10.50.1 list=LAN
add interface=10.10.60.1 list=LAN
add interface=10.10.70.1 list=LAN
add interface=10.10.80.1 list=LAN
add interface=10.10.90.1 list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.10.10.1/24 interface=10.10.10.1 network=10.10.10.0
add address=10.10.20.1/24 interface=10.10.20.1 network=10.10.20.0
add address=10.10.30.1/24 interface=10.10.30.1 network=10.10.30.0
add address=10.10.40.1/24 interface=10.10.40.1 network=10.10.40.0
add address=10.10.50.1/24 interface=10.10.50.1 network=10.10.50.0
add address=10.10.60.1/24 interface=10.10.60.1 network=10.10.60.0
add address=10.10.70.1/24 interface=10.10.70.1 network=10.10.70.0
add address=10.10.80.1/24 interface=10.10.80.1 network=10.10.80.0
add address=10.10.90.1/24 interface=10.10.90.1 network=10.10.90.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Wed Aug 08, 2018 11:39 pm

What does "was shut down" mean? What exactly did you do? I can still see that ether1 is added as a member port of bridge1, which makes no sense in this setup.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Wed Aug 08, 2018 11:47 pm

The internet connection was terminated when I plugged in the router; I had to reboot it to make it run again.
I have removed ether1 from the bridge and still cannot establish a PPPoE connection.
/interface bridge
add fast-forward=no name=bridge1
/interface vlan
add interface=ether9 name=10.10.10.1 vlan-id=10
add interface=ether9 name=10.10.20.1 vlan-id=20
add interface=ether9 name=10.10.30.1 vlan-id=30
add interface=ether9 name=10.10.40.1 vlan-id=40
add interface=ether9 name=10.10.50.1 vlan-id=50
add interface=ether9 name=10.10.60.1 vlan-id=60
add interface=ether9 name=10.10.70.1 vlan-id=70
add interface=ether9 name=10.10.80.1 vlan-id=80
add interface=ether9 name=10.10.90.1 vlan-id=90
add interface=ether1 name=wan vlan-id=959
/interface pppoe-client
add interface=wan name=pppoe-out1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 horizon=3 interface=10.10.10.1
add bridge=bridge1 horizon=3 interface=10.10.20.1
add bridge=bridge1 horizon=3 interface=10.10.30.1
add bridge=bridge1 horizon=3 interface=10.10.40.1
add bridge=bridge1 horizon=3 interface=10.10.50.1
add bridge=bridge1 horizon=3 interface=10.10.60.1
add bridge=bridge1 horizon=3 interface=10.10.70.1
add bridge=bridge1 horizon=3 interface=10.10.80.1
add bridge=bridge1 horizon=3 interface=10.10.90.1
/interface list member
add interface=10.10.10.1 list=LAN
add interface=10.10.20.1 list=LAN
add interface=10.10.30.1 list=LAN
add interface=10.10.40.1 list=LAN
add interface=10.10.50.1 list=LAN
add interface=10.10.60.1 list=LAN
add interface=10.10.70.1 list=LAN
add interface=10.10.80.1 list=LAN
add interface=10.10.90.1 list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.10.10.1/24 interface=10.10.10.1 network=10.10.10.0
add address=10.10.20.1/24 interface=10.10.20.1 network=10.10.20.0
add address=10.10.30.1/24 interface=10.10.30.1 network=10.10.30.0
add address=10.10.40.1/24 interface=10.10.40.1 network=10.10.40.0
add address=10.10.50.1/24 interface=10.10.50.1 network=10.10.50.0
add address=10.10.60.1/24 interface=10.10.60.1 network=10.10.60.0
add address=10.10.70.1/24 interface=10.10.70.1 network=10.10.70.0
add address=10.10.80.1/24 interface=10.10.80.1 network=10.10.80.0
add address=10.10.90.1/24 interface=10.10.90.1 network=10.10.90.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Wed Aug 08, 2018 11:59 pm

You've plugged the router in parallel to the existing one? Show a diagram of the existing setup, the new setup and how you interconnect them. My whole understanding so far was that you connect ether1 to the wire coming from the ISP on which the PPPoE is in vlan 959, instead of the original router. You usually cannot have several PPPoE clients using the same account simultaneously.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Thu Aug 09, 2018 12:12 am

The diagram that I posted earlier is what the setup should look like. I tested the setup via a switch (not a router) connected to the ISP in parallel, as you said; the reason for this is I didn't want any unnecessary downtime for the network. So I understand from you that I should test it directly against the ISP.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Thu Aug 09, 2018 5:39 pm

I have tested the setup directly, but to no avail so far :(
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Thu Aug 09, 2018 5:44 pm

I don't know how to explain that: if I don't understand the current setup, I cannot suggest one for the Mikrotik replacing/extending the current setup.

If you connect the Cisco to the cable from the ISP box directly, instead of putting Mikrotik in between, does it work? Where is the PPPoE client in the current setup? On the Cisco, in the ISP box, in one of the PCs connected to Cisco?
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Thu Aug 09, 2018 7:14 pm

This is the detailed diagram of the setup that I'm looking for.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Thu Aug 09, 2018 8:02 pm

> If you connect the Cisco to the cable from the ISP box directly, instead of putting Mikrotik in between, does it work?

If I connect a PC directly to the cable from the ISP, the PPPoE will work; if I plug the cable into a switch and connect a PC to that switch, the PPPoE works; if I separate internal networks via physical ports like I did here >> viewtopic.php?f=2&t=136684&p=674724#p674724 the PPPoE will work again. The problem starts when VLANs are involved in the equation.
 
StubArea51
Trainer
Posts: 1742
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net
Contact:

Re: Dealing with VLANs on cisco switch.

Fri Aug 10, 2018 1:02 am

So is VLAN 959 tagged towards the MikroTik router from the ISP Cisco Distribution Switch or not?

Can you validate tagged or untagged by using the MikroTik to perform a packet capture using /tool sniffer?
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Fri Aug 10, 2018 1:38 am

The Cisco switch, if plugged directly into the ISP distribution switch, will work okay and provide service as well, but it will keep showing notifications every minute in the CLI of native VLAN mismatch 959; they go away if I switchport all the ports to VLAN 959.
So does it mean tagged or untagged?
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Fri Aug 10, 2018 11:11 am

As all the PPPoE clients run on the PCs directly, all the PCs must be connected directly into VLAN959. This was not clear from the initial information, so I was expecting that the PCs have normal static or DHCP IP configuration and there is a router between the private IP subnets each living on one of the VLANs and the uplink subnet.

More than that, I'm not sure how it could actually work in the original state (without the Mikrotik) and what you want to achieve by inserting the Mikrotik into the scheme. Please post the output of show running-config from the central Cisco in the picture and any single one of those to which the PC client is connected, and separately give the names/numbers of the ports used (to which port of the satellite Cisco the PC is connected, which ports of the satellite Cisco and the central one are used for their interconnection, which port of the central Cisco is connected to the ISP Cisco).

It seems to me that the VLANs on the Ciscos are actually unused and everything actually lives because the default VLAN is the same on all the Ciscos, so the PPPoE communication runs tagless on all cables.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Fri Aug 10, 2018 11:59 am

It is my bad that I didn't tell you that what I'm asking here is for upgrading the current network; it is not what the actual current network setup is.
The current setup is a simple layer 2 switch environment for all clients on default VLANs; I didn't even switch them to VLAN 959, and they work just fine to connect to the PPPoE server.
All that I was posting here was happening in a test environment with totally different physical devices, for testing purposes only, away from the actual network devices, so as soon as it works I will transfer the setup to the actual network.

This is the current actual setup:
Note that the clients are over 100, but for demonstration and simplicity I use 9 only.
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Fri Aug 10, 2018 3:25 pm

OK, so we're getting somewhere. The purpose of ID-based VLANs is to isolate several L2 address spaces using the same physical infrastructure from each other, but all the PPPoE clients and their PPPoE server must all share the same L2 address space. So in the current configuration, all the PPPoE clients must be connected to VLAN 959 directly, or some of the elements would have to translate between VLAN ID 959 on one side and some other VLAN ID on the other side. But you cannot use any kind of VLAN translation to make all the PCs see the PPPoE server but not see each other.

As most Windows network card drivers do not understand the idea of VLAN tagging, you also cannot let the PPPoE clients on Windows use one VLAN ID and attach some other IP address to another VLAN ID on the same Ethernet interface of the PC, allowing the internal communication between the PCs to use that other VLAN ID (or more VLAN IDs if you would like to set some restrictions on which PCs can talk to which other ones).

So one possibility would be to set the Mikrotik to run one PPPoE server in each of the 10 VLANs, let the PCs from that VLAN connect to that Mikrotik using PPPoE, and let the Mikrotik use its local PPPoE clients to connect to the ISP's server in the name of each of the PCs. Another possibility could be to let only the PPPoE frames leak between the VLANs using some kind of bridge filters, but it is only a theoretical idea I haven't thought through thoroughly.

So please provide the description regarding the application layer purpose of partitioning your network for which you wanted to use the VLANs so that we could find an optimal method of achieving that goal.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Fri Aug 10, 2018 11:00 pm

Hi Sindy!!
Please consider this setup that works perfectly; it uses physical interfaces, so it is limited to the number of ports on the router.
My requirement is a duplicate setup that uses VLANs instead of physical interfaces.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 horizon=1 interface=ether1
add bridge=bridge1 horizon=2 interface=ether2
add bridge=bridge1 horizon=3 interface=ether3
add bridge=bridge1 horizon=3 interface=ether4
add bridge=bridge1 horizon=3 interface=ether5
add bridge=bridge1 horizon=3 interface=ether6
add bridge=bridge1 horizon=3 interface=ether7
add bridge=bridge1 horizon=3 interface=ether8
add bridge=bridge1 horizon=3 interface=ether9
/ip address
add address=172.19.59.250/24 interface=ether1 network=172.19.59.0
add address=10.10.20.1/24 interface=ether2 network=10.10.20.0
add address=10.10.30.1/24 interface=ether3 network=10.10.30.0
add address=10.10.40.1/24 interface=ether4 network=10.10.40.0
add address=10.10.50.1/24 interface=ether5 network=10.10.50.0
add address=10.10.60.1/24 interface=ether6 network=10.10.60.0
add address=10.10.70.1/24 interface=ether7 network=10.10.70.0
add address=10.10.80.1/24 interface=ether8 network=10.10.80.0
add address=10.10.90.1/24 interface=ether9 network=10.10.90.0
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=172.19.59.254
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Fri Aug 10, 2018 11:15 pm

That's nice, as it confirms what I expected - the PPPoE clients are all in the same VLAN as the PPPoE server. But this setup would work even without the IP addresses. So the question is what the role of the IP addresses you've assigned to interfaces is, given that the PCs get their IP addresses from the PPPoE server. Leaving aside that IP addresses assigned to interfaces which are member ports of bridges do not work, or rather half-work.
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Fri Aug 10, 2018 11:48 pm

The IP addresses are needed in order to communicate via layer 3 between these networks; ether1 (WAN) horizon is 1, ether2 horizon is 2, the others are 3; ether2 is for the admin for now so he can access all networks.
The PPPoE IPs are received from the ISP PPPoE server and they do not concern me; all I want is to clear the way between the client and the ISP PPPoE server.
 
sindy
Forum Guru
Posts: 11326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Dealing with VLANs on cisco switch.

Sat Aug 11, 2018 12:51 pm

> The IP addresses are needed in order to communicate via layer 3 between these networks; ether1 (WAN) horizon is 1, ether2 horizon is 2, the others are 3; ether2 is for the admin for now so he can access all networks.
> The PPPoE IPs are received from the ISP PPPoE server and they do not concern me; all I want is to clear the way between the client and the ISP PPPoE server.

So the goal is to maintain communication between the PCs at L3 on the subnet addresses and additionally isolate these subnets at L2 using VLANs, but at the same time preserve the visibility between all the PPPoE clients and the PPPoE server, which would mean using another VLAN ID for the PPPoE traffic than for the L3 one, while the PCs send both the frames carrying L3 packets and the frames carrying PPPoE untagged.

I could imagine how to do this at the switch ports to which the PCs are connected, where the ingress frames could be tagged to the correct VLAN depending on their ethertype, i.e. frames with one of the PPPoE ethertypes would be tagged with VLAN 959 and frames with IP ethertype would be tagged with e.g. VLAN 10. On egress, frames with either VID would be untagged. This would of course require that such L2 translation capability be supported by the switch.

The same could still be achieved at the ports of the central Cisco if each satellite Cisco served only one VLAN, as the translation rules could be individual for each port.

But I have no idea how to achieve this at the central element where several VLANs already come in through the same port. In the PC->ISP direction, you could still remove or rewrite the VLAN tag for PPPoE packets using /interface ethernet switch rules if your Mikrotik model has a switch chip which supports them; but in the ISP->PC direction, no information is available which would allow choosing the correct VID so that the central Cisco switch could forward the frame to the correct satellite Cisco. At L2, there is no equivalent of L3 connection tracking which would allow dynamically creating a mapping context between the MAC address and the VID.

So the only solution I can imagine is the one described earlier, to cut each PPPoE session into two, one between the PC and the Mikrotik and another one between the Mikrotik and the ISP's PPPoE server, but in this case the Mikrotik would have to "know" all the PPPoE usernames and passwords.
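The ethertype-based ingress tagging described above, as an added Python sketch that is not from the thread or any vendor: PPPoE discovery/session frames are assigned VLAN 959, IP/ARP frames a per-port data VLAN (10 is assumed here), and egress strips the tag again. The sample frames are constructed, not captured.

```python
import struct

# Ethertypes (IEEE registered values)
ETH_P_8021Q = 0x8100       # 802.1Q VLAN tag
ETH_P_PPPOE_DISC = 0x8863  # PPPoE discovery (PADI/PADO/PADR/PADS/PADT)
ETH_P_PPPOE_SESS = 0x8864  # PPPoE session (PPP frames)
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806

PPPOE_VID = 959  # the ISP's PPPoE VLAN from the thread
DATA_VID = 10    # assumed: the per-port VLAN for plain IP traffic on this access port


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vid-or-None, ethertype, payload)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype == ETH_P_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, etype, frame[14:]


def ingress_vid(frame, data_vid=DATA_VID):
    """VID an untagged access-port frame is assigned by ethertype; None means drop."""
    _, _, vid, etype, _ = parse_frame(frame)
    if vid is not None:          # the PCs are expected to send untagged frames only
        return None
    if etype in (ETH_P_PPPOE_DISC, ETH_P_PPPOE_SESS):
        return PPPOE_VID
    if etype in (ETH_P_IP, ETH_P_ARP):
        return data_vid
    return None


def tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the MAC header (ingress towards the trunk)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, etype) + frame[14:]


def untag(frame):
    """Strip the 802.1Q tag (egress towards the PC); untagged frames pass through."""
    dst, src, vid, etype, payload = parse_frame(frame)
    if vid is None:
        return frame
    return dst + src + struct.pack("!H", etype) + payload


# Constructed sample frames (not captured traffic)
PC_MAC = bytes.fromhex("020000000001")
BCAST = b"\xff" * 6
# PPPoE PADI: ver/type 0x11, code 0x09, session 0, payload length 0
PADI = BCAST + PC_MAC + struct.pack("!H", ETH_P_PPPOE_DISC) + bytes([0x11, 0x09, 0, 0, 0, 0])
# Minimal IPv4 frame; the header bytes are filler, only the ethertype matters here
IPV4 = bytes.fromhex("020000000002") + PC_MAC + struct.pack("!H", ETH_P_IP) + b"\x45" + b"\x00" * 19
```

Running `ingress_vid` over PADI and IPV4 yields 959 and 10 respectively, which is exactly the per-port split the post describes; the ISP->PC direction has no such rule, since a frame arriving in VLAN 959 carries nothing that names the data VLAN it should return to.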
 
digitalinee
newbie
Topic Author
Posts: 46
Joined: Fri Jul 06, 2018 1:08 pm

Re: Dealing with VLANs on cisco switch.

Mon Aug 13, 2018 12:20 am

It is so bad for this setup to be possible with physical interfaces only. This way I must deal with multiple routers down the way, while with VLANs I only need a single central one.
Thank you sindy for keeping up with me, I really appreciate all your efforts, I really do and I mean it, thank you again.