millenium7
Long time Member
Topic Author
Posts: 589
Joined: Wed Mar 16, 2016 6:12 am

CRS1xx/2xx suuuuuuuuuuuuucks. Help with configuring VLANs?

Thu Dec 12, 2019 6:21 am

Urgh, I absolutely HATE the 'switch' menu, it's the worst piece of crap configuration I've ever seen. The most basic things like VLANs go from being simple to overwhelmingly complicated. I'm glad this garbage was scrapped in favor of bridges, however CRS1xx/2xx still don't work properly with bridges! No hardware offloading!

With that rant over, can someone help me set up a very simple tagged and untagged setup on a CRS125?
I need ports 1-18 to be 'customer' ports, all untagged on VLAN31
ports 19-22 are untagged on VLAN32
and ports 23,24 should be trunk ports

Surely this isn't that hard. But I've been reading over the examples and not getting anywhere, I just lose client connectivity entirely on that port.
Can someone post some config specifically to set this up so I know it's correct, rather than reading various examples on the wiki not knowing for sure if it's done right or not?
 
sid5632
Long time Member
Posts: 560
Joined: Fri Feb 17, 2017 6:05 pm

Re: CRS1xx/2xx suuuuuuuuuuuuucks. Help with configuring VLANs?

Thu Dec 12, 2019 11:24 am

This is what I ended up with when I knew a lot less about the 125 and RouterOS in general:
/interface bridge add name=bridge

/interface bridge port add bridge=bridge interface=ether1
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5
/interface bridge port add bridge=bridge interface=ether6
/interface bridge port add bridge=bridge interface=ether7
/interface bridge port add bridge=bridge interface=ether8
/interface bridge port add bridge=bridge interface=ether9
/interface bridge port add bridge=bridge interface=ether10
/interface bridge port add bridge=bridge interface=ether11
/interface bridge port add bridge=bridge interface=ether12
/interface bridge port add bridge=bridge interface=ether13
/interface bridge port add bridge=bridge interface=ether14
/interface bridge port add bridge=bridge interface=ether15
/interface bridge port add bridge=bridge interface=ether16
/interface bridge port add bridge=bridge interface=ether17
/interface bridge port add bridge=bridge interface=ether18
/interface bridge port add bridge=bridge interface=ether19
/interface bridge port add bridge=bridge interface=ether20
/interface bridge port add bridge=bridge interface=ether21
/interface bridge port add bridge=bridge interface=ether22
/interface bridge port add bridge=bridge interface=ether23
/interface bridge port add bridge=bridge interface=ether24

/interface ethernet switch egress-vlan-tag add tagged-ports=ether23,ether24,switch1-cpu vlan-id=31
/interface ethernet switch egress-vlan-tag add tagged-ports=ether23,ether24,switch1-cpu vlan-id=32

/interface ethernet switch ingress-vlan-translation add customer-vid=0 new-customer-vid=31 \
 ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18
/interface ethernet switch ingress-vlan-translation add customer-vid=0 new-customer-vid=32 \
 ports=ether19,ether20,ether21,ether22

/interface ethernet switch vlan add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether23,ether24,switch1-cpu vlan-id=31
/interface ethernet switch vlan add ports=ether19,ether20,ether21,ether22,ether23,ether24,switch1-cpu vlan-id=32

/interface ethernet switch set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether23,ether24 forward-unknown-vlan=no unknown-vlan-lookup-mode=ivl

You should of course leave yourself a management port free somewhere as well until you've established exactly how you are going to manage the device. Otherwise you risk cutting yourself off while setting things up.
 
pcunite
Forum Guru
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: CRS1xx/2xx suuuuuuuuuuuuucks. Help with configuring VLANs?

Thu Dec 12, 2019 3:20 pm

Until the CRS3xx style of switches has a valid offering across the full MikroTik product range, we still have to work with these older systems. I don't have time to create an exact configuration for you right now; however, here is how to do it. I probably set up my management network differently from yours.

###############################################################################
# Firmware 6.44.6 (Long-term)
#
# Notes: Start with a reset (/system reset-configuration)
#
# Based on: https://forum.mikrotik.com/viewtopic.php?t=143620
###############################################################################


#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="CRS1xx_Switch"


#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN


#######################################
# Bridge
#######################################

# create one bridge
/interface bridge add name=BR1 protocol-mode=none

# add "all" ports to this one bridge
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
# and so on until you get to 24 ...


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior, egress dynamically handled
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=30 ports=ether4


#######################################
#
# -- Trunk Ports --
#
#######################################

# Trunk Ports. L2 switching only, Bridge (aka switch1-cpu) not needed as tagged member (except for BASE_VLAN)
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=10
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1 vlan-id=30
add tagged-ports=switch1-cpu,ether1 vlan-id=99


#######################################
# VLAN Security
#######################################

# Set which VLANs apply to which ports
/interface ethernet switch vlan
add ports=ether1,ether2 vlan-id=10
add ports=ether1,ether3 vlan-id=20
add ports=ether1,ether4 vlan-id=30
add ports=switch1-cpu,ether1 vlan-id=99

# drop traffic that does not follow the above port layout
/interface ethernet switch set forward-unknown-vlan=no


#######################################
# IP Addressing & Routing
#######################################

# LAN facing Switch's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.2/24 interface=BASE_VLAN network=192.168.0.0

# The Router's IP this switch will use
/ip route add distance=1 gateway=192.168.0.1


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


 
millenium7
Long time Member
Topic Author
Posts: 589
Joined: Wed Mar 16, 2016 6:12 am

Re: CRS1xx/2xx suuuuuuuuuuuuucks. Help with configuring VLANs?

Thu Dec 19, 2019 6:08 am

I had it configured similarly in the first place and it wasn't working. Turns out you need to disable 'vlan filtering' on the bridge, otherwise no traffic passes through when you set the switch VLAN rules, it just stops entirely. I figured it would still work, just not have hardware offload until it was turned off.
 
Eldowin
just joined
Posts: 22
Joined: Sat Dec 28, 2019 6:17 pm

Re: CRS1xx/2xx suuuuuuuuuuuuucks. Help with configuring VLANs?

Sun Dec 29, 2019 4:53 pm

Hi,

Sadly my post wasn't approved so far, hopefully someone can help me here since I'm facing a similar problem.
After creating several VLANs, only one is reachable via IP. Is this an issue because I didn't configure "ingress-vlan-translation" for VLANs 2 and 255? My router should only forward tagged traffic for these VLANs.

I configured the following 3 VLANs on my CRS210 router:
VLAN 1: 192.168.1.1 /24 (Mgmt VLAN)
VLAN 2: 192.168.2.1 /24 (User VLAN only)
VLAN 255: 192.168.255.0 /31 (Internet Breakout to my Firewall)

So far, only VLAN 1 is reachable via IP. My PC is connected like this:
-- ISP Modem on WAN Interface of pfSense FW
---- pfSense FW LAN interface on ether8 of CRS210
------ CRS210 Router ether 8 on FW, sfp2 on SwOS Switch
-------- SwOS Switch sfp3 = Uplink to CRS210 on sfp2, sfp1 = My PC
---------- My PC (Untagged in VLAN 1 able to reach VLAN 1 IP of Router, Untagged VLAN 2 not able to reach VLAN 2 IP of Router)

My RouterOS Config:
# Create Bridge
/interface bridge
add name=bridge

# Add all interfaces to Bridge
/interface bridge port
add bridge=bridge interface=ether1 hw=yes
add bridge=bridge interface=ether2 hw=yes
add bridge=bridge interface=ether3 hw=yes
add bridge=bridge interface=ether4 hw=yes
add bridge=bridge interface=ether5 hw=yes
add bridge=bridge interface=ether6 hw=yes
add bridge=bridge interface=ether7 hw=yes
add bridge=bridge interface=ether8 hw=yes
add bridge=bridge interface=sfp-sfpplus1 hw=yes
add bridge=bridge interface=sfpplus2 hw=yes

# Configure Access Ports on same switch
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=1 ports=ether1,ether2,ether3,ether4,ether5

# Configure Trunk Ports on same Switch
# Add switch1-cpu to Mgmt VLAN
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfpplus2,switch1-cpu vlan-id=1
add tagged-ports=sfpplus2 vlan-id=2
add tagged-ports=ether8 vlan-id=255

# Assign Ports to VLANs
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,sfpplus2,switch1-cpu vlan-id=1
add ports=sfpplus2 vlan-id=2
add ports=ether8 vlan-id=255

# Create Interface VLAN
/interface vlan
add interface=bridge vlan-id=1 name=Management
add interface=bridge vlan-id=2 name=User
add interface=bridge vlan-id=255 name=Internet

# Add IP to Interface VLAN
/ip address
add address=192.168.1.1/24 interface=Management
add address=192.168.2.1/24 interface=User
add address=192.168.255.1/31 interface=Internet

# Block traffic outside of these VLANs
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfpplus2 forward-unknown-vlan=no unknown-vlan-lookup-mode=ivl

My SwitchOS Config: [two screenshots in the original post, not reproduced here]

Also set my PC (PC-P) to untagged VLAN 2, was not able to reach VLAN 2 IP of my CRS210.
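
A consistency check for the three switch-menu tables used throughout this thread, as an added example that is not part of any post and not MikroTik's own tooling. It parses an exported configuration and reports ports that are translated or tagged for a VLAN but absent from the switch vlan table, VLANs that have an /interface vlan but no tagged switch1-cpu membership (the pattern the configurations above use for the VLANs the CPU terminates), and a missing forward-unknown-vlan=no. The function names and the sample are assumptions made for the example, and the check assumes every /interface vlan sits on the bridge.

```python
from collections import defaultdict

SWITCH, CPU = "/interface ethernet switch ", "switch1-cpu"
TABLES = ("ingress-vlan-translation", "egress-vlan-tag", "vlan")

def parse(config):
    """Return ({table: {vid: ports}}, set of VLAN ids with an /interface vlan)."""
    tables = {name: defaultdict(set) for name in TABLES}
    cpu_vlans, menu = set(), ""
    for line in config.replace("\\\n", " ").splitlines():  # join "\" continuations
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].startswith("/"):  # menu path, optionally with an inline command
            cut = next((i for i, w in enumerate(words) if w in ("add", "set")), len(words))
            menu, words = " ".join(words[:cut]), words[cut:]
        if not words or words[0] != "add":
            continue
        kv = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        if menu == "/interface vlan":
            cpu_vlans.add(int(kv["vlan-id"]))
        elif menu.startswith(SWITCH) and menu[len(SWITCH):] in TABLES:
            vid = int(kv.get("new-customer-vid") or kv["vlan-id"])
            ports = kv.get("tagged-ports") or kv["ports"]
            tables[menu[len(SWITCH):]][vid].update(ports.split(","))
    return tables, cpu_vlans

def audit(config):
    """List mismatches between the switch tables and the CPU-terminated VLANs."""
    tables, cpu_vlans = parse(config)
    access, tagged, members = (tables[name] for name in TABLES)
    findings = [f"VLAN {v}: {p} missing from the switch vlan table"
                for v in sorted(set(access) | set(tagged))
                for p in sorted((access[v] | tagged[v]) - members[v])]
    findings += [f"VLAN {v}: {CPU} is not a tagged member" for v in sorted(cpu_vlans)
                 if CPU not in members[v] or CPU not in tagged[v]]
    if "forward-unknown-vlan=no" not in config:
        findings.append("forward-unknown-vlan=no is not set")
    return findings

# Constructed sample, not taken from any post in the thread.
SAMPLE = """\
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2,ether3
/interface ethernet switch egress-vlan-tag add tagged-ports=ether1 vlan-id=10
/interface ethernet switch vlan add ports=ether1,ether2 vlan-id=10
/interface vlan add interface=BR1 name=USER vlan-id=10
"""
print("\n".join(audit(SAMPLE)))
```

Feed `audit()` the text of an export from the switch; an empty list means the three tables agree with each other and with the VLAN interfaces.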