Community discussions

MikroTik App
  4. RouterOS
  5. General

CRS125 and VLAN on 1Gbps internet.. many questions

Post Reply
 
domon
just joined
Topic Author
Posts: 20
Joined: Sat Dec 03, 2016 4:20 pm

CRS125 and VLAN on 1Gbps internet.. many questions

Sun Jul 12, 2020 10:05 pm

I have a CRS125 and hapac and am having trouble wrapping my head around VLANing on the CRS125. Several years ago I was able to get a config working that had 10 VLANs and using the CRS125 as a router and a switch, with a hapac connected to a trunk port on the CRS125 with a separate wireless config for each VLAN. On the CRS I used /ip firewall filter to permit some cross VLAN traffic. It worked really well with getting close to 1000Mbs on wired connections internally and the internet connection was 100mbit down, it was possible to max that out. There were around 60 or 70 total devices on the network and all was good.

Here are the VLAN parts of the config that worked very well up until 6.42.1:
Code: Select all
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether24-trunk

/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether2,ether3,ether24-trunk" 

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24-trunk,switch1-cpu vlan-id=10
add tagged-ports=ether24-trunk,switch1-cpu vlan-id=20

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2,switch1-cpu
add customer-vid=0 new-customer-vid=20 ports=ether3,switch1-cpu

/interface ethernet switch vlan
add ports=ether2,ether24-trunk,switch1-cpu vlan-id=10
add ports=ether3,ether24-trunk,switch1-cpu vlan-id=20
Except all hell broke loose when I upgraded to 6.42.1:

6.43.2 - bad (horribly slow LAN, barely works to ssh to CRS)
6.42.9 - bad (horribly slow LAN, barely works to ssh to CRS)
6.42.1 - bad (horribly slow LAN, barely works to ssh to CRS)
6.41.4 - good
6.41.3 - good

I stopped trying after 6.43.2 because it was the latest version at the time and shelved the upgrade. Everything kept working just fine but now it is being repurposed somewhere else and are now reusing the CRS with a 1Gbps connection. Since it has been so long, I decided to upgrade to 6.47.1 and start fresh. Some things have changed since then, and the usual tutorials do not seem to work on the new version. Consensus also seems to be "switch is not a router" and that the CRS125 is not suited for what I'm trying to do... except it worked great previously with the 100Mbit connection.

* Is the CRS125 suitable for 1000Mbit internet acting as a switch and a router?

* Should I use the hapac as the router with the CRS125 as switch? Does the CRS handle ALL of the internal traffic, and then when it comes time to reach the internet, it goes through the hapac? What would that config even look like? There is a post showing an example config router config, and then corresponding switch config. Why does the router config even have VLANs configured if the switch is handling the internal traffic? In that scenario, does the switch or router do the VLAN to VLAN firewalling? If adding extra hapacs for wifi, would they hang off a trunk port on the hapac router, or the CRS?

* Should I get a CRS3xx to do many port based VLANs with 1000mbit internet just like before, and then hang a hapac off a trunk port for wifi?

* What is the "correct" way to do VLANs now on 6.47.1 on the CRS125?
Top
 
mada3k
Forum Veteran
Forum Veteran
Posts: 751
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Mon Jul 13, 2020 10:18 am

Verify that the traffic really is hardware switched (and not software bridged)... Look under /bridge ports and verify that all ports is "H".

But generally: No, CRS125 is not designed to handle 1Gbps of Firewall/NAT.
Top
 
faxxe
newbie
Posts: 40
Joined: Wed Dec 12, 2018 1:46 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Mon Jul 13, 2020 11:02 am

I had a CRS125 on a 250/50 internet line and the CRS125 was not able to fully utilize this line in the download.
Max capacity was about 180-190 MBit with short spikes to 230. Finally i replaced it by a "real" router from MT

-faxxe
Top
 
domon
just joined
Topic Author
Posts: 20
Joined: Sat Dec 03, 2016 4:20 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Mon Jul 13, 2020 2:57 pm

Thanks for the replies. Having it work so well with 100mbit and a bunch of fw rules did not make sense to see comments to not use CRS125 as the router.
Top
 
sid5632
Long time Member
Long time Member
Posts: 561
Joined: Fri Feb 17, 2017 6:05 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Mon Jul 13, 2020 5:08 pm

Code: Select all
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2,switch1-cpu
add customer-vid=0 new-customer-vid=20 ports=ether3,switch1-cpu
It all looks OK. The only thing I would change is this:
Code: Select all
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
seeing as the switch1-cpu link is supposed to be tagged and the intent of having both of those is unclear.
Code: Select all
* Is the CRS125 suitable for 1000Mbit internet acting as a switch and a router?
It certainly won't route that much. It will switch that easily.
* What is the "correct" way to do VLANs now on 6.47.1 on the CRS125?
The same way as before, using the switch chip.
You should of course post the whole configuration, not just selected bits of it.
Top
 
domon
just joined
Topic Author
Posts: 20
Joined: Sat Dec 03, 2016 4:20 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Tue Jul 14, 2020 3:00 am

I did some basic tests using pcunite's as a base and the comments above and it seems to be good.

In summary, splitting the CRS125 as router + switch into 2 devices results in:

Router:
DNS
DHCP
VLAN
Firewalling between VLANs

Switch:
Static ARP entries
VLAN
Top
 
domon
just joined
Topic Author
Posts: 20
Joined: Sat Dec 03, 2016 4:20 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Wed Jul 15, 2020 5:27 am

Per the message above, the CRS125 is working as the switch, and hapac working as the router. Except I can't quite figure out why the setup is working as it is so wildly different than the CRS125 examples at https://wiki.mikrotik.com/wiki/Manual:C ... s_ports.29

CRS125 has a trunk port that connects to the hapac, and a bunch of access ports. hapac has 3 trunk ports, a wan and management port. Both are running 6.47.1

DHCP server is setup on router, firewall rules are there, and all works as expected. Except the CRS125 config does not match at all what is on the wiki.

What are the drawbacks to this setup if any? The goal is VLANing to fully segment the hosts connected to the access ports in the most secure way possible.

CRS /interface export:
Code: Select all
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
add admin-mac=11:11:11:11:11:11 auto-mac=no comment=defconf name=bridge

/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=11
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=11
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether24 pvid=99
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1

/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=ether2,ether3,ether4,ether5,ether6 vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=ether7,ether8 vlan-ids=11
add bridge=BR1 tagged=ether1 untagged=ether24 vlan-ids=99

router (hapac) /interface export
Code: Select all
# model = RouterBOARD 962UiGS-5HacT2HnT

/interface bridge
add admin-mac=22:22:22:22:22:22 auto-mac=no comment=defconf name=bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11 vlan-id=11
add interface=bridge1 name=vlan99 vlan-id=99

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp1

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3,ether4,ether5,sfp1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether3,ether4,ether5,sfp1 vlan-ids=11
add bridge=bridge1 tagged=bridge1,ether3,ether4,ether5,sfp1 vlan-ids=99

/interface ethernet switch vlan
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=11
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=99

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=10.150.10.1/24 interface=vlan10 network=10.150.10.0
add address=10.150.11.1/24 interface=vlan11 network=10.150.11.0
add address=10.150.0.1/24 interface=vlan99 network=10.150.0.0

/ip dhcp-client
add comment=defconf disabled=no interface=ether1
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13170
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Wed Jul 15, 2020 1:24 pm

Both setups are flawed. CRS setup is using (slow) CPU bridge to deal with all packets and performance-wise VLANs should be configured in /interface ethernet switch configuration subtree.

hAP ac setup is flawed in sense that some things are configured on CPU bridge and some are on switch chip. All of it should be configured in one configuration subtree only. Since hAP ac has a decent switch chip built in it would be best to go with switch chip setup as well ...

More or less follow the VLAN switching manual, but do observe differences which come due to different switch chip used in both of your devices.

BTW, on hAP ac you have same address defined both on bridge interface and ether2 ... since ether2 is bridge port, this is a conflict per-se. If you're using ether2 only for management, you could remove ether2 from bridge and configure IP on ether2 directly.
Top
 
domon
just joined
Topic Author
Posts: 20
Joined: Sat Dec 03, 2016 4:20 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Wed Jul 15, 2020 3:26 pm

Both setups are flawed. CRS setup is using (slow) CPU bridge to deal with all packets and performance-wise VLANs should be configured in /interface ethernet switch configuration subtree.

hAP ac setup is flawed in sense that some things are configured on CPU bridge and some are on switch chip. All of it should be configured in one configuration subtree only. Since hAP ac has a decent switch chip built in it would be best to go with switch chip setup as well ...

More or less follow the VLAN switching manual, but do observe differences which come due to different switch chip used in both of your devices.

BTW, on hAP ac you have same address defined both on bridge interface and ether2 ... since ether2 is bridge port, this is a conflict per-se. If you're using ether2 only for management, you could remove ether2 from bridge and configure IP on ether2 directly.
I have made the changes exactly using the CRS125 examples in on the basic VLAN switching page, have not made any changes to the hapac config, and devices on the CRS can no longer pull an IP via DHCP or access the internet, etc. I'm afraid to mess with the hapac since it was working with the config yesterday w/ CRS (albeit broken per your message) because I didn't want to change too much at once.
Code: Select all
/interface vlan
add interface=BR1 name=MGMT vlan-id=99

/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether6,ether7,ether8,ether24"

/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
add bridge=BR1 interface=ether6
add bridge=BR1 interface=ether7
add bridge=BR1 interface=ether8
add bridge=BR1 interface=ether24
add bridge=BR1 interface=ether1

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=10
add tagged-ports=ether1 vlan-id=11
add tagged-ports=ether1,switch1-cpu vlan-id=99

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=10 ports=ether3
add customer-vid=0 new-customer-vid=10 ports=ether4
add customer-vid=0 new-customer-vid=10 ports=ether5
add customer-vid=0 new-customer-vid=10 ports=ether6
add customer-vid=0 new-customer-vid=11 ports=ether7
add customer-vid=0 new-customer-vid=11 ports=ether8
add customer-vid=0 new-customer-vid=99 ports=ether24

/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6 vlan-id=10
add ports=ether1,ether7,ether8 vlan-id=11
add ports=ether1,ether24,switch1-cpu vlan-id=99
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13170
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Wed Jul 15, 2020 4:09 pm

The config seems fine to me (but I don't have any CRS1xx to verify it exactly).

How about posting complete CRS config (as printed by /export)? Could be some other setting which breaks things ...
Top
 
domon
just joined
Topic Author
Posts: 20
Joined: Sat Dec 03, 2016 4:20 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Wed Jul 15, 2020 6:27 pm

The config seems fine to me (but I don't have any CRS1xx to verify it exactly).

How about posting complete CRS config (as printed by /export)? Could be some other setting which breaks things ...
Just as I was doing the complete export I caught the culprit:

/interface bridge vlan-filtering=yes

Changed it to
/interface bridge vlan-filtering=no

And it works as expected!

On to the hapac changes.
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13170
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Wed Jul 15, 2020 8:04 pm

Just as I was doing the complete export I caught the culprit:

Good :-)
Top
 
domon
just joined
Topic Author
Posts: 20
Joined: Sat Dec 03, 2016 4:20 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Wed Jul 15, 2020 11:09 pm

Had second to try on the hapac. I tried the config almost exactly from the Basic VLAN switching guide, and it locks me out as soon as this is set, and the hapac router does not serve up IPs to the CRS attached via trunk port (ether4 or ether5).

locks out after this:
/interface ethernet switch port
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure

ether2 is the "fail safe" default interface kept for the ssh console, and I'm using safe mode to apply the config. The one above is the only setting that locks it out.

Here is the export:
Code: Select all
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add admin-mac=22:22:22:22:22:22 auto-mac=no comment=defconf name=bridge
add name=bridge1 protocol-mode=none

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11 vlan-id=11
add interface=bridge1 name=vlan99 vlan-id=99

/interface ethernet switch port
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=wan
add name=vlan
add name=base

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vlan10_pool ranges=10.150.10.200-10.0.10.250
add name=vlan11_pool ranges=10.150.11.200-10.0.11.250
add name=vlan99_pool ranges=10.150.99.200-10.0.99.250

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=vlan10_pool disabled=no interface=vlan10 name=vlan10_dhcp
add address-pool=vlan11_pool disabled=no interface=vlan11 name=vlan11_dhcp
add address-pool=vlan99_pool disabled=no interface=vlan99 name=vlan99_dhcp

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1

/interface ethernet switch vlan
add independent-learning=yes ports=ether4,ether5 switch=switch1 vlan-id=10
add independent-learning=yes ports=ether4,ether5 switch=switch1 vlan-id=11
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=99

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.150.10.1/24 interface=vlan10 network=10.150.10.0
add address=10.150.11.1/24 interface=vlan11 network=10.150.11.0
add address=10.150.99.1/24 interface=vlan99 network=10.150.99.0

/ip dhcp-client
add comment=defconf disabled=no interface=ether1

/ip dhcp-server network
add address=10.150.10.0/24 dns-server=10.150.10.1 gateway=10.150.10.1
add address=10.150.11.0/24 dns-server=10.150.11.1 gateway=10.150.11.1
add address=10.150.99.0/24 dns-server=10.150.99.1 gateway=10.150.99.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,9.9.9.9

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes

/ip ssh
set strong-crypto=yes

/system logging
add topics=dhcp
add topics=firewall
add topics=debug,bridge,packet

/system ntp client
set server-dns-names=0.pool.net.org

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=none

/tool mac-server ping
set enabled=no
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13170
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS125 and VLAN on 1Gbps internet.. many questions

Thu Jul 16, 2020 8:26 am

Which ethernet interface are you using to do the management (and locks you out when you execute the offending setting)?

OTOH, if hAP ac needs to route between all VLANs, switch1-cpu interface has to be member of all VLANs (10 and 11 in addition to 99).

Setting vlan-header is for egress behaviour and I usually set vlan-header=leave-as-is on trunk ports. According to manual setting vlan-header=add-if-missing adds VLAN header on egress but needs default-vlan-id to be set to something sensible (default is 1 which doesn't make sense in your case). Manual says it's intended for trunk ports, I don't see logic in it (but it might be my misunderstanding).
Top
Post Reply
  4. RouterOS
  5. General