Farseer

Help with VLAN Trunk

Sun Aug 30, 2020 6:01 pm

Hi,

I have a site where I have a Mikrotik router with 2 UniFi AP's connected on Ether4/5 of the LAN Ports. These 2 AP's would broadcast 2 SSID's, with the guest one being on VLAN 3777. Things were ok, but I have recently added some hardware like an 8-Port Gigabit PoE Switch and an additional AP. So now in the new set up, I have the Router and Ether 4 is going to the new switch, where the 3 access points are connected along with a CloudKey device.

I am trying to create a VLAN trunk on Ether4 that would handle traffic for both untagged packets (the default) and the guest packets on VLAN3777, but what is happening is that no device can get an IP from the DHCP for the guest pool of IP's. I have tried multiple devices, it is the same everywhere. Even setting a static IP on a device in the guest vlan range (192.168.44.0/24), you cannot even ping the router on 192.168.44.1. I have tried following some guides to set it up, but it does not work, so I have reset it back to the previous config, I figure it would be easier from there.

Here is my config:
# aug/30/2020 XXXXXX by RouterOS 6.47.2
# software id = PT13-4U0W
#
# model = 951G-2HnD
# serial number = REDACTED
#
# Reviewer notes (added on the page, not part of the original export): this is
# the pre-switch config the author reverted to. Comments flag the points that
# matter for the VLAN question and for what the PPPoE WAN side can reach.
/interface bridge
# single bridge, no vlan-filtering set: it forwards tagged and untagged frames alike
add admin-mac=B8:69:F4:29:A7:8C auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=no_country_set distance=indoors frequency=auto \
    frequency-mode=manual-txpower mode=ap-bridge ssid=REDACTED \
    station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=REDACTED
/interface vlan
# vlan3777 is a child of the bridge, so tagged 3777 frames entering any bridge
# port (ether4 included) reach it without further bridge configuration
add interface=bridge name=vlan3777 vlan-id=3777
/interface ethernet switch port
# NOTE(review): "4" here is a switch-port index, not the name ether4; on these
# boards the index list starts at 0 with ether1, so 4 would be ether5 — verify
# with `/interface ethernet switch port print` before relying on this line
set 4 default-vlan-id=0 vlan-mode=fallback
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
# NOTE(review): no mode/authentication-types appear on the default profile; an
# export omits values left at their defaults, so confirm wlan1 is not running
# an open (mode=none) profile
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=GuestDHCP_pool ranges=192.168.44.2-192.168.44.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# guest leases are handed out on the vlan3777 interface, i.e. only to clients
# whose frames arrive tagged 3777
add address-pool=GuestDHCP_pool disabled=no interface=vlan3777 name=\
    Guest_DHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge list=LAN
# WAN list holds only ether1 (the PPPoE carrier); pppoe-out1 itself is not in it
add comment=defconf interface=ether1 list=WAN
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge list=discover
# pppoe-out1 is the WAN session, yet it is in the discover list used by
# neighbor discovery above, so router identity/version announcements go out
# the WAN side; keep discovery to LAN-facing interfaces
add interface=pppoe-out1 list=discover
add interface=ether2-master list=mactel
add interface=wlan1 list=mactel
add interface=ether2-master list=mac-winbox
add interface=wlan1 list=mac-winbox
/ip address
# NOTE(review): 192.168.1.1/24 is bound to ether2-master, which is itself a
# port of the bridge, while the defconf DHCP server listens on the bridge;
# the usual layout puts the address on the bridge interface — confirm intent
add address=192.168.1.1/24 comment=defconf interface=ether2-master network=\
    192.168.1.0
add address=192.168.44.1/24 interface=vlan3777 network=192.168.44.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
add address=192.168.44.0/24 dns-server=192.168.44.1 gateway=192.168.44.1 \
    netmask=24
/ip dns
# the router answers DNS for clients; the input chain below has no enabled
# drop for the WAN (the pppoe-out1 drop is disabled=yes), so this resolver is
# reachable from the internet unless something outside this export filters it
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan type=A
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# guest -> LAN isolation: vlan3777 clients cannot reach 192.168.1.0/24. This
# covers forwarded traffic only; the router's own services stay reachable from
# the guest VLAN because the input chain has no rule for that source
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.44.0/24
# both defconf forward drops are disabled=yes, so the forward chain ends in an
# implicit accept
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# input chain: ICMP and established/related are accepted, then the brute-force
# ladders; there is no final drop and the only WAN-wide drop (in-interface=
# pppoe-out1) is disabled=yes, so services left enabled under /ip service
# (www, api, winbox) are not blocked from the WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input disabled=yes in-interface=pppoe-out1
# ssh/telnet ladders: each new connection to 22/23 moves the source one stage
# (1m entries), the fourth within that window lands it on a 1w3d blacklist.
# ssh and telnet are disabled under /ip service, so these only shield closed
# ports here
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 \
    protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp
/ip firewall nat
# two masquerade rules: the defconf one keys on the WAN list (ether1 only in
# this export), the second covers pppoe-out1, which is not in that list
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip service
# only telnet/ftp/ssh are off; www, api and winbox stay enabled and, given the
# input chain above, are not blocked from the WAN
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=REDACTED
/system identity
set name=REDACTED
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 

Re: Help with VLAN Trunk

Mon Aug 31, 2020 3:54 pm

Then ether4 on the router is a trunk port passing all vlans....................... Since the switch now handles the vlan routing out its ports to the unifi APs etc, it will handle the difference between tagged and untagged frames not the router.

Also since you're doing it in switch port I cannot comment further, I do everything with the newer bridge vlan bridge port method.....
 
Farseer

Re: Help with VLAN Trunk

Mon Aug 31, 2020 8:20 pm

Then ether4 on the router is a trunk port passing all vlans....................... Since the switch now handles the vlan routing out its ports to the unifi APs etc, it will handle the difference between tagged and untagged frames not the router.

Also since you're doing it in switch port I cannot comment further, I do everything with the newer bridge vlan bridge port method.....
Hi Anav,

Thanks for the reply. So firstly, what is the new bridge vlan bridge port method? Secondly, my switch is a layer-2 switch, non-managed (about 80% sure on that), is that fine? And from the above scenario, is there any reason that any guest user connecting to the WiFi is not getting a dynamic IP in the 44 subnet? It seems not to issue a lease and not even allow a static IP device in that range to ping the router.

Any ideas?
 

Re: Help with VLAN Trunk

Tue Sep 01, 2020 4:08 am

Depends if the unmanaged switch passes on the vlan tags...... not all do.
I recommend you get a managed switch to ensure traffic as you want to control it.
 
Farseer

Re: Help with VLAN Trunk

Wed Sep 02, 2020 3:49 pm

Hi,

So as it turns out, the switch that I have is an L2 managed switch. I set it up on a static IP on my .1 range, and accessed it. I am now in a weird situation and I don't understand why the following is happening:

My DLink Switch config :
802.1Q VLAN mode enabled
Ports 1-3 and 5-8 set as Untagged Vlan1.
Port 4 set on tagged Vlan3777. All other ports set as "non-member".
Something called "asymmetrical VLAN" is enabled along with 802.1Q Vlan mode. I have tried also without this mode, but no luck.

What is happening :
My AP's are broadcasting 2 SSIDs, 1 for main and 1 for guest. it SHOULD BE that users connecting to main SSID get 192.168.1.0/24 IP's but instead they are getting 192.168.44.0/24 IP's from the router. Additionally, my 8port switch has become "isolated", it has a static IP on the .1 range along with the AP's and the CloudKey. I cannot access these devices from the router side or from the AP side. AP side = connecting to AP's, getting internet and an ip in .44 range and being able to access anything on the .1 range EXCEPT devices attached to 8 port switch. Router side = same thing except connecting to Mikrotik WLAN and getting an ip in .1 range and being able to access anything on the .44 range.

Any idea why this is happening? Here is another export of the current config. I have disabled all drop rules in the firewall for the moment.
# sep/02/2020 XXXXXX by RouterOS 6.47.2
# software id = MJZQ-96DK
#
# model = RB951G-2HnD
# serial number = REDACTED
#
# Reviewer notes (added on the page, not part of the original export): this is
# the interim config with the managed switch in place and, per the post, all
# firewall drop rules disabled. Comments flag where the guest VLAN plumbing
# does not line up and what that leaves exposed.
/interface bridge
# VlanBridge has no vlan-filtering=yes, so the /interface bridge vlan entry
# further down is not enforced by it
add name=VlanBridge
add admin-mac=C4:AD:34:E1:C5:D7 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="REDACTED" disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=REDACTED \
    station-roaming=enabled wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-full,1000M-half,1000M-full auto-negotiation=no \
    name=ether1-WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-OFFICESW
set [ find default-name=ether3 ] name=ether3-POESW
set [ find default-name=ether4 ] name=ether4-SW
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN name=pppoe-out1 \
    use-peer-dns=yes user=REDACTED
/interface vlan
# vlan3777 now hangs off VlanBridge; whether tagged guest frames ever reach
# it depends on which physical port is a member of VlanBridge (see the
# bridge port section). No address or DHCP server is bound to this interface
add interface=VlanBridge name=vlan3777 vlan-id=3777
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# WPA1-PSK (wpa-psk) is offered alongside WPA2-PSK; removing wpa-psk leaves
# WPA2 only, unless a legacy client still needs it
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.254
add name=GuestDHCP_pool ranges=192.168.44.2-192.168.44.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# guest DHCP listens on VlanBridge itself (its untagged side), not on the
# vlan3777 interface defined above
add address-pool=GuestDHCP_pool disabled=no interface=VlanBridge name=\
    GuestDHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# ether4-SW, described in the post as the trunk to the PoE switch, is a port
# of the plain bridge; the only member of VlanBridge is ether5. Frames arriving
# tagged 3777 on ether4-SW therefore land on "bridge", which carries no
# vlan3777 interface — likely why the guest and main networks end up
# behaving unexpectedly in the post
add bridge=bridge comment=defconf interface=ether2-OFFICESW
add bridge=bridge comment=defconf interface=ether3-POESW
add bridge=bridge comment=defconf interface=ether4-SW
add bridge=VlanBridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# no tagged=/untagged= port lists and VlanBridge has vlan-filtering left at
# its default, so this entry is currently inert
add bridge=VlanBridge vlan-ids=3777
/interface list member
# LAN holds only "bridge"; VlanBridge is not in it, so neighbor discovery and
# mac-server/mac-winbox (both bound to LAN) are not exposed to the guest side.
# pppoe-out1 is now in WAN, so the WAN-list rules apply to the PPPoE session
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=pppoe-out1 list=WAN
/ip address
# NOTE(review): 192.168.1.1/24 sits on ether2-OFFICESW, a port of the bridge,
# while the defconf DHCP server listens on the bridge — confirm intent
add address=192.168.1.1/24 comment=defconf interface=ether2-OFFICESW network=\
    192.168.1.0
# guest gateway address is on VlanBridge (untagged), matching the DHCP server
add address=192.168.44.1/24 interface=VlanBridge network=192.168.44.0
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
# guest clients get an external resolver (213.42.20.20) and bypass the
# router's own DNS
add address=192.168.44.0/24 dns-server=213.42.20.20 gateway=192.168.44.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
# every drop rule in both chains is disabled=yes (the post calls this
# temporary). While they are off: the input chain accepts anything not caught
# above it, including telnet/ftp/www/api/winbox from the WAN (only ssh is
# disabled under /ip service), and there is no forward rule isolating
# 192.168.44.0/24 from 192.168.1.0/24, so guest clients can reach the main LAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# when re-enabled, this drops input that is neither from VlanBridge nor from
# the LAN list (both matchers are negated and ANDed), i.e. the guest bridge is
# deliberately allowed to reach the router's own services
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface=!VlanBridge in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
# single masquerade keyed on the WAN list, which now includes pppoe-out1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
# only ssh is off here; telnet and ftp (cleartext credentials), www, api and
# winbox remain enabled and, with the input drops disabled, reachable from WAN
set ssh disabled=yes
/system clock
set time-zone-name=REDACTED
/system identity
set name=REDACTED
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Farseer

Re: Help with VLAN Trunk

Wed Sep 02, 2020 5:28 pm

Resolved :

My initial problem was having my vlan3777 on its own bridge, but that made it unable to communicate with the default LAN network of 192.168.1.0/24 and devices couldn't get an IP (due to the switch not being configured at that time). I then spent a lot of time trying to do X and Y to resolve it, but that just took me deeper into other problems. In short, for my purposes of having only 1 VLAN with its own IP range and the default IP range without any VLAN on 1 port, I should keep the VLAN on the main bridge in Interface.