Hi everyone,
I have just received my CSS610-8G-2S+ and I am unable to configure the VLANs properly.
There is a new scenario in the VLAN setup section: no "enabled" option. I saw in another topic that the developers suggest using "strict" but it is not working at all in my setup.
My setup is fairly simple:
- Trunk: with VLANs 10, 20, 30 and 40
- Hybrid port
- Several access ports.
This scenario is identical to the examples found in the (suggested) switch wiki: https://wiki.mikrotik.com/wiki/SWOS/CSS326-VLAN-Example. But I've tried all the possible combinations for my Trunk port and it is not working.
Anyone was successful with the VLANs setup?
I guess that running a release-candidate firmware is just ridiculous; even if this is a new product. MikroTik should offer a solution soon because this is absolutely unprofessional.
Re: CSS610-8G-2S+ and VLANs
Please look at threads written by others before you ask something that has already been asked.
Everybody is having problems with CS610-8G-2S+ devices
viewtopic.php?f=17&t=167891
viewtopic.php?f=17&t=168475
viewtopic.php?f=17&t=167049
viewtopic.php?f=17&t=168159
Everybody is having problems with CS610-8G-2S+ devices
viewtopic.php?f=17&t=167891
viewtopic.php?f=17&t=168475
viewtopic.php?f=17&t=167049
viewtopic.php?f=17&t=168159
Re: CSS610-8G-2S+ and VLANs
Please look at threads written by others before you ask something that has already been asked.
Everybody is having problems with CS610-8G-2S+ devices
viewtopic.php?f=17&t=167891
viewtopic.php?f=17&t=168475
viewtopic.php?f=17&t=167049
viewtopic.php?f=17&t=168159
Sorry, my fault. I didn't see viewtopic.php?f=17&t=168159, the main topic in the other threads are other than VLAN setup.
I've been tinkering with the VLAN setup this morning and I've got unsatisfactory results. I can't make it run. On the other hand I rescued and upgraded to the latest firmware an old RB260GS and my net runs fine. Thus, I guess that there is something wrong with the CSS610 firmware. If somebody makes some progress, please let us know.
Thanks.
Re: CSS610-8G-2S+ and VLANs
MikroTik has released their new product with unstable firmware (release candidate) it is full of bugs. This is not what they usually do. I'm disappointed. There are some CSS610 devices sitting on my self right now, and I'm not sure what to do with them. :-(
Re: CSS610-8G-2S+ and VLANs
MikroTik has released their new product with unstable firmware (release candidate) it is full of bugs. This is not what they usually do. I'm disappointed. There are some CSS610 devices sitting on my self right now, and I'm not sure what to do with them. :-(
Same feeling here. I am running a Data Science Lab and we have been upgrading old network stuff (HP and Netgear) to MikroTik. We planned to retire our ancient pfSense whitebox and buy at least one beefy router from Mikrotik. But... guys... I can't hardly believe that the CSS610 was shipped with a rc-firmware that makes impossible to runs VLANs: it is supposed to be a managed switch.
Re: CSS610-8G-2S+ and VLANs
I've received a reply from Mikrotik an hour ago and I did a quick test. And it works!
It is a good starting point.
[...]
First, try to disable the "Add Information Option" under the System menu.
For access or untagged ports, use "VLAN Mode = optional", "VLAN Receive = only untagged" and specify the "Default VLAN ID". For the trunk or tagged ports, use "VLAN Mode = strict", "VLAN Receive = only tagged". And make sure to include all the necessary member ports for each VLAN ID under the VLANs menu.
[...]
The wiki manuals will get updated, thank you for pointing this out. We are still working on a new SwOS version for CSS610 devices, but I cannot predict when this version will be available.
[...]
It is a good starting point.
Re: CSS610-8G-2S+ and VLANs
Oh my, wish I read that before the purchase... My unit was shipped with SwOs 2.12.0 but VLANs still don't work - trunk ports kinda work (though DHCP is not) access ports don't work at all. Looks like the only option is to upgrade to CSS326, however, it's a bit of an overkill for my lab ¯\_(ツ)_/¯
What are you doing MikroTik?!
What are you doing MikroTik?!
Re: CSS610-8G-2S+ and VLANs
So, my setup is something like that is pictured on the diagram - https://www.dropbox.com/s/mt4itbnkif9bc ... k.png?dl=0
With this setup, Philips Hue can't get IP from DHCP (all DHCP servers are running on 4011). Additionally, when a client connects to IoT WAP he receives IP from VLAN1. So to mitigate the above issues I temporarily disabled local forwarding in CAPsMAN and connected Hue to one of the ports on 4011.
I have a feeling that the issue is with VLAN1, however, as soon as I try to switch it to another ID and transfer with TAG - I lose connectivity to both 962 and the switch (switch IP is in VLAN1 subnet). Still playing with RB setting to overcome the issue, any advise will be highly appreciated.
With this setup, Philips Hue can't get IP from DHCP (all DHCP servers are running on 4011). Additionally, when a client connects to IoT WAP he receives IP from VLAN1. So to mitigate the above issues I temporarily disabled local forwarding in CAPsMAN and connected Hue to one of the ports on 4011.
I have a feeling that the issue is with VLAN1, however, as soon as I try to switch it to another ID and transfer with TAG - I lose connectivity to both 962 and the switch (switch IP is in VLAN1 subnet). Still playing with RB setting to overcome the issue, any advise will be highly appreciated.
Re: CSS610-8G-2S+ and VLANs
VLAN ID 1 is indeed tricky to use because it's implicitly used in many places and if you don't reconfigure it as required, it can mess things in various unexpected ways.
Post config export (output of at least /interface export) so we can see what exactly you have currently and we'll advise changes (for the better).
Post config export (output of at least /interface export) so we can see what exactly you have currently and we'll advise changes (for the better).
Re: CSS610-8G-2S+ and VLANs
Sure, part of config for RB4011:
And RB962:
Code: Select all
/interface bridge
add name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=CSS610
set [ find default-name=ether2 ] comment=MBP
set [ find default-name=ether3 ] comment=RPi4
set [ find default-name=ether4 ] comment=Desktop
set [ find default-name=ether7 ] comment="thr-2920x enp4s0"
set [ find default-name=ether8 ] comment="thr-2920x enp6s0" mac-address=C4:AD:34:DB:8A:9D
set [ find default-name=ether9 ] comment="Poweredge T30 enp4s0f0"
set [ find default-name=ether10 ] comment="Poweredge T30 enp4s0f1" mac-address=C4:AD:34:DB:8A:9F poe-out=off
/interface vlan
add interface=bridge-local name=br-vlan20 vlan-id=20
add interface=bridge-local name=br-vlan21 vlan-id=21
add interface=bridge-local name=br-vlan111 vlan-id=111
/interface bonding
add mode=802.3ad name=bonding-thr-2920x slaves=ether7,ether8
add mode=802.3ad name=bonding-tr30 slaves=ether9,ether10
/interface list
add name=RESTRICTED_LAN
/interface bridge port
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local disabled=yes interface=ether5
add bridge=bridge-local interface=ether6 pvid=20
add bridge=bridge-local interface=bonding-tr30
add bridge=bridge-local interface=bonding-thr-2920x
/interface bridge vlan
add bridge=bridge-local comment="Servers VLAN" tagged=ether1,ether2,ether3,bridge-local,bonding-tr30,bonding-thr-2920x untagged=br-vlan111 vlan-ids=111
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether1,ether2 vlan-ids=20
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether1,ether2,bonding-thr-2920x vlan-ids=21
add bridge=bridge-local comment="ProxMox Comms" tagged=bonding-thr-2920x,bonding-tr30 vlan-ids=50
/interface list member
add interface=br-vlan20 list=RESTRICTED_LAN
add interface=br-vlan21 list=RESTRICTED_LAN
And RB962:
Code: Select all
/interface bridge
add admin-mac=CC:2D:E0:B5:2D:B2 auto-mac=no name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Internet speed=100Mbps
set [ find default-name=ether2 ] comment="QNAP eth0" speed=100Mbps
set [ find default-name=ether3 ] comment="QNAP eth1" mac-address=CC:2D:E0:B5:2D:B2 speed=100Mbps
set [ find default-name=ether4 ] comment="Philips HUE" speed=100Mbps
set [ find default-name=ether5 ] comment=RB4011 poe-out=off speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=bridge-local name=br-vlan20 vlan-id=20
add interface=bridge-local name=br-vlan21 vlan-id=21
add interface=bridge-local name=br-vlan111 vlan-id=111
/interface bonding
add disabled=yes mode=802.3ad name=bonding-qnap slaves=ether2,ether3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WAN-IPV6
/interface bridge port
add bridge=bridge-local interface=ether4 pvid=20
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=bonding-qnap
/interface bridge vlan
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether5 untagged=ether3 vlan-ids=20
add bridge=bridge-local comment="Servers VLAN" tagged=bridge-local,bonding-qnap,ether5 vlan-ids=111
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether5 vlan-ids=21
/interface list member
add interface=bridge-local list=LAN
add interface=ether1 list=WAN
Re: CSS610-8G-2S+ and VLANs
Heh, just realised my 962 acts really weird - no 5GHz interface listed and auto-negotiation shows incorrect results on all ports.
Re: CSS610-8G-2S+ and VLANs
One problem is this config line on RB4011:
You should never enumerate VLAN interfaces (created in /interface vlan) as members of bridge which they're based on.
Imagine VLAN interface as a two-way pipe with one tagged and one untagged end. The pipe either strips VLAN tag from packet (when traversing ftom tagged towards untagged end) or it adds VLAN tag to packet (when traversing from untagged towards tagged end). When you create the VLAN interface, you anchor tagged end to underlying interface (and bridge is implicitly an interface as well, in this case you're using the interface personality of bridge). Later on, when you refer to VLAN interface, you're referring to its untagged end.
So when you added VLAN interface as untagged port to bridge, you created a loop between VLAN 111 and untagged "vlan" which is not what you want.
Config of RB962 seems fine to me.
We'd have to see the rest of config (both units) to judge whether L2 setup makes sense for the rest of setup (e.g. which interfaces have DHCP servers enabled, how's addressing done, etc.).
/interface bridge vlan
add bridge=bridge-local comment="Servers VLAN" \
tagged=ether1,ether2,ether3,bridge-local,bonding-tr30,bonding-thr-2920x \
untagged=br-vlan111 \
vlan-ids=111
You should never enumerate VLAN interfaces (created in /interface vlan) as members of bridge which they're based on.
Imagine VLAN interface as a two-way pipe with one tagged and one untagged end. The pipe either strips VLAN tag from packet (when traversing ftom tagged towards untagged end) or it adds VLAN tag to packet (when traversing from untagged towards tagged end). When you create the VLAN interface, you anchor tagged end to underlying interface (and bridge is implicitly an interface as well, in this case you're using the interface personality of bridge). Later on, when you refer to VLAN interface, you're referring to its untagged end.
So when you added VLAN interface as untagged port to bridge, you created a loop between VLAN 111 and untagged "vlan" which is not what you want.
Config of RB962 seems fine to me.
We'd have to see the rest of config (both units) to judge whether L2 setup makes sense for the rest of setup (e.g. which interfaces have DHCP servers enabled, how's addressing done, etc.).
Re: CSS610-8G-2S+ and VLANs
Good catch, that's leftover from some of my experiments - was trying to move VLAN if to another physical if.
RB4011:
RB962:
RB4011:
Code: Select all
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2437,2462 name=2.4ghz-channel tx-power=16
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XX frequency=5180,5260,5500,5660,5745 name=5ghz-channel tx-power=22
/interface bridge
add name=bridge-ikev2
add name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=CSS610
set [ find default-name=ether2 ] comment=MBP
set [ find default-name=ether3 ] comment=RPi4
set [ find default-name=ether4 ] comment=Desktop
set [ find default-name=ether7 ] comment="thr-2920x enp4s0"
set [ find default-name=ether8 ] comment="thr-2920x enp6s0" mac-address=C4:AD:34:DB:8A:9D
set [ find default-name=ether9 ] comment="Poweredge T30 enp4s0f0"
set [ find default-name=ether10 ] comment="Poweredge T30 enp4s0f1" mac-address=C4:AD:34:DB:8A:9F poe-out=off
/interface vlan
add interface=bridge-local name=br-vlan20 vlan-id=20
add interface=bridge-local name=br-vlan21 vlan-id=21
add interface=bridge-local name=br-vlan111 vlan-id=111
add interface=bridge-local name=br-vlan1000 vlan-id=1000
/interface bonding
add mode=802.3ad name=bonding-thr-2920x slaves=ether7,ether8
add mode=802.3ad name=bonding-tr30 slaves=ether9,ether10
/caps-man datapath
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=yes name=datapath-local
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=no name=datapath-iot vlan-id=20 vlan-mode=use-tag
add bridge=bridge-local client-to-client-forwarding=no local-forwarding=no name=datapath-guest vlan-id=21 vlan-mode=use-tag
/caps-man rates
add basic=12Mbps name=2.4ghz-rates supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=wifi-local passphrase=******
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=wifi-iot passphrase=******
add disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=wifi-guest
/caps-man configuration
add channel=2.4ghz-channel country=poland datapath=datapath-local distance=dynamic hw-protection-mode=rts-cts mode=ap multicast-helper=full name=2.4ghz-wifi-local rates=2.4ghz-rates rx-chains=0,1,2,3 security=\
wifi-local ssid=Wi-Fi tx-chains=0,1,2,3
add channel=5ghz-channel country=poland datapath=datapath-local distance=dynamic hw-protection-mode=rts-cts mode=ap multicast-helper=full name=5ghz-wifi-local rx-chains=0,1,2,3 security=wifi-local ssid=Wi-Fi \
tx-chains=0,1,2,3
add channel=2.4ghz-channel country=poland datapath=datapath-iot distance=dynamic hide-ssid=yes hw-protection-mode=rts-cts mode=ap multicast-helper=full name=2.4ghz-wifi-iot rates=2.4ghz-rates rx-chains=0,1,2,3 \
security=wifi-iot ssid=IoT tx-chains=0,1,2,3
add channel=5ghz-channel country=poland datapath=datapath-iot distance=dynamic hide-ssid=yes hw-protection-mode=rts-cts mode=ap multicast-helper=full name=5ghz-wifi-iot rx-chains=0,1,2,3 security=wifi-iot ssid=IoT \
tx-chains=0,1,2,3
add channel=2.4ghz-channel country=poland datapath=datapath-guest distance=dynamic hw-protection-mode=rts-cts mode=ap multicast-helper=full name=2.4ghz-wifi-guest rates=2.4ghz-rates rx-chains=0,1,2,3 security=\
wifi-guest ssid="Wi-Fi Guest" tx-chains=0,1,2,3
add channel=5ghz-channel country=poland datapath=datapath-guest distance=dynamic hw-protection-mode=rts-cts mode=ap multicast-helper=full name=5ghz-wifi-guest rx-chains=0,1,2,3 security=wifi-guest ssid="Wi-Fi Guest" \
tx-chains=0,1,2,3
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=RESTRICTED_LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-pool-iot ranges=172.16.20.1-172.16.20.200
add name=dhcp-pool-guest ranges=172.16.21.1-172.16.21.200
add name=dhcp-pool-servers-111 ranges=172.16.111.0-172.16.111.99
add name=dhcp-pool-local ranges=10.113.121.150-10.113.121.199
add name=ikev2-pool ranges=172.16.86.1-172.16.86.253
/ip dhcp-server
add address-pool=dhcp-pool-iot disabled=no interface=br-vlan20 lease-time=30m name=dhcp-iot
add address-pool=dhcp-pool-guest disabled=no interface=br-vlan21 lease-time=30m name=dhcp-guest
add address-pool=dhcp-pool-servers-111 disabled=no interface=br-vlan111 lease-time=30m name=dhcp-servers-111
add address-pool=dhcp-pool-local disabled=no interface=bridge-local lease-time=30m name=dhcp-local
/queue type
add kind=pcq name=PCQ-Down pcq-classifier=dst-address pcq-limit=100KiB
add kind=pcq name=PCQ-Up pcq-classifier=src-address pcq-limit=100KiB
/queue simple
add limit-at=10M/40M max-limit=10M/40M name="Guest network limit" priority=1/1 queue=PCQ-Up/PCQ-Down target=br-vlan21 total-queue=default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
set 3 remote=198.51.100.11
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=2.4ghz-wifi-local name-format=prefix-identity name-prefix=2G slave-configurations=2.4ghz-wifi-iot,2.4ghz-wifi-guest
add action=create-dynamic-enabled hw-supported-modes=ac,an master-configuration=5ghz-wifi-local name-format=prefix-identity name-prefix=5G slave-configurations=5ghz-wifi-iot,5ghz-wifi-guest
/interface bridge port
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local disabled=yes interface=ether5
add bridge=bridge-local interface=ether6 pvid=20
add bridge=bridge-local interface=bonding-tr30
add bridge=bridge-local interface=bonding-thr-2920x
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge-local comment="Servers VLAN" tagged=ether1,ether2,ether3,bridge-local,bonding-tr30,bonding-thr-2920x vlan-ids=111
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether1,ether2 vlan-ids=20
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether1,ether2,bonding-thr-2920x vlan-ids=21
add bridge=bridge-local comment="ProxMox Comms" tagged=bonding-thr-2920x,bonding-tr30 vlan-ids=50
/interface ethernet switch vlan
add independent-learning=no ports=ether1 switch=switch1 vlan-id=20
/interface list member
add interface=br-vlan20 list=RESTRICTED_LAN
add interface=br-vlan21 list=RESTRICTED_LAN
/ip address
add address=10.113.121.254/24 comment="Local NET" interface=bridge-local network=10.113.121.0
add address=172.16.89.4/24 comment="MGMT subnet" interface=bridge-local network=172.16.89.0
add address=172.16.20.254/24 comment="IoT network" interface=br-vlan20 network=172.16.20.0
add address=172.16.21.254/24 comment="Guest network" interface=br-vlan21 network=172.16.21.0
add address=172.16.111.254/24 comment="Servers VLAN" interface=br-vlan111 network=172.16.111.0
/ip dhcp-client
add comment=WAN disabled=no interface=br-vlan1000
/ip dhcp-server network
add address=10.113.121.0/24 comment="Local network" dns-server=198.51.100.5 domain=yottacloud.org gateway=10.113.121.14 netmask=24 ntp-server=10.113.121.254
add address=172.16.20.0/24 comment="IoT network" dns-server=172.16.20.254 gateway=172.16.20.254 ntp-server=172.16.20.254
add address=172.16.21.0/24 comment="Guest network" dns-server=198.51.100.5 gateway=172.16.21.254 ntp-server=172.16.21.254
add address=172.16.111.0/24 boot-file-name=pxelinux.0 comment="Servers VLAN" dns-server=172.16.111.254 gateway=172.16.111.254 next-server=172.16.111.201 ntp-server=172.16.111.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=172.16.21.0/24 list=Guest
add address=172.16.20.0/24 list=IoT
add address=172.16.20.0/24 list=Not-Local
add address=172.16.21.0/24 list=Not-Local
add address=10.113.121.0/24 list=Local-NET
add address=172.16.89.0/24 list=Local-NET
add address=198.51.100.0/24 list=Local-NET
add address=10.0.3.0/24 list=Local-NET
add address=10.0.5.0/24 list=Local-NET
add address=172.16.86.0/24 list=IKEv2
add address=172.16.10.0/24 list=Local-NET
add address=172.16.111.0/24 list=Local-NET
/ip firewall filter
add action=drop chain=input comment="Drop invalid input connections" connection-state=invalid in-interface-list=RESTRICTED_LAN
add action=accept chain=input comment="Accept established input connections" connection-state=established,related in-interface-list=RESTRICTED_LAN
add action=accept chain=input src-address=172.16.86.0/24
add action=accept chain=input comment=IKEv2 dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Accept DNS requests from IoT network" dst-port=53 in-interface=br-vlan20 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=br-vlan20 protocol=udp
add action=accept chain=input comment="Accept incoming NTP connections from IoT network" dst-port=123 in-interface=br-vlan20 protocol=udp
add action=accept chain=input comment="Accept DHCP connections" dst-port=67 in-interface=br-vlan21 protocol=udp
add action=accept chain=input dst-port=67 in-interface=br-vlan20 protocol=udp
add action=drop chain=input comment="Drop incoming connections from IoT and Guest networks" in-interface-list=RESTRICTED_LAN
add action=drop chain=forward comment="Drop invalid forward connections" connection-state=invalid in-interface-list=RESTRICTED_LAN
add action=accept chain=forward comment=IKEv2 ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward src-address=172.16.86.0/24
add action=accept chain=forward comment="Accept established forward connections" connection-state=established,related in-interface-list=RESTRICTED_LAN
add action=accept chain=forward comment="Accept DNS connections from Guest network" dst-address=198.51.100.6 dst-port=53 in-interface=br-vlan21 protocol=tcp
add action=accept chain=forward dst-address=198.51.100.5 dst-port=53 in-interface=br-vlan21 protocol=udp
add action=accept chain=forward comment="Accept all the rest forward connections from IoT and Guest networks" dst-address-list=!Local-NET in-interface-list=RESTRICTED_LAN
add action=drop chain=forward comment="Drop connections to the Local NET from IoT and Guest networks" in-interface-list=RESTRICTED_LAN
/ip route
add distance=1 gateway=10.113.121.14
/routing bgp peer
add address-families=ip,ipv6 in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB962 out-filter=AS100000-bgp-out remote-address=172.16.89.1 remote-as=100000 ttl=default
add in-filter=AS64500-bgp-in name=MatalLB1 out-filter=AS64500-bgp-out remote-address=10.113.121.210 remote-as=64500 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB2 out-filter=AS64500-bgp-out remote-address=10.113.121.211 remote-as=64500 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB3 out-filter=AS64500-bgp-out remote-address=10.113.121.212 remote-as=64500 ttl=default
add address-families=ip,ipv6 disabled=yes in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB2011 out-filter=AS100000-bgp-out remote-address=172.16.89.3 remote-as=100000 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB4 out-filter=AS64500-bgp-out remote-address=10.113.121.220 remote-as=64500 ttl=default
add disabled=yes in-filter=AS64500-bgp-in name=MetalLB5 out-filter=AS64500-bgp-out remote-address=10.113.121.213 remote-as=64500 ttl=default
add address-families=ip,ipv6 in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB941 out-filter=AS100000-bgp-out remote-address=172.16.89.2 remote-as=100000 ttl=default
/routing filter
add action=discard chain=AS64500-bgp-in prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-in prefix=198.51.100.0/24
add action=accept chain=AS64500-bgp-in
add action=accept chain=AS64500-bgp-out prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS64500-bgp-out
add action=accept chain=AS100000-bgp-in
add action=discard chain=AS100000-bgp-out prefix=10.113.121.0/24
add action=discard chain=AS100000-bgp-out prefix=172.16.89.0/24
add action=discard chain=AS100000-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS100000-bgp-out prefix=2001:470:71:562::/64
add action=accept chain=AS100000-bgp-out
add action=discard chain=AS64500-bgp-in prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-in prefix=198.51.100.0/24
add action=accept chain=AS64500-bgp-in
add action=accept chain=AS64500-bgp-out prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS64500-bgp-out
add action=accept chain=AS100000-bgp-in
add action=discard chain=AS100000-bgp-out prefix=10.113.121.0/24
add action=discard chain=AS100000-bgp-out prefix=172.16.89.0/24
add action=discard chain=AS100000-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS100000-bgp-out prefix=2001:470:71:562::/64
add action=accept chain=AS100000-bgp-out
/snmp
set trap-generators=interfaces,start-trap
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB4011
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
set 0 action=remote
set 1 action=remote
set 2 action=remote
set 3 action=remote
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=216.239.35.8
/system ntp server
set enabled=yes
/system package update
set channel=long-term
RB962:
Code: Select all
/interface bridge
add admin-mac=CC:2D:E0:B5:2D:B2 auto-mac=no name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Internet speed=100Mbps
set [ find default-name=ether2 ] comment="QNAP eth0" speed=100Mbps
set [ find default-name=ether3 ] comment="QNAP eth1" mac-address=CC:2D:E0:B5:2D:B2 speed=100Mbps
set [ find default-name=ether4 ] comment="Philips HUE" speed=100Mbps
set [ find default-name=ether5 ] comment=RB4011 poe-out=off speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=bridge-local name=br-vlan20 vlan-id=20
add interface=bridge-local name=br-vlan21 vlan-id=21
add interface=bridge-local name=br-vlan111 vlan-id=111
/interface bonding
add disabled=yes mode=802.3ad name=bonding-qnap slaves=ether2,ether3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
set 3 remote=198.51.100.11
/interface bridge port
add bridge=bridge-local interface=ether4 pvid=20
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=bonding-qnap
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether5 untagged=ether3 vlan-ids=20
add bridge=bridge-local comment="Servers VLAN" tagged=bridge-local,bonding-qnap,ether5 vlan-ids=111
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether5 vlan-ids=21
/interface list member
add interface=bridge-local list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.113.121.14/24 interface=bridge-local network=10.113.121.0
add address=172.16.89.1/24 interface=bridge-local network=172.16.89.0
/ip dhcp-client
add comment=WAN disabled=no interface=ether1
add add-default-route=no disabled=no interface=br-vlan20
add add-default-route=no disabled=no interface=br-vlan111
/ip dhcp-relay
add add-relay-info=yes dhcp-server=10.113.121.254 disabled=no interface=bridge-local local-address=10.113.121.14 name=local-net relay-info-remote-id=10.113.121.14
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="*** Connections to router *** Allow L2TP connections" port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=QNAP dst-port=80,443,8080 in-interface-list=WAN protocol=tcp to-addresses=10.113.121.201
add action=dst-nat chain=dstnat comment=IKEv2 dst-port=500,4500 in-interface-list=WAN protocol=udp to-addresses=10.113.121.254
add action=dst-nat chain=dstnat ipsec-policy=in,ipsec to-addresses=10.113.121.254
add action=dst-nat chain=dstnat comment="Public ingress" disabled=yes dst-port=30000 in-interface-list=WAN protocol=tcp to-addresses=198.51.100.0
add action=dst-nat chain=dstnat comment="adguard udp" disabled=yes dst-port=53 in-interface-list=WAN protocol=udp to-addresses=198.51.100.5
add action=dst-nat chain=dstnat comment="adguard tcp" disabled=yes dst-port=53 in-interface-list=WAN protocol=tcp to-addresses=198.51.100.6
/ip route
add comment="QNAP Docker" distance=1 dst-address=10.0.3.0/24 gateway=10.113.121.201
add comment="QNAP Docker" distance=1 dst-address=10.0.5.0/24 gateway=10.113.121.201
/routing bgp peer
add in-filter=AS64500-bgp-in name=MatalLB1 out-filter=AS64500-bgp-out remote-address=10.113.121.210 remote-as=64500 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB2 out-filter=AS64500-bgp-out remote-address=10.113.121.211 remote-as=64500 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB3 out-filter=AS64500-bgp-out remote-address=10.113.121.212 remote-as=64500 ttl=default
add address-families=ip,ipv6 disabled=yes in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB2011 out-filter=AS100000-bgp-out remote-address=172.16.89.3 remote-as=100000 ttl=default
add address-families=ip,ipv6 in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB4011 out-filter=AS100000-bgp-out remote-address=172.16.89.4 remote-as=100000 ttl=default
add in-filter=AS64500-bgp-in name=MetalLB4 out-filter=AS64500-bgp-out remote-address=10.113.121.220 remote-as=64500 ttl=default
add disabled=yes in-filter=AS64500-bgp-in name=MetalLB5 out-filter=AS64500-bgp-out remote-address=10.113.121.213 remote-as=64500 ttl=default
add address-families=ip,ipv6 in-filter=AS100000-bgp-in instance=bgp-mikrotik name=RB941 out-filter=AS100000-bgp-out remote-address=172.16.89.2 remote-as=100000 ttl=default
/routing filter
add action=discard chain=AS64500-bgp-in prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-in prefix=198.51.100.0/24
add action=accept chain=AS64500-bgp-in
add action=accept chain=AS64500-bgp-out prefix=10.113.121.0/24
add action=accept chain=AS64500-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS64500-bgp-out
add action=discard chain=AS100000-bgp-in prefix=2001:470:71:562::/64
add action=accept chain=AS100000-bgp-in
add action=discard chain=AS100000-bgp-out prefix=10.113.121.0/24
add action=discard chain=AS100000-bgp-out prefix=172.16.89.0/24
add action=discard chain=AS100000-bgp-out prefix=198.51.100.0/24
add action=discard chain=AS100000-bgp-out prefix=2001:470:70:562::/64
add action=discard chain=AS100000-bgp-out prefix=2001:470:71:562::/64
add action=accept chain=AS100000-bgp-out
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB962
/system logging
set 0 action=remote
set 1 action=remote
set 2 action=remote
set 3 action=remote
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=216.239.35.8
/system ntp server
set enabled=yes
/system package update
set channel=long-term
/system watchdog
set ping-start-after-boot=15m watch-address=8.8.8.8
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Re: CSS610-8G-2S+ and VLANs
Other than setting in /interface ethernet switch vlan (which on RB4011 likely doesn't work anyway) I don't see anything in RB4011 config which would cause IoT devices to get IP address from wrong subnet. So my suspect is CSS config for this one.
My aporoach is this: when I need VLANs, then any link between LAN devices is trunk (no untagged is allowed). This way it's easier to get VLANs right and chance of packets bleeding from one VLAN to another us lower.
My aporoach is this: when I need VLANs, then any link between LAN devices is trunk (no untagged is allowed). This way it's easier to get VLANs right and chance of packets bleeding from one VLAN to another us lower.
Re: CSS610-8G-2S+ and VLANs
Yep, I'll try to switch to trunk ports, thanks for checking anyway.
Just in case, my CSS settings:
https://www.dropbox.com/s/osumvq6vipki9 ... 4.png?dl=0
https://www.dropbox.com/s/u6kn75jqpicjn ... 4.png?dl=0
I've tried playing with VLAN Mode for HUE port, any possible variants give the same results, clearly should go with trunk port for RBs.
Just in case, my CSS settings:
https://www.dropbox.com/s/osumvq6vipki9 ... 4.png?dl=0
https://www.dropbox.com/s/u6kn75jqpicjn ... 4.png?dl=0
I've tried playing with VLAN Mode for HUE port, any possible variants give the same results, clearly should go with trunk port for RBs.
Re: CSS610-8G-2S+ and VLANs
mkx thanks a lot for your help, it works now. :)
The confusing part is that access ports do not work with strict VLAN mode, will test afterwards if I can plug into that port and successfully communicated with some VLAN which is not in the table for that port.
My current setup looks like that - https://www.dropbox.com/s/wjvgiss6llpgg ... w.png?dl=0
And RB configs (only bridge settings changed).
RB4011:
RB962:
Now I'm wondering if I will be able to set up 10G trunk between RB4011 and CSS610 using S+RJ10, the description says I need "MikroTik device with active cooling" while both of my devices are cooled passively. :)
The confusing part is that access ports do not work with strict VLAN mode, will test afterwards if I can plug into that port and successfully communicated with some VLAN which is not in the table for that port.
My current setup looks like that - https://www.dropbox.com/s/wjvgiss6llpgg ... w.png?dl=0
And RB configs (only bridge settings changed).
RB4011:
Code: Select all
/interface bridge
add name=bridge-ikev2
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-local vlan-filtering=yes
/interface bridge port
add bridge=bridge-local frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-local interface=ether2 pvid=3121
add bridge=bridge-local interface=ether3 pvid=3121
add bridge=bridge-local interface=ether4 pvid=3121
add bridge=bridge-local disabled=yes interface=ether5
add bridge=bridge-local interface=ether6 pvid=20
add bridge=bridge-local interface=bonding-tr30 pvid=3121
add bridge=bridge-local interface=bonding-thr-2920x pvid=3121
/interface bridge vlan
add bridge=bridge-local comment="Servers VLAN" tagged=ether1,ether2,ether3,bridge-local,bonding-tr30,bonding-thr-2920x vlan-ids=111
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether1,ether2 vlan-ids=20
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether1,ether2,bonding-thr-2920x vlan-ids=21
add bridge=bridge-local comment="ProxMox Comms" tagged=bonding-thr-2920x,bonding-tr30 vlan-ids=50
add bridge=bridge-local comment="WAN VLAN" tagged=bridge-local vlan-ids=1000
add bridge=bridge-local comment="Local NET VLAN" tagged=bridge-local,ether1 untagged=bonding-thr-2920x,bonding-tr30,ether2,ether3,ether4 vlan-ids=3121
Code: Select all
/interface bridge
add admin-mac=CC:2D:E0:B5:2D:B2 auto-mac=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-local vlan-filtering=yes
/interface bridge port
add bridge=bridge-local frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5 pvid=3121
add bridge=bridge-local interface=sfp1
/interface bridge vlan
add bridge=bridge-local comment="IoT VLAN" tagged=bridge-local,ether5 vlan-ids=20
add bridge=bridge-local comment="Servers VLAN" tagged=bridge-local,ether5 vlan-ids=111
add bridge=bridge-local comment="Guest VLAN" tagged=bridge-local,ether5 vlan-ids=21
add bridge=bridge-local comment="Local NET VLAN" tagged=bridge-local,ether5 vlan-ids=3121
Now I'm wondering if I will be able to set up 10G trunk between RB4011 and CSS610 using S+RJ10, the description says I need "MikroTik device with active cooling" while both of my devices are cooled passively. :)
Re: CSS610-8G-2S+ and VLANs
Improved RB962 performance by using switch chip VLAN table:
Sorry for flood guys. :)
Code: Select all
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-local vlan-filtering=no
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether5 switch=switch1 vlan-id=20
add independent-learning=yes ports=switch1-cpu,ether5 switch=switch1 vlan-id=21
add independent-learning=yes ports=switch1-cpu,ether5 switch=switch1 vlan-id=3121
Sorry for flood guys. :)
Re: CSS610-8G-2S+ and VLANs
I am on 2.13rc5, followed support response steps in one of the first posts.
I am getting 96% packet loss with vlans.
I can wait anymore, I need vlans.
Is there any update from MikroTik please?
Any newer rc build? It can’t be any worse for me.
I will be forced to order different hardware within days if no answer.
I am getting 96% packet loss with vlans.
I can wait anymore, I need vlans.
Is there any update from MikroTik please?
Any newer rc build? It can’t be any worse for me.
I will be forced to order different hardware within days if no answer.
Re: CSS610-8G-2S+ and VLANs
Hi nannou9, it's a community forum. Please consider reaching out to MKRT support - https://mikrotik.com/supportI am on 2.13rc5, followed support response steps in one of the first posts.
I am getting 96% packet loss with vlans.
I can wait anymore, I need vlans.
Is there any update from MikroTik please?
Any newer rc build? It can’t be any worse for me.
I will be forced to order different hardware within days if no answer.
Re: CSS610-8G-2S+ and VLANs
Got it finally working. But tbh not sure why problem with packet loss got suddenly away. Let’s assume user error.
Re: CSS610-8G-2S+ and VLANs
Apparently there's an RC6 version out. I just contacted support, ill pass on the firmware when I get it. Im using the Netpower 7RI am on 2.13rc5, followed support response steps in one of the first posts.
I am getting 96% packet loss with vlans.
I can wait anymore, I need vlans.
Is there any update from MikroTik please?
Any newer rc build? It can’t be any worse for me.
I will be forced to order different hardware within days if no answer.
Re: CSS610-8G-2S+ and VLANs
This worked for me FYI
Disabling "Add Information Option"
Disabling "Add Information Option"
Who is online
Users browsing this forum: No registered users and 5 guests