medi01
just joined
Topic Author
Posts: 23
Joined: Wed Jun 20, 2018 9:49 am

Need help setting up (VLAN?)

Tue Jan 12, 2021 7:39 pm

Black lines on this pic exist, blue is what I'm trying to achieve:

Image

Mikrotik acts as AP/home router (gets IP from the ISP box, has DHCP server, does NAT etc).

I need to build independent connection to the ISP box for PC that would connect to Ethernet 2 port and notebook that would connect via WLAN2.

And to make it harder (need nearly exactly the same setup somewhere else, where speed will matter), I want to use switch chipset's capabilities, when possible (i.e. Eth2).
 
mkx
Forum Guru
Posts: 13033
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help setting up (VLAN?)  [SOLVED]

Tue Jan 12, 2021 10:24 pm

So basically you want to have eth1 and eth2 switched as ISP "lan" and add to that a dedicated SSID on wlan. On the other hand you'd like to have eth3, eth4 and eth5 switched as LAN and add to that its own SSID?

Prior to reconfiguration, I suggest that you
  1. make backup of device and copy backup file off device
  2. export configuration executing /export file=myexport.txt and copy text export file off device
  3. upgrade device to latest long-term (6.46.8 at this moment, stay away from "stable" version 6.48 as it seems to have a few problems), including routerboot (execute /system routerboard upgrade after it reboots to ROS 6.46.8). This will give you the latest-and-greatest default setup to work with (you'll need it).

Something like this ... in two parts.

Part 1 - configuration of ethernet, VLANs. Easy to lock self out during this part:
# ISP: VLAN 100
# LAN: VLAN 200
/interface bridge
add name=bridge

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/interface bridge port
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2

/interface vlan
# names must match the ones used in the interface lists and IP config below
add interface=bridge name=vlan-ISP vlan-id=100
add interface=bridge name=vlan-LAN vlan-id=200

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1  # not really needed, but just in case
add list=WAN interface=ether2  # not really needed, but just in case
add list=WAN interface=vlan-ISP
add list=LAN interface=ether3  # not really needed, but just in case
add list=LAN interface=ether4  # not really needed, but just in case
add list=LAN interface=ether5  # not really needed, but just in case
add list=LAN interface=vlan-LAN
#
# Secure management access via MAC
#
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

/interface ethernet switch port
set 0 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure   # eth1
set 1 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure   # eth2
# special warning for the next 3 lines!!!!! (see text below)
set 2 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure   # eth3
set 3 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure   # eth4
set 4 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure   # eth5

/interface ethernet switch vlan
add switch=switch1 independent-learning=yes ports=switch1-cpu,ether1,ether2 vlan-id=100
add switch=switch1 independent-learning=yes ports=switch1-cpu,ether3,ether4,ether5 vlan-id=200

# special warning for the next line!!!!! (see text below)
/interface ethernet switch port
set 5 vlan-mode=secure  # switch1-cpu
Warning about setting vlan-mode on switch1-cpu port and on LAN-to-be ports: you'll probably lose access to the device at this point, but you should be able to re-connect. If not, you'll have to perform factory reset using the button procedure.

Part 2 - configuration of the rest (wireless, IP, ...):
/interface wireless security-profiles
# set up two security profiles, one for LAN wifi and the other for ISP wifi

/interface wireless
set [ find name=wlan1 ] security-profile=<LAN security profile> ssid=<LAN SSID> vlan-mode=use-tag vlan-id=200 # add other wireless settings
add master-interface=wlan1 name=wlan2 security-profile=<ISP security profile> ssid=<ISP SSID> vlan-mode=use-tag vlan-id=100 # optionally add other settings for virtual AP

/interface list member
add list=LAN interface=wlan1  # probably not needed, but just in case
add list=WAN interface=wlan2  # probably not needed, but just in case

# add WAN configuration, e.g. DHCP client, to vlan-ISP interface
/ip dhcp-client
add interface=vlan-ISP

# add LAN configuration, e.g. static IP address, DHCP server, to vlan-LAN interface
/ip address
add address=192.168.88.1/24 interface=vlan-LAN network=192.168.88.0
/ip pool
add name=LAN ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=LAN interface=vlan-LAN name=dhcp-LAN
/ip dhcp-server network
# without setting option dns-server DHCP server will serve addresses obtained by DHCP client run on WAN interface
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
#
# IMPORTANT!
#
# Copy-paste default ip firewall filter rules, as printed out by command
# /system default-configuration print
# (and scroll a bit down)
#

As the config is intended for the unit without any config (not even factory default), you'll have to use winbox and connect using MAC connectivity. Use one of ether ports 3, 4 or 5 (those intended for LAN at the end of config exercise). Still you'll most probably lose connectivity at some point. If you can re-connect, then proceed with config. If you can't reconnect, try using one of the other LAN-to-be ports. If you still cannot reconnect, then you'll have to reset device config and we'll have to think about some other way of configuring it.
 
medi01
just joined
Topic Author
Posts: 23
Joined: Wed Jun 20, 2018 9:49 am

Re: Need help setting up (VLAN?)

Wed Jan 13, 2021 11:12 am

Wow, so elaborate, thank you so much, I haven't tried yet, but thanks to comments, could follow what most commands do.

Regarding "independent-learning" bit, is this useful for anything but "same mac could appear on different ports" scenario?


And another, more complex question: would MAC address of Mikrotik's eth2 port be known to the ISP box?
I don't see why something with MAC-Eth2 would ever be sent over Eth1, but just in case. :)
(answering to some broadcasts perhaps?)
If yes, is it possible to prevent it?
 
mkx
Forum Guru
Posts: 13033
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help setting up (VLAN?)

Wed Jan 13, 2021 8:48 pm

Regarding "independent-learning" bit, is this useful for anything but "same mac could appear on different ports" scenario?
Some OSes (e.g. Linux) use the same MAC address for all VLANs using the same physical interface. In some circumstances (right now I don't remember an example, but when I read about it, it seemed plausible) this would cause some VLANs to leak. When independent-learning is set, the switch uses per-VLAN MAC tables, preventing VLANs from leaking.

And another, more complex question: would MAC address of Mikrotik's eth2 port be known to the ISP box?
I don't think so. MAC address of an interface is only used if that interface is used as endpoint for L3 (e.g. IP) communication. MAC addresses of L2 devices (e.g. ethernet switches) are normally not "sensed". In your particular case technically speaking ISP would not see MAC of eth1 port either. It would see MAC address of bridge (vlan100 interface uses MAC address of underlying trunk interface) ... which by default assumes MAC address of first active member port if it doesn't have MAC address statically set (use admin-mac=<MAC address> auto-mac=no on /interface bridge).
 
medi01
just joined
Topic Author
Posts: 23
Joined: Wed Jun 20, 2018 9:49 am

Re: Need help setting up (VLAN?)

Fri Jan 15, 2021 6:43 pm

And before I start applying it (the "reset" button is broken... I think I still can press it somehow with a screw driver, so it would be some fun), what about this comment:


Note: QCA8337 and Atheros8327 switch chips ignore the vlan-header property and use the default-vlan-id property to determine which ports are access ports. The vlan-header is set to leave-as-is and cannot be changed while the default-vlan-id property should only be used on access ports to tag all ingress traffic.

https://wiki.mikrotik.com/wiki/Manual:S ... p_Features
(Atheros8327 is exactly my case, and my future case is QCA8337, bummer)

I honestly cannot get to terms with this note and it only gets worse the more I think about it, e.g. if it is "leave-as-is" what happens to egress traffic on an access port???
 
tdw
Forum Guru
Posts: 2043
Joined: Sat May 05, 2018 11:55 am

Re: Need help setting up (VLAN?)

Fri Jan 15, 2021 7:15 pm

The 8337 and 8327 work properly, it is just a case of terminology/wording. Basically forget about the vlan-header= setting, with vlan-mode=secure the chip will use the default-vlan-id= setting to tag packets with that VLAN ID on ingress and strip the tag on egress.
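The two mechanisms discussed above (tdw's point that an access port tags untagged ingress with its default-vlan-id and strips the tag on egress, and mkx's earlier answer on why independent-learning keeps a per-VLAN MAC table) can be seen in a small model of the switch chip. The following is an added example, not code from the thread or from MikroTik: it is a constructed Python simulation whose port names and VLAN ids mirror mkx's config (ether1/ether2 in VLAN 100, ether3-5 in VLAN 200, switch1-cpu as the trunk), and everything else about it (the `Switch` class, the egress membership check, the sample MAC addresses) is an assumption of the model, not documented chip behaviour.

```python
# Constructed toy model of switch-chip VLAN forwarding; not RouterOS code.
# Port layout mirrors the thread's config, the rest is assumed for illustration.
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None   # None means the frame carries no 802.1Q tag


@dataclass
class Port:
    name: str
    default_vlan_id: Optional[int]  # PVID used to tag untagged ingress (None on the trunk)
    allowed: frozenset              # VLANs the port is a member of (the switch vlan table)
    strip_on_egress: bool           # access port: always-strip; trunk: keep the tag


class Switch:
    def __init__(self, ports, independent_learning):
        self.ports = {p.name: p for p in ports}
        self.independent_learning = independent_learning
        self.mac_table = {}

    def _key(self, vlan, mac):
        # independent-learning=yes: one MAC table per VLAN; otherwise one shared table
        return (vlan, mac) if self.independent_learning else mac

    def lookup(self, vlan, mac):
        return self.mac_table.get(self._key(vlan, mac))

    def forward(self, in_port, frame):
        """Return {egress port: frame as it leaves the chip}; an empty dict means dropped."""
        port = self.ports[in_port]
        vlan = frame.vlan if frame.vlan is not None else port.default_vlan_id
        # vlan-mode=secure: ingress must belong to a VLAN the port is a member of
        if vlan is None or vlan not in port.allowed:
            return {}
        self.mac_table[self._key(vlan, frame.src)] = in_port
        learned = None if frame.dst == BROADCAST else self.lookup(vlan, frame.dst)
        # unknown destination or broadcast: flood; otherwise use the learned port
        candidates = [n for n in self.ports if n != in_port] if learned is None else [learned]
        out = {}
        for name in candidates:
            p = self.ports[name]
            if name == in_port or vlan not in p.allowed:
                continue  # egress membership check keeps the two VLANs apart
            out[name] = Frame(frame.src, frame.dst, None if p.strip_on_egress else vlan)
        return out


def build_switch(independent_learning):
    def access(name, vid):
        return Port(name, vid, frozenset({vid}), True)
    trunk = Port("switch1-cpu", None, frozenset({100, 200}), False)
    return Switch([access("ether1", 100), access("ether2", 100),
                   access("ether3", 200), access("ether4", 200), access("ether5", 200),
                   trunk], independent_learning)


def isolation_demo():
    """Untagged broadcast from the PC on ether2 reaches only VLAN-100 ports;
    the CPU trunk sees it tagged 100, ether1 sees it untagged."""
    sw = build_switch(independent_learning=True)
    out = sw.forward("ether2", Frame("02:00:00:00:00:02", BROADCAST))
    return sorted(out), out["switch1-cpu"].vlan, out["ether1"].vlan


def same_mac_demo(independent_learning):
    """One MAC (constructed) active in VLAN 100 on ether1 and in VLAN 200 on ether3:
    where does a VLAN-100 frame addressed to it go?"""
    sw = build_switch(independent_learning)
    shared = "02:00:00:00:00:aa"
    sw.forward("ether1", Frame(shared, BROADCAST))   # learned in VLAN 100
    sw.forward("ether3", Frame(shared, BROADCAST))   # learned again in VLAN 200
    out = sw.forward("ether2", Frame("02:00:00:00:00:02", shared))
    return sw.lookup(100, shared), sorted(out)


if __name__ == "__main__":
    print("isolation:        ", isolation_demo())
    print("shared table:     ", same_mac_demo(False))
    print("independent table:", same_mac_demo(True))
```

With a single shared table the second learning event overwrites the first, so the VLAN-100 lookup points at ether3; in this model the egress membership check then drops the frame instead of delivering it. With per-VLAN tables the entry for (100, MAC) is untouched and the frame leaves ether1 untagged. Whether a real chip drops or leaks such a misforwarded frame depends on its egress filtering, which the thread does not settle; the model only shows why the per-VLAN table avoids the misforwarding in the first place.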
 
mkx
Forum Guru
Posts: 13033
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help setting up (VLAN?)

Sat Jan 16, 2021 3:22 pm

Basically forget about the vlan-header= setting
While you can forget about the setting on said switch chips (BTW, I have one of them as well), the correct setting for an access port (which should egress only untagged frames) is vlan-header=always-strip nonetheless.

Regarding the reset button: some devices have an additional reset method: an area on the printed board with two contacts, and if these contacts are shorted (e.g. using an appropriately-sized screw driver), configuration is reset. Check if your particular device features the same.
 
medi01
just joined
Topic Author
Posts: 23
Joined: Wed Jun 20, 2018 9:49 am

Re: Need help setting up (VLAN?)

Sun Jan 17, 2021 11:37 am

Basically forget about the vlan-header= setting
While you can forget about the setting on said switch chips (BTW, I have one of them as well), the correct setting for access port (which should egress only untagged frames) is vlan-header=always-strip none the less.
In the switch configuration block:
# Applies only to packets leaving the switch? (egress?)
/interface ethernet switch port
set 0 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure   # eth1
set 1 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure   # eth2
# special warning for the next 3 lines!!!!! (see text below)
set 2 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure   # eth3
set 3 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure   # eth4
set 4 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure   # eth5

# Applies to packets that need to traverse the switch, restricting rules on what could go where
/interface ethernet switch vlan
add switch=switch1 independent-learning=yes ports=switch1-cpu,ether1,ether2 vlan-id=100
add switch=switch1 independent-learning=yes ports=switch1-cpu,ether3,ether4,ether5 vlan-id=200

# special warning for the next line!!!!! (see text below)
/interface ethernet switch port
set 5 vlan-mode=secure  # switch1-cpu
Why does switch1-cpu need no default-vlan-id? (of all VLAN settings in Mikrotik, CPU confuses me the most)

What happens if I leave bridge configuration as is (at the moment, eth1 is not part of it)? I assume creating a bridge implicitly configures switch chip (applying rules... not shown?). So, presumably, unless I change bridge config, switch will do its job, without CPU knowing it?
This question has practical implications, as Eth1 might be public internet in my other use case.
 
mkx
Forum Guru
Posts: 13033
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need help setting up (VLAN?)

Sun Jan 17, 2021 11:55 am

On all but CRS3xx devices bridge settings don't affect the way switch chip is configured. They (switch chip and bridge) act independently[*] but may mess with each other, hence best is to use one of them in "plain" configuration. Which in your case means you should not configure vlan-related stuff on bridge.
Switch-chip interface switch1-cpu is essentially the sixth interface on the switch chip and is connected to the CPU. Whatever you configure on it affects the ability of ROS to interact with VLANs on ethernet ports. Unless you're on the paranoid side you configure that interface as a trunk interface (without PVID aka default vlan) and deal with vlans using vlan interfaces created off the bridge (or individual ether interfaces on those not members of the bridge). You can skip the security settings on the switch1-cpu interface as well if you're not 110% sure you've got everything correct, because messing up the settings here is the express way to losing management access to the whole device (unless you have wireless set up to offer access).

[*] Not entirely true, bridge does reconfigure switch chip when ports get assigned to bridge. Which includes configuring switched port groups - if you don't create a bridge and add ports to the same bridge, switch chip won't pass traffic between ports even though the exposed part of config would allow it. However you don't see most of the config bridge does, because if device has a Qualcomm switch chip it offers special meta-data for bridge to determine in-interface (and set out-interface) for every frame. If device uses a switch chip by other vendors, VLAN setup is not available in ROS because ROS "abuses" vlan tags for determining ingress (and setting egress) interface.
