Hi,
I have recently stepped into a deeper VLAN configuration and turns out I might lost one important piece somewhere along the way.
The situation:
We are in the network of another company (let's call them Contoso) which is subletting a part of a warehouse to us. Therefore Internet is provided by the Contoso itself, not an ISP.
They have an optical cable leading to our rack and they are doing the usual NAT thing to our router via their UniFi USG.
The kicker is that there's also an office on the opposite side of the warehouse, part of which is also sublet to us. This office has all the wall network plugs leading to the Contoso's rack so there's no easy way for us to physically conenct our part of the warehouse with our offices on the other side.
We have agreed with their IT manager to set up VLANs to solve this.
The idea was to use one VLAN (10) for LAN-to-LAN connection (warehouse to offices) and another VLAN (11) for our Internet access - both of these VLANs would run through the optical connection to our router (sfp-sfpplus1).
Here's the setup picture:
https://imgur.com/a/HRvffIm
My initial thought was to do it "like I always did", i.e. to:
1) Create two VLAN interfaces on the sfp-sfplus1 interface (IDs 10, 11).
2) Enable DHCP client on the VLAN 11 interface, get Internet.
3) Create local bridge for all Ethernet ports.
4) Put the VLAN 10 interface into the bridge.
5) Profit
Somehow once I put the VLAN 10 interface into the bridge, the Internet stopped working so that was probably a mistake.
Then I went on and read most of these articles:
https://help.mikrotik.com/docs/display/ ... getreemode
and most notably this one:
https://help.mikrotik.com/docs/display/ ... linterface
So I changed the settings in the following way according to the wiki:
1) Deleted everything to start from scratch.
2) Created a bridge and enable VLAN filtering on it.
3) Added sfp-sfpplus1 to the bridge, PVID 1.
4) Added all Ethernet ports to the bridge, PVID 10.
5) In the Bridge > VLANs section I added these records:
5.1) VLAN 10 / tagged: sfp-sfpplus1 / untagged: all ethernet ports (though this might be redundant as these ports will be added according to the PVID perhaps?)
5.2) VLAN 11 / tagged: sfp-sfpplus1 / untagged: none
This setup left me with several problems:
1) There was no interface to run the DHCP client on. Should there be a dedicated VLAN interface? No guides on the Misconceptions site mentioned this.
2) The local network communication seems to be somewhat b0rked, random pings lost (like - 30 %, mostly unusable).
So... to sum it up:
Consider that we have a router with an uplink interface and we want to:
1) Get Internet connection (DHCP Client) over the uplink interface, via one tagged VLAN (could be untagged too).
2) Connect via another tagged VLAN over the uplink interface to a remote LAN AND ALSO bridge this VLAN to our local network.
The router in question is CRS326-24G-2S+ with RouterOS v7.3.1 and firmware 7.3.1.
What is the correct way to achieve this?
Hopefully I managed to describe the problem succinctly, if not, please, do let me know, I'd be happy to add any missing details.
Thank you.
Re: VLANs - use one interface as a trunk and also for the Internet access (while bridging)
Bridges have an implicit bridge-to-CPU port which provides access from all of the other bridge ports to IP resources (e.g. DHCP, routing, etc.) on the Mikrotik itself, see viewtopic.php?t=173692
You need to include this port in the bridge VLAN membership
/interface bridge vlan
add bridge-bridge-lan tagged=bridge-lan,sfp-sfpplus1 untagged=ether1,...,ether24 vlan-ids=10
add bridge-bridge-lan tagged=bridge-lan,sfp-sfpplus1 vlan-ids=11
and create VLAN wrappers connected to this port, e.g.
/interface vlan
add name=vlan10 interface=bridge-lan vlan-id=10
add name=vlan11 interface=bridge-lan vlan-id=11
then attach IP addresses, DHCP servers, clients, etc. to these interfaces.
You need to include this port in the bridge VLAN membership
/interface bridge vlan
add bridge-bridge-lan tagged=bridge-lan,sfp-sfpplus1 untagged=ether1,...,ether24 vlan-ids=10
add bridge-bridge-lan tagged=bridge-lan,sfp-sfpplus1 vlan-ids=11
and create VLAN wrappers connected to this port, e.g.
/interface vlan
add name=vlan10 interface=bridge-lan vlan-id=10
add name=vlan11 interface=bridge-lan vlan-id=11
then attach IP addresses, DHCP servers, clients, etc. to these interfaces.
Re: VLANs - use one interface as a trunk and also for the Internet access (while bridging)
Hi tdw,
thank you for the quick reply. I'll read on the mysteries thread, will try to change the setup on Thursday and will report back.
Thanks!
thank you for the quick reply. I'll read on the mysteries thread, will try to change the setup on Thursday and will report back.
Thanks!
Re: VLANs - use one interface as a trunk and also for the Internet access (while bridging)
It is not clear what the consolto is providing.
Do their vlans provide you with DHCP service?
In other words if you connect with your PC on either vlan will they get an IP address from their Router???
or are they simply providing you one IP address/gateway etc for each vlan and no dhcp service.
Drawing a network diagram may be helpful.............
I imagine they have a trunk port carrying both vlans to your router.
Their firewall rules for the internet vlan would allow traffic from vlan11 to the internet ( or trunk port to the internet ), not sure on the other vlan..............
Assuming a closed loop, trunk port to your router and trunk port to office switch with no access elsewhere??
Do their vlans provide you with DHCP service?
In other words if you connect with your PC on either vlan will they get an IP address from their Router???
or are they simply providing you one IP address/gateway etc for each vlan and no dhcp service.
Drawing a network diagram may be helpful.............
I imagine they have a trunk port carrying both vlans to your router.
Their firewall rules for the internet vlan would allow traffic from vlan11 to the internet ( or trunk port to the internet ), not sure on the other vlan..............
Assuming a closed loop, trunk port to your router and trunk port to office switch with no access elsewhere??