ISP connection for each CRS, but traffic is always sent through 1st CRS

NeonStre · Sat Jan 07, 2023 2:40 am

I've run out of network ports on my current CRS328 and decided to expand by adding a CRS354. I am using one SFP+ port for a trunk to carry my VLANs to the new device. Works fine! Each client gets on the correct network and has access to what it should have. Very happy about that so far.

My plan is to avoiding all my WAN traffic passing through the trunk port by adding a link from the CRS354 directly to my ISPs router on its 2nd port. While the first port is used by my existing CRS. Is this actually doable? I seem to be failing after spending half my day and night on this.Obviously something is missing with the implementation or my thoughs. I can't seem to figure it out by myself and would like to ask for assistance please.

My thoughts for attempting this were:

To add a DHCP client on the port connected to me ISP router

Take the port off of the bridge

Create a VLAN interface and assign it a static IP

Add a route from my VLANs IP to the one provided by the ISP router

I hope someone can share insights or maybe has a similar setup already working?

Devices are used and config provided for the CRSs

ISP Router

CRS328-24P-4S+Existing device. Connects via trunk port to the new one

CRS354-48G-4S+2Q+ (new)

CRS328 config - for better readability I [...] repetitive actions like naming or vlan tagging for access ports.

/interface bridge
add auto-mac=yes fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-main vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Fritz!Box" name=e1-179
set [ find default-name=ether2 ] comment="LTE Antenne" advertise=100M-half,100M-full,1000M-half,1000M-full disabled=yes name=e2-LTE
set [ find default-name=ether3 ] comment="TV area switch" name=e3-Extender
[...]
set [ find default-name=sfp-sfpplus3 ] comment="Uplink new CRS" advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full name=sfp3-trunk-uplink speed=10Gbps
	
/interface vlan
add comment="LTE VLAN" interface=bridge-main name=vlan20-LTE vlan-id=20
add comment=Telefon interface=bridge-main name=vlan30-Telefon vlan-id=30
add comment="Monitor VLAN" interface=bridge-main name=vlan99-MGMT vlan-id=99
add comment=Server interface=bridge-main name=vlan181-Server vlan-id=181
add comment="Client" interface=bridge-main name=vlan201-Haus vlan-id=201
add comment="Guest VLAN" interface=bridge-main name=vlan220-Guest vlan-id=220

/ip pool
add name=dhcp_pool-server ranges=192.168.181.100-192.168.181.254
add name=pool-mgmt ranges=192.168.0.100-192.168.0.254
add name=dhcp_guest ranges=192.168.220.2-192.168.220.254
add name=dhcp_haus ranges=192.168.201.2-192.168.201.254
add name=dhcp_telefon ranges=192.168.30.10-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool-server disabled=no interface=vlan181-Server lease-script=dhcp-hostname_update name=dhcp-server
add address-pool=pool-mgmt disabled=no interface=vlan99-MGMT lease-script=dhcp-hostname_update name=dhcp-mgmt
add address-pool=dhcp_guest disabled=no interface=vlan220-Guest lease-script=dhcp-hostname_update name=dhcp-guest
add address-pool=dhcp_haus disabled=no interface=vlan201-Haus lease-script=dhcp-hostname_update name=dhcp-haus
add address-pool=dhcp_telefon disabled=no interface=vlan30-Telefon lease-script=dhcp-hostname_update name=dhcp-telefon

/interface bridge port
add bridge=bridge-main comment="Internet - FritzBox Netzwerk" disabled=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=e1-179
add bridge=bridge-main comment="LTE" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=e2-LTE
add bridge=bridge-main comment="TV area Switch" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=e3-Extender
[..]
add bridge=bridge-main comment=" Uplink" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp3-trunk-uplink
[..]
add bridge=bridge-main comment=Server frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan181-Server pvid=181
add bridge=bridge-main comment="VLAN LTE" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan20-LTE pvid=20
add bridge=bridge-main comment="Guest WLAN" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan220-Guest pvid=220
add bridge=bridge-main comment="Clients" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan201-Haus pvid=201

/ip settings
set tcp-syncookies=yes

/interface bridge vlan
add bridge=bridge-main tagged="bridge-main,e3-Extender,e4-AP-EG,sfp3-trunk-uplink,sfp2-trunk,e5-AP-UG" vlan-ids=181
add bridge=bridge-main tagged="e3-Extender,e4-AP-EG,e5-AP-UG,e2-LTE,bridge-main,sfp3-trunk-uplink,sfp2-trunk" vlan-ids=99
add bridge=bridge-main tagged=e2-LTE,bridge-main vlan-ids=20
add bridge=bridge-main tagged=e4-AP-EG,e5-AP-UG,e3-Extender,bridge-main vlan-ids=220
add bridge=bridge-main tagged=bridge-main,sfp3-trunk-uplink vlan-ids=201
add bridge=bridge-main tagged=bridge-main,e3-Extender vlan-ids=30

/interface list member
add comment="Internet" interface=e1-179 list=WAN
add comment="LTE" interface=vlan20-LTE list=WAN
add interface=vlan99-MGMT list=MGMT
add interface=vlan201-Haus list=HAUS
add interface=vlan181-Server list=SERVER
add interface=vlan220-Guest list=GUEST
add interface=vlan30-Telefon list=TELEFON
add interface=e2-LTE list=LAN
add interface=e3-Extender list=LAN
add interface=e5-AP-UG list=LAN
add interface=e4-AP-EG list=LAN

/ip address
add address=192.168.181.1/24 comment=Server interface=vlan181-Server network=192.168.181.0
add address=192.168.0.1/24 comment=Monitor interface=vlan99-MGMT network=192.168.0.0
add address=192.168.177.2/24 comment=LTE interface=vlan20-LTE network=192.168.177.0
add address=192.168.220.1/24 comment="Guest WLAN" interface=vlan220-Guest network=192.168.220.0
add address=192.168.201.1/24 comment="Clients" interface=vlan201-Haus network=192.168.201.0
add address=192.168.30.1/24 comment=Telefon interface=vlan30-Telefon network=192.168.30.0

/ip dhcp-client
add add-default-route=no comment="Internet via FritzBox" disabled=no interface=e1-179 use-peer-dns=no

/ip dhcp-server network
add address=192.168.0.0/24 comment=Monitor dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.30.0/24 comment=Telefon dns-server=192.168.30.1,1.1.1.1 gateway=192.168.30.1 ntp-server=192.168.30.1
add address=192.168.181.0/24 comment=Server dns-server=192.168.181.1,1.1.1.1 gateway=192.168.181.1
add address=192.168.201.0/24 comment=Clients dns-server=192.168.201.1 gateway=192.168.201.1 ntp-server=192.168.201.1
add address=192.168.220.0/24 comment="Guest WiFi" dns-server=192.168.220.1,1.1.1.1 gateway=192.168.220.1 ntp-server=192.168.220.1

[Don't worry there are firewall rules. I disabled all of those for this test though.]

/ip route
add distance=1 gateway=192.168.176.1

/system ntp client
set enabled=yes primary-ntp=62.108.36.235 secondary-ntp=207.180.204.206

/system ntp server
set enabled=yes multicast=yes

CRS354

/interface bridge
add auto-mac=yes comment="Main Bridge" fast-forward=no frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
add comment="Management Bridge" mtu=1500 name=bridge-mgmt
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] comment="Uplink"

/interface vlan
add interface=bridge name=vlan99-MGMT vlan-id=99
add interface=bridge name=vlan181-Server vlan-id=181

/interface bridge port
add bridge=bridge comment="ISP Router Port 2" disabled=yes interface=ether1
add bridge=bridge comment="Server" frame-types=admit-only-untagged-and-priority-tagged interface=e2 pvid=181
[...]
add bridge=bridge comment="Server" frame-types=admit-only-untagged-and-priority-tagged interface=e13 pvid=200
[...]
add bridge=bridge comment="Uplink to CRS328" frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2

/interface vlan
add interface=bridge name=vlan99-MGMT vlan-id=99
add interface=bridge name=vlan181-Server vlan-id=181

/interface bridge vlan
add bridge=bridge comment="Monitor VLAN" tagged=bridge,sfp-sfpplus2 untagged=e48-V201 vlan-ids=99
add bridge=bridge comment="Server VLAN" tagged=bridge,sfp-sfpplus2 vlan-ids=181
add bridge=bridge comment="Client VLAN" tagged=bridge,sfp-sfpplus2 vlan-ids=201

/ip address
add address=192.168.88.1/24 comment="Management Local" interface=bridge-mgmt network=192.168.88.0
add address=192.168.0.8/24 comment="Monitor VLAN" interface=vlan99-MGMT network=192.168.0.0
add address=192.168.181.2/24 interface=vlan181-Server network=192.168.181.0

/ip dhcp-client
add interface=e1

/ip dns
set servers=1.1.1.1,8.8.8.8,192.168.176.1

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.176.1 pref-src=192.168.176.22 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
#192.168.176.22 is an IP I recieve via DHCP from my IPSs router but is configured to be static there.

I added an illustration to hopefully better convey the topic. Thank you for your thoughts and ideas.

sup5 · Tue Jan 10, 2023 11:54 pm

Why is e1 member of the bridge?

Looks like a Layer-2-Loop / Spanning-Tree problem to me.

NeonStre · Fri Jan 13, 2023 12:38 pm

Thanks for the hint. Yesterday evening I was able to continue investigating and the actual resolution turned out to be a wrong gateway.

As long as the gateway was set to my old device, traffic would of course go through there. I changed the gateway to the new device and everything worked as intended. Now I just need to spend some time on the weekend to distribute the gateways according to the clients plugged into each CRS.

ISP connection for each CRS, but traffic is always sent through 1st CRS

ISP connection for each CRS, but traffic is always sent through 1st CRS

Re: ISP connection for each CRS, but traffic is always sent through 1st CRS

Re: ISP connection for each CRS, but traffic is always sent through 1st CRS