MikroTik

Posted: **Fri May 25, 2018 12:31 pm**

Hi,
I´ve got an issue with my VLAN configuration: The client is connected to 172.16.10.0/24

- If I connect the client to ether3, Winbox can connect to the RB Board via MAC
- If I connect the client to a port on my external switch (Cisco SG250) through the configured trunk (SFP-Port) the WinBox Tool cannot connect to the RB. I also use VLAN10.

I also disabled all firewll rules but it still does not work. What is the reason and why can I connect to the RB via "local Port: ether 3" but not via switch connceted via the SFP trunk. I do not understand this.

Here is my config:

# may/25/2018 11:18:33 by RouterOS 6.42.2

/interface bridge
add fast-forward=no name=br_vlan vlan-filtering=yes
/interface vlan
add interface=br_vlan name=vlan1 vlan-id=1
add interface=br_vlan name=vlan10 vlan-id=10
add interface=br_vlan name=vlan20 vlan-id=20
add interface=br_vlan name=vlan99 vlan-id=99
/interface list
add name=WAN
add name=LAN

/ip pool
add name=pool_admin ranges=172.16.1.101-172.16.1.199
add name=pool_vlan10 ranges=172.16.10.100-172.16.10.199
add name=pool_vlan20 ranges=172.16.20.100-172.16.20.199
add name=pool_vlan99 ranges=192.168.1.100-192.168.1.199
/ip dhcp-server
add address-pool=pool_admin disabled=no interface=vlan1 name=dhcp_admin
add address-pool=pool_vlan10 disabled=no interface=vlan10 name=dhcp_vlan10
add address-pool=pool_vlan20 disabled=no interface=vlan20 name=dhcp_vlan20
add address-pool=pool_vlan99 disabled=no interface=vlan99 name=dhcp_vlan99
/interface bridge port
add bridge=br_vlan hw=no interface=sfp1
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=20
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10 pvid=99

/interface bridge vlan
add bridge=br_vlan tagged=br_vlan,vlan1 untagged=sfp1 vlan-ids=1
add bridge=br_vlan tagged=sfp1,br_vlan,vlan10 untagged=ether3 vlan-ids=10
add bridge=br_vlan tagged=sfp1,br_vlan,vlan20 untagged=ether4 vlan-ids=20
add bridge=br_vlan tagged=sfp1,br_vlan,vlan99 untagged=ether10 vlan-ids=99

/interface list member
add interface=ether1 list=WAN
add interface=br_vlan list=LAN
/ip address
add address=172.16.1.1/24 interface=vlan1 network=172.16.1.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.20.1/24 interface=vlan20 network=172.16.20.0
add address=192.168.1.1/24 interface=vlan99 network=192.168.1.0

Christian

Posted: **Fri May 25, 2018 3:45 pm**

This is my thinking, and I might be totally wrong:

The way you have configured VLAN's is like software based, i.e. emulating VLAN in layer 3 scenario.

The reason it works when you directly connect to port 3, is you are directly connected on layer 2 to the MAC of the interface, but coming from the switch behind, as per above, layer 2 data will not traverse layer 3

Posted: **Fri May 25, 2018 6:21 pm**

Hi,
hm! I cannot believe this because it means that VLAN setup over a trunk would not work correctly. I think, it must be the same, wether I put the Client on the "local" Ether3 nor annother port on a connected switch in the same VLAN. I guess that my configuration is not correct. Can someone shed some light on this?

BTW:
If I connect the Client to VLAN1 it works on the Local Port ether2 and on a VLAN1 Port of the connected Switch.

Christian

Posted: **Sat May 26, 2018 2:56 pm**

Try the following changes and test?

Under /interface bridge port, change VLAN frame types to be "Admit All"

Under /interface bridge vlan, remove the vlanxx from the tagged properties and make sfp1 tagged for vlan1

Posted: **Mon May 28, 2018 11:22 am**

Hi,
thanks for the reply. Before I change this as described above, I would like to understand what happens:
VALN1 is my admin/default LAN. My concerns are that I'm losing access to the Swich itself, if I tagg sfp1 for VLAN 1 The switch IP is 172.16.1.13.

I also learned from this tutorial (https://www.administrator.de/wissen/mik ... 67186.html) (Nr.4) that:

Always define the bridge as tagged port !

VLAN Port always tagged.

Devices Ports always Untagged

VLAN 1 (the default VLAN) on the trunk port to the switch inm y case sfp1) always Untagged !
(VLAN 1 is the default VLAN or native VLAN to the switch and therefore always untagged!

So, what will happen if I change this in the way you described?

Christian

In addition:
maybe I am on the wrong way. Therefore I wanted to explain, what I am going to do:

RB3011 should provide multiple VLANS for the Cisco switch enviroment connected via RB-SFP-Trunk. Defaulf VLAN is VLAN1 and provides a network for all managed "Network Devices" (e.g. RB3011, Cisco SG250, SG200, SG250-10P).
Ether1 of the RB3011 is my WAN interface.
SFP is the Trunk Port to the first switch (2nd SFP-Port of the 1st Cisco switch is connected to the next Cisco Switch and so on...)

My expectation was:

without any Firewall rule, RB3011 routes everything between the different Subnets/VLANs including the traffic for VLAN1, independent of the Ethernet Port (no matter if this is on RB or on the Cisco).

Later on Firewall rules should limitted the traffic between the VLANS (e.g. only VLAN10 can access VLAN1).

Questions:

are my expectations correct, or is Is my thinking faulty?

is the configuration with bridged based VLANs the correct way in terms of performance and firewalling?

Christian

Posted: **Mon May 28, 2018 3:26 pm**

sfp port is your trunk port between RB and Cisco switch, so should be tagged. You can then create an Access Port as member of VLAN1 on the Cisco switch in order to access the RB.

You can also add as example Port 5 of the RB as untagged on VLAN 1, then you should have access to the RB via that port.

I am not sure what the link you posted is trying to do, but to me it seems a lot of unnecessary configs, the example you should be following is this:

https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

Posted: **Mon May 28, 2018 4:46 pm**

Hi CZFan,
thanks for reply. If I understood correctly:

I have to configure my DEFAULT VLAN1 in the same way as I did for VLAN10, VLAN20 and VLAN99

I will have access to any Switch behind RB via an untagged VLAN1-Port on RB or on one of the Cisco Switches.

This means:

I have only tagged VLANs in the Trunk.

If the RB dies and the Trunk is off, I will not be able to access the Infrastructure behind the RB,unless I will configure one untagges Port in VLAN1 on one of my Cisco's behind the RB.

Is this the correct understanding?

Question:

Why is it not useful to configure an untagged VLAN over the Trunk?

Sorry for my doggedness, but I try to understand the VLAN stuff

Regards,
Christian

Posted: **Mon May 28, 2018 8:10 pm**

Apologies, I was of the understanding that you can only pass tagged traffic via a trunk port, after reading below, it seems you can pass untagged traffic over trunk, but only the native vlan. The trunk port will tag all tag all untagged traffic with the default / native vlan id.

https://www.cisco.com/c/en/us/td/docs/s ... _00111.pdf

Before I steer you off the road, I suggest you do a search on @sindy posts, couple of write ups re vlans (I think I am going to reread some of them myself again)

Posted: **Mon May 28, 2018 11:36 pm**

Hi,
thank you!. I think, I wasn't clear enough regarding the main issue:

Everything is fine with the VLANS and I can use all of them on the RB and on the Cisco Switches. The only thing which does not work, is the Winbox TooI in VLANnn (ne VLAN1) on the Switch. This is what I do not understand. Why is it working on he RB in a "foreign" VLAN (VLANnn not equal VLAN1) but not in the same VLAN on the Switch? What is different between the VLANs on RB and on the Switch?
As I said, everything else seems to be running fine.

Maybe someone can explain this strangely behaviour.
Christian

Posted: **Wed May 30, 2018 2:47 pm**

Hi everybody,
it is very mysterious, because it works now!

I have configured 4 Networks on the RB3011

VLAN1: 172.16.1.0/24 (DEFAULT)
VLAN10: 172.16.10/24
VLAN20: 172.16.20.0/24
VLAN99: 192.168.1.0/24

If you start Winbox, you can access the RB over the following addresses:

172.16.1.1
172.16.10.1
172.16.20.1
192.168.1.1

But you cannot connect it via MAC Address, because the MAC-Address is not routable! This seems to be correct!

Questions:

Is this a normal behavior of the RB, that you can reach it via GW-Address if the client is in the specific network and GW-Address is configured in DHCP-Server Options?
Does it also mean, that the GW Address of the specific Network is also my DNS Server, if I configure
1. a DNS Server on RB?
2. the GW-Address of the specific network in the DHCP-Server Options

Christian

Posted: **Wed May 30, 2018 4:48 pm**

Is this a normal behavior of the RB, that you can reach it via GW-Address if the client is in the specific network and GW-Address is configured in DHCP-Server Options?

Does it also mean, that the GW Address of the specific Network is also my DNS Server, if I configure
a DNS Server on RB?

the GW-Address of the specific network in the DHCP-Server Options

1. It is normal and if that's not desirable, you have to forbid it using FW rules (chain=input in particular). And it works regardless of RB's function in the network. E.g.: if there's a RB device acting solely as WAP, it can still be accessed using WinBox (and WebFig). That device has to be configured with IP address (MAC connection with WinBox doesn't need it), the way of configuring it (static, DHCP) doesn't matter.
2. Yes. Actually DNS address given in DHCP replies could be any if router's addresses and it would still work, it doesn't have to be the same as address of GW given in DHCP replies.

Posted: **Mon Jun 11, 2018 7:13 pm**

Hi,
I am a little bit insecure! I have configured my VLANs on the same bridge (VLAN filtering). Does this mean that the clients in the different VLANs can talk to each other on Layer 2? Isn´t it better to use separte bridges, or is this the correct way?

Regards,
Christian

Posted: **Mon Jun 11, 2018 7:32 pm**

If your input chain rule is drop all at the end,
Then what determines layer3 access via FW rules is the one that states which subnets or lans as you define, can have access to the router (accept).
Typically one uses a source-address-list for this purpose.
So you could put in in-interface-list=LAN and use the source address to narrow it down to which PCs on which subnets is allowed acess to the WInbox.

What I want to know is what is the difference of using the input rule versus the
services rule (where we allow or disable API, ssh, winbox etc.... and which allows one manually put in allowed IP addresses as well.

What do the admins here advise???
-----------------------------------------------------------

So without knowing your rules to the letter, it depends. But you bring up a good point of VLANs on a bridge and whether that connects VLANS on the bridge even though they have different subnets, at layer2 ???? I would think not, but I have discovered on these forums that I am wrong 50% of the time, and the other 50% where I think I am right, I am actually 50% wrong....................

Posted: **Tue Jun 12, 2018 12:57 am**

Hi,
I am a little bit insecure! I have configured my VLANs on the same bridge (VLAN filtering). Does this mean that the clients in the different VLANs can talk to each other on Layer 2? Isn´t it better to use separte bridges, or is this the correct way?

Regards,
Christian

I am sure you meant "unsure" and not insecure

If VLAN's is setup correctly, then they won't be able to talk via layer 2, but will be able to talk to each other via layer 3, ie routing. To prevent this, configure fw rules

Posted: **Tue Jun 12, 2018 1:34 pm**

Hi CZFan,
yes, my RB is insecure and I am unsure.

...and it seems to be that Google translate is sometimes a little bit "unsure" as well!
Thanks for your answer!

This means for bridged VLANs (please find config below):

although the VLANS are on the same bridge, they cannot communicate to each other on Layer 2
without any FW-Rules they can talk to each other on Layer 3,, because the router routes the networks.
to restrict communication FW rules are needed, as discussed in the threads before.

Thanks a lot for clarification,
Christian

Config extract:

# Bridge config:
/interface bridge
add fast-forward=no name=br_vlan vlan-filtering=yes
#
# VLAN config
/interface vlan
add interface=br_vlan name=vlan1 vlan-id=1
add interface=br_vlan name=vlan10 vlan-id=10
add interface=br_vlan name=vlan20 vlan-id=20
add interface=br_vlan name=vlan99 vlan-id=99
#
#
# Bridge Port:
/interface bridge port
add bridge=br_vlan hw=no interface=sfp1
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether2
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=br_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=99

# Bridge VLAN
/interface bridge vlan
add bridge=br_vlan tagged=br_vlan,vlan1 untagged=sfp1 vlan-ids=1
add bridge=br_vlan tagged=sfp1,br_vlan,vlan10 untagged=ether3 vlan-ids=10
add bridge=br_vlan tagged=sfp1,br_vlan,vlan20 untagged=ether4 vlan-ids=20
add bridge=br_vlan tagged=sfp1,br_vlan,vlan99 untagged=ether10 vlan-ids=99

MikroTik

VLAN Issue with RB 3011

VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011

Re: VLAN Issue with RB 3011