LEEHYUNWOO (Topic Author)

The Problem of InterVLAN Construction of RB1100AHx4 and CRS317-1G-16S+

Thu Mar 21, 2019 7:00 pm

Hello, I'm asking you a question because I don't think my VLAN settings are correct.

First of all, I should let you know that we are building an inter-VLAN setup.

I'm Korean, and I am not fluent in English, so I have prepared a picture.
The picture is uploaded under the name "INTERVLAN" as an attachment.

Router and switch are both running RouterOS!

Router device = MikroTik RB1100AHx4
Switch device = MikroTik CRS317-1G-16S+

Router interface [ eth2 – LAN1 ] = trunk port

VLAN ID 20 : 200.168.20.1/24 [ interface eth5,6 [ LAN5,6 ] ] – switch side
VLAN ID 30 : 200.168.30.1/24 [ interface eth9,10 [ LAN9,10 ] ] – switch side

Please take a good look at the commands I tried.

Common settings for router and switch
Security setting
[admin@Mikrotik ] > /ip firewall filter add action=drop chain=input comment="Drop FTP,SSH,Telnet From inbound" dst-port=21,22,23,139,445 protocol=tcp
FastTrack setting
[admin@Mikrotik ] > /ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
[admin@Mikrotik ] > /ip firewall filter add chain=forward action=accept connection-state=established,related


Router [ RB1100AH x4 ] interface name setting
[admin@Mikrotik ] /interface > set [find name=ether1] name=WAN1
[admin@Mikrotik ] /interface > set [find name=ether2] name=LAN1

Router [ RB1100AH x4 ] add a DHCP client on the WAN1 interface

[admin@Mikrotik ] > /ip dhcp-client add interface=WAN1
[admin@Mikrotik ] > /ip dhcp-client print


[admin@Mikrotik ] /ip dhcp-client > enable 0

The IP is allocated on the WAN1 interface through DHCP here.
I also confirmed that the WAN1 interface was activated.

Router [ RB1100AH x4 ] I have set the NAT rule on the WAN1 interface.

[admin@Mikrotik ] > /ip firewall nat add chain=srcnat out-interface=WAN1 action=masquerade

Router [ RB1100AH x4 ] I created the bridge Mikrotik-Trunk using protocol RSTP.

[admin@Mikrotik ] > /interface bridge add name=Mikrotik-Trunk protocol-mode=rstp

RB1100AH X4 interface "ETH2 = LAN1" added to Mikrotik-Trunk.

[admin@Mikrotik ] > /interface bridge port add interface=LAN1 bridge=Mikrotik-Trunk

Create IBM-VLAN and SUPERMICRO-VLAN on the bridge Mikrotik-Trunk.

[admin@Mikrotik ] > /interface vlan add name=IBM-VLAN vlan-id=30 interface=Mikrotik-Trunk
[admin@Mikrotik ] > /interface vlan add name=SUPERMICRO-VLAN vlan-id=20 interface=Mikrotik-Trunk

Assign IP addresses to IBM-VLAN and SUPERMICRO-VLAN
[admin@Mikrotik ] > /ip address add address=200.168.20.1/24 interface=SUPERMICRO-VLAN
[admin@Mikrotik ] > /ip address add address=200.168.30.1/24 interface=IBM-VLAN

Use DNS SERVER as 8.8.8.8 and 8.8.4.4 [Google DNS ].
[admin@Mikrotik ] > /ip dns set servers=8.8.8.8,8.8.4.4

This is where the router RB1100AHx4 setting ends. = RB1100AHx4 setting end!

From here on, switch device [ CRS317-1G-16S+ ] settings!

Set interface names for the switch "CRS317-1G-16S+"
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus1] name=LAN1
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus2] name=LAN2
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus3] name=LAN3
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus4] name=LAN4
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus5] name=LAN5
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus6] name=LAN6
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus7] name=LAN7
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus8] name=LAN8
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus9] name=LAN9
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus10] name=LAN10
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus11] name=LAN11
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus12] name=LAN12
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus13] name=LAN13
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus14] name=LAN14
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus15] name=LAN15
[admin@Mikrotik ] > /interface set [find name=sfp-sfpplus16] name=LAN16

Set bridges "IBM" and "SUPERMICRO" to protocol "RSTP". [ PART : CRS317-1G-16S+ ]
[admin@Mikrotik ] > /interface bridge add name=IBM protocol-mode=rstp
[admin@Mikrotik ] > /interface bridge add name=SUPERMICRO protocol-mode=rstp

Create VLANs "SUPERMICRO-VLAN" and "IBM-VLAN".

[admin@Mikrotik ] > /interface vlan add name=SUPERMICRO-VLAN vlan-id=20 interface=LAN1
[admin@Mikrotik ] > /interface vlan add name=IBM-VLAN vlan-id=30 interface=LAN1

Add the VLAN interfaces to bridges "IBM" and "SUPERMICRO".
[admin@Mikrotik ] > /interface bridge port add interface=SUPERMICRO-VLAN bridge=SUPERMICRO
[admin@Mikrotik ] > /interface bridge port add interface=IBM-VLAN bridge=IBM

[admin@Mikrotik ] > /interface bridge port add interface=LAN5 bridge=SUPERMICRO
[admin@Mikrotik ] > /interface bridge port add interface=LAN6 bridge=SUPERMICRO

[admin@Mikrotik ] > /interface bridge port add interface=LAN9 bridge=IBM
[admin@Mikrotik ] > /interface bridge port add interface=LAN10 bridge=IBM

Assign an IP address to the VLANs "SUPERMICRO-VLAN" and "IBM-VLAN".

[admin@Mikrotik ] > /ip address add address=200.168.20.2/24 interface=SUPERMICRO-VLAN
[admin@Mikrotik ] > /ip address add address=200.168.30.2/24 interface=IBM-VLAN

Finally, the DNS servers were set to 8.8.8.8,8.8.4.4 on the "CRS317-1G-16S+" switch.
[admin@Mikrotik ] > /ip dns set servers=8.8.8.8,8.8.4.4

I've described the problems here. Please take a good look.

Problem 1
VLAN20 (200.168.20.0/24) and VLAN30 (200.168.30.0/24). But VLAN 20 and 30 can ping each other.

Problem 2
The switch "CRS317-1G-16S+" shows the following message (RouterOS update). Error message: "Could not resolve DNS name"

Problem 3
Winbox access to the gateway "RB1100AHx4" is not available (it is available via a web browser, though).

I want to build the inter-VLAN setup through a bridge.
I'd appreciate it if you could correct the commands and reply with instructions for resolving these errors.
 
anav (Forum Guru, Nova Scotia, Canada)

Re: The Problem of InterVLAN Construction of RB1100AHx4 and CRS317-1G-16S+

Thu Mar 21, 2019 7:37 pm

Hi Lee,
No worries, as long as you dont have any small cameras spying on me (kpop). :-)

What you are asking to do is very possible!! Thanks for the very nice diagram!

The best reference I can provide is this link; it has very good examples for what you need.
viewtopic.php?f=13&t=143620

Have a read through that and then come back to ask further questions.
Eventually you will have to post a config for us to look at:
/export hide-sensitive file=yourconfigmar21

Basically the idea on the router is to create one bridge; all your VLANs run on the bridge.
Do not assign DHCP to the bridge; instead assign another VLAN to be your MAIN LAN, call it VLAN11.
The bridge retains its default pvid=1 setting, so we can leave that alone.
Same on the switch: create one bridge, and all the VLANs created are associated with the bridge, etc.

Bridge ports are used to define any ingress rules we need (applicable for access ports, set pvid etc.).
Interface bridge VLAN settings are for egress rules (untagging of access ports) and tagging of VLANs to all required ports.
VLAN 11 should be tagged to the bridges as well.

Good luck, we will see you soon.
 
LEEHYUNWOO (Topic Author)

Re: The Problem of InterVLAN Construction of RB1100AHx4 and CRS317-1G-16S+

Thu Mar 28, 2019 7:20 pm

Hello, anav
I visited the site you pointed me to for the VLAN setting.
Well... and then I redrew the diagram with some changes in composition.
The picture is saved as attachment: 1111.
We have a problem.
The ISP company assured me that I could never use a fixed (static) IP.
Only through DHCP can we obtain a WAN IP address.

Problem 1: After connecting the client to LAN13 on the router and setting the client to 200.168.10.10, the internet works.
But when I connect to the switch on "LAN12 / VLAN30 / 200.168.30.10", there is no internet.
Problem 2: I attempted to ping 8.8.8.8 from the switch terminal, but it outputs "timeout".

Below are some of my new commands.

And I uploaded the setup files for the router and the switch. Please!

"ROUTER : RB1100AH X4 start"
#######################################
# Naming
#######################################

/system identity set name="Router"

#######################################
# Bridge
#######################################

/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=LAN1
add bridge=BR1 interface=LAN2
add bridge=BR1 interface=LAN3
add bridge=BR1 interface=LAN4
add bridge=BR1 interface=LAN5
add bridge=BR1 interface=LAN6
add bridge=BR1 interface=LAN7
add bridge=BR1 interface=LAN8
add bridge=BR1 interface=LAN9
add bridge=BR1 interface=LAN10
add bridge=BR1 interface=LAN11
add bridge=BR1 interface=LAN12
add bridge=BR1 interface=LAN13

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,LAN1,LAN2 vlan-ids=20
add bridge=BR1 tagged=BR1,LAN1,LAN2 vlan-ids=30

#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on a inter-VLAN
/interface vlan add interface=BR1 name=inter-VLAN vlan-id=100
/ip address add address=200.168.10.1/24 interface=inter-VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"

/ip dhcp-client add interface=WAN1
# enable the DHCP client on WAN1 (entry 0)
/ip dhcp-client enable 0

#######################################
# IP Services
#######################################

/interface vlan add interface=BR1 name=SUPERMICRO-VLAN vlan-id=20
/ip address add interface=SUPERMICRO-VLAN address=200.168.20.1/24
/ip pool add name=SUPERMICRO-POOL ranges=200.168.20.2-200.168.20.254
/ip dhcp-server add address-pool=SUPERMICRO-POOL interface=SUPERMICRO-VLAN name=SUPERMICRO-DHCP disabled=no
/ip dhcp-server network add address=200.168.20.0/24 dns-server=200.168.10.1 gateway=200.168.20.1

/interface vlan add interface=BR1 name=IBM-VLAN vlan-id=30
/ip address add interface=IBM-VLAN address=200.168.30.1/24
/ip pool add name=IBM-POOL ranges=200.168.30.2-200.168.30.254
/ip dhcp-server add address-pool=IBM-POOL interface=IBM-VLAN name=IBM-DHCP disabled=no
/ip dhcp-server network add address=200.168.30.0/24 dns-server=200.168.10.1 gateway=200.168.30.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=LAN
/interface list add name=VLAN

/interface list member
add interface=WAN1 list=WAN
add interface=SUPERMICRO-VLAN list=VLAN
add interface=IBM-VLAN list=VLAN

# VLAN aware firewall. Order is important.
/ip firewall filter

##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# add chain=forward action=accept connection-state=new in-interface-list=VLAN comment="VLAN inter-VLAN routing"
add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN2]

# Optional: Change LAN13 to be an admin access port so you can configure the device directly over the inter-VLAN (VLAN 100)
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN13] pvid=100
/interface bridge vlan add bridge=BR1 tagged=BR1 untagged=LAN13 vlan-ids=100

#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

"ROUTER : RB1100 AH x4 END! "

"SWITCH : CRS317-1G-16S+ start"
#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Switch"


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=LAN1
add bridge=BR1 interface=LAN2

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member
# (no entries for VLAN 20/30 exist yet on this switch, so they must be added, not set)
add bridge=BR1 tagged=LAN1,LAN2 vlan-ids=20
add bridge=BR1 tagged=LAN1,LAN2 vlan-ids=30

#######################################
# IP Addressing & Routing
#######################################

# LAN facing Switch's IP address on a inter-VLAN
/interface vlan add interface=BR1 name=inter-VLAN vlan-id=100
/ip address add address=200.168.10.2/24 interface=inter-VLAN

# The Router's IP this switch will use
/ip route add distance=1 gateway=200.168.10.1

#######################################
# VLAN Security
#######################################
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN8]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN10]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN11]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN12]

# Only allow ingress packets WITH tags on Trunk Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN2]

# Allow the BASE_VLAN access over Trunk Ports
/interface bridge vlan add bridge=BR1 tagged=BR1,LAN1,LAN2 vlan-ids=100

# Optional: Change LAN12 to be an admin access port so you can configure the device directly over the inter-VLAN
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN12] pvid=100
/interface bridge vlan set bridge=BR1 tagged=BR1,LAN1,LAN2 untagged=LAN12 [find vlan-ids=100]

"Switch : CRS317-1G-16S+ END!"
anav (Forum Guru, Nova Scotia, Canada)

Re: The Problem of InterVLAN Construction of RB1100AHx4 and CRS317-1G-16S+

Thu Mar 28, 2019 8:17 pm

It appears you have two connections between the router and the switch? Is this true?
Also, please post your configs in this way...
/export hide-sensitive file=yourconfigrouter (from your router) and change your ISP gateway IP and WAN IP to letters
/export hide-sensitive file=yourconfigswitch (from your switch)

You can copy and paste the configs here (I use Notepad++ to open the files).
Also you can use the code icon above (the one with the black square and white square brackets, to the left of the quotation marks, in the text bar where B, I and U are).
Simply select and highlight the code text and click that icon.
 
LEEHYUNWOO (Topic Author)

Re: The Problem of InterVLAN Construction of RB1100AHx4 and CRS317-1G-16S+

Mon Apr 01, 2019 10:33 am

Hello, anav
I read the link you gave me, "Switch with a separate router (RoaS)", downloaded the "RSC" file and applied the corresponding items.

Let me give you a reminder first.

VLAN 100 = MGMT-VLAN
VLAN 20 = SUPERMICRO-VLAN
VLAN 30 = IBM-VLAN

RB1100AHx4 interfaces => WAN1 [ ether1 ], LAN1 [ ether2 ], LAN2 [ ether3 ], LAN3 [ ether4 ], LAN4 ~ LAN12 / LAN3, LAN4 default
CRS317-1G-16S+ interfaces => LAN1 ~ LAN16, ether1 / ether1 default

RB1100AHx4 => trunk interfaces = LAN1, LAN2; client interfaces [ VLAN 100 ] => LAN3 ~ LAN12
CRS317-1G-16S+ => trunk interfaces => LAN1, LAN2; VLAN 20 interfaces => LAN5, LAN6, LAN7, LAN8, LAN13, LAN14; VLAN 30 interfaces => LAN9, LAN10, LAN11, LAN12, LAN15, LAN16


RB1100 AH x4 config
###############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Switch with a separate router (RoaS)
# RouterOS:		6.44.1
# Date:			April 01, 2019
# Notes:		Start with a reset (/system reset-configuration)
# Thanks:		mkx, sindy
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Router"


#######################################
# VLAN Overview
#######################################

# 20 = SUPERMICRO
# 30 = IBM
# 100 = MGMT VLAN


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=LAN1
add bridge=BR1 interface=LAN2
add bridge=BR1 interface=LAN3
add bridge=BR1 interface=LAN4
add bridge=BR1 interface=LAN5
add bridge=BR1 interface=LAN6
add bridge=BR1 interface=LAN7
add bridge=BR1 interface=LAN8
add bridge=BR1 interface=LAN9
add bridge=BR1 interface=LAN10
add bridge=BR1 interface=LAN11
add bridge=BR1 interface=LAN12

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,LAN2,LAN3,LAN4,LAN5,LAN6,LAN7,LAN8,LAN9,LAN10,LAN11,LAN12 vlan-ids=20
add bridge=BR1 tagged=BR1,LAN2,LAN3,LAN4,LAN5,LAN6,LAN7,LAN8,LAN9,LAN10,LAN11,LAN12 vlan-ids=30
add bridge=BR1 tagged=BR1,LAN2,LAN3,LAN4,LAN5,LAN6,LAN7,LAN8,LAN9,LAN10,LAN11,LAN12 vlan-ids=100


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=MGMT-VLAN vlan-id=100
/ip address add address=200.168.10.1/24 interface=MGMT-VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"

# ISP to WAN1 interface DHCP setup
/ip dhcp-client add interface=WAN1
# WAN1 DHCP client enable
/ip dhcp-client enable 0

#######################################
# IP Services
#######################################

# SUPERMICRO VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=SUPERMICRO-VLAN vlan-id=20
/ip address add interface=SUPERMICRO-VLAN address=200.168.20.1/24
/ip pool add name=SUPERMICRO-POOL ranges=200.168.20.2-200.168.20.254
/ip dhcp-server add address-pool=SUPERMICRO-POOL interface=SUPERMICRO-VLAN name=SUPERMICRO-DHCP disabled=no
/ip dhcp-server network add address=200.168.20.0/24 dns-server=200.168.10.1 gateway=200.168.20.1

# IBM VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=IBM-VLAN vlan-id=30
/ip address add interface=IBM-VLAN address=200.168.30.1/24
/ip pool add name=IBM-POOL ranges=200.168.30.2-200.168.30.254
/ip dhcp-server add address-pool=IBM-POOL interface=IBM-VLAN name=IBM-DHCP disabled=no
/ip dhcp-server network add address=200.168.30.0/24 dns-server=200.168.10.1 gateway=200.168.30.1

# Optional: Create a DHCP instance for MGMT-VLAN. Convenience feature for an admin.
# /ip pool add name=MGMT-POOL ranges=200.168.10.10-200.168.10.254
# /ip dhcp-server add address-pool=MGMT-POOL interface=MGMT-VLAN name=MGMT-DHCP disabled=no
# /ip dhcp-server network add address=200.168.10.0/24 dns-server=200.168.10.1 gateway=200.168.10.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=MGMT

/interface list member
add interface=WAN1     list=WAN
add interface=MGMT-VLAN  list=VLAN
add interface=SUPERMICRO-VLAN  list=VLAN
add interface=IBM-VLAN list=VLAN
add interface=MGMT-VLAN  list=MGMT

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow MGMT-VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=MGMT comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN8]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN10]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN11]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN12]

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from MGMT-VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

CRS317-1G-16S+ config
###############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Switch with a separate router (RoaS)
# Web:			https://forum.mikrotik.com/viewtopic.php?t=143620
# RouterOS:		6.44.1
# Date:			April 01, 2019
# Notes:		Start with a reset (/system reset-configuration)
# Thanks:		mkx, sindy
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Switch"


#######################################
# VLAN Overview
#######################################


# 20 = SUPERMICRO
# 30 = IBM
# 100 = MGMT VLAN


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port


# SUPERMICRO VLAN
add bridge=BR1 interface=LAN5 pvid=20
add bridge=BR1 interface=LAN6 pvid=20
add bridge=BR1 interface=LAN7 pvid=20
add bridge=BR1 interface=LAN8 pvid=20
add bridge=BR1 interface=LAN13 pvid=20
add bridge=BR1 interface=LAN14 pvid=20

# IBM VLAN
add bridge=BR1 interface=LAN9 pvid=30
add bridge=BR1 interface=LAN10 pvid=30
add bridge=BR1 interface=LAN11 pvid=30
add bridge=BR1 interface=LAN12 pvid=30
add bridge=BR1 interface=LAN15 pvid=30
add bridge=BR1 interface=LAN16 pvid=30

# egress behavior
/interface bridge vlan

# Blue, Green, Red VLAN
add bridge=BR1 untagged=LAN5,LAN6,LAN7,LAN8,LAN13,LAN14 vlan-ids=20
add bridge=BR1 untagged=LAN9,LAN10,LAN11,LAN12,LAN15,LAN16 vlan-ids=30


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=LAN1
add bridge=BR1 interface=LAN2

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=LAN1,LAN2 [find vlan-ids=20]
set bridge=BR1 tagged=LAN1,LAN2 [find vlan-ids=30]
set bridge=BR1 tagged=BR1,LAN1,LAN2 [find vlan-ids=100]


#######################################
# IP Addressing & Routing
#######################################

# LAN facing Switch's IP address on a MGMT-VLAN
/interface vlan add interface=BR1 name=MGMT-VLAN vlan-id=100
/ip address add address=200.168.10.2/24 interface=MGMT-VLAN

# The Router's IP this switch will use
/ip route add distance=1 gateway=200.168.10.1


#######################################
# IP Services
#######################################
# We have a router that will handle this. Nothing to set here.


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN8]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN10]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN11]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN12]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN13]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN14]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN15]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LAN16]


# Only allow ingress packets WITH tags on Trunk Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN2]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from MGMT-VLAN, the MGMT network
/interface list add name=MGMT
/interface list member add interface=MGMT-VLAN list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

Errors:
Connecting clients to the router and the switch does not provide Internet [ no communication ].

The router and switch are not connected, making it difficult to provide the rsc file.
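The bridge VLAN configs in this thread are easy to get subtly wrong in ways RouterOS does not complain about: a `set ... [find interface=X]` silently changes nothing when X was never added as a bridge port, a trunk port set to `admit-only-vlan-tagged` that appears in no `tagged=` list drops every frame it receives, an `/interface vlan` living on the bridge only passes traffic when the bridge itself is a tagged member of that VLAN, and a port with `ingress-filtering=no` still accepts tagged frames for VLANs it is not a member of. The following Python linter is an added example, not code from this thread, from MikroTik or from the RoaS template; it parses export-style lines and reports those four conditions. `SAMPLE_CFG` is constructed for this example and only modelled on the router config posted above (the port names LAN1/LAN2/LAN3/LAN5, the bridge name BR1 and the VLAN IDs are assumptions, and LAN1 is deliberately left out of the tagged lists to trigger the trunk finding).

```python
"""Lint a RouterOS bridge-VLAN export for the mistakes discussed in this thread."""
import re
import shlex
from collections import defaultdict

FIND_RE = re.compile(r"\[find\s+([^\]]*)\]")

# Constructed sample, loosely modelled on the posted router config (not a verbatim copy).
# LAN1 and LAN2 are trunks that admit only tagged frames, but only LAN2 is in the tagged
# lists; LAN3 is referenced by 'set' without ever being added to the bridge; VLAN 100 has
# an IP interface on BR1 but BR1 is not a tagged member of it.
SAMPLE_CFG = """
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
/interface bridge port
add bridge=BR1 interface=LAN1
add bridge=BR1 interface=LAN2
add bridge=BR1 interface=LAN5 pvid=20
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=LAN3]
/interface bridge vlan
add bridge=BR1 untagged=LAN5 vlan-ids=20
set bridge=BR1 tagged=BR1,LAN2 [find vlan-ids=20]
add bridge=BR1 tagged=BR1,LAN2 vlan-ids=30
add bridge=BR1 tagged=LAN2 vlan-ids=100
/interface vlan add interface=BR1 name=SUPERMICRO-VLAN vlan-id=20
/interface vlan add interface=BR1 name=IBM-VLAN vlan-id=30
/interface vlan add interface=BR1 name=MGMT-VLAN vlan-id=100
/interface bridge set BR1 vlan-filtering=yes
"""


def _kv(tokens):
    """Turn ['a=b', 'c=d'] into {'a': 'b', 'c': 'd'}; tokens without '=' are ignored."""
    return dict(t.split("=", 1) for t in tokens if "=" in t)


def parse_routeros(text):
    """Parse export-style lines into {menu path: [entry dict, ...]}.

    'set' merges its properties into every entry matched by [find k=v] or by a positional
    name. Like RouterOS itself it does nothing when nothing matches; such no-ops are
    recorded under the pseudo-path '_noop_set' so the linter can report them.
    """
    sections = defaultdict(list)
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector = None
        m = FIND_RE.search(line)
        if m:
            selector = _kv(m.group(1).split())
            line = line[: m.start()] + line[m.end():]
        tokens = shlex.split(line)
        if tokens[0].startswith("/"):
            i = 0
            while i < len(tokens) and tokens[i] not in ("add", "set"):
                i += 1
            path, tokens = " ".join(tokens[:i]), tokens[i:]
            if not tokens:  # a bare path line only changes the current menu
                continue
        verb, args = tokens[0], tokens[1:]
        props = _kv(args)
        if verb == "add":
            sections[path].append(props)
        elif verb == "set":
            if selector is None:
                positional = [a for a in args if "=" not in a]
                selector = {"name": positional[0]} if positional else {}
            hits = [e for e in sections[path]
                    if selector and all(e.get(k) == v for k, v in selector.items())]
            for e in hits:
                e.update(props)
            if not hits:
                sections["_noop_set"].append({"path": path, **selector})
    return sections


def _members(entry, key):
    return {x for x in entry.get(key, "").split(",") if x}


def lint_bridge_vlans(cfg):
    """Return human-readable findings; an empty list means the VLAN plumbing is consistent."""
    findings = []
    vtable = cfg.get("/interface bridge vlan", [])
    bridge_names = {b["name"] for b in cfg.get("/interface bridge", [])}
    for br in cfg.get("/interface bridge", []):
        if br.get("vlan-filtering") != "yes":
            findings.append(f"BRIDGE-NOT-FILTERING {br['name']}: the VLAN table is not enforced")
    for p in cfg.get("/interface bridge port", []):
        name, br = p["interface"], p["bridge"]
        tagged_in = [v["vlan-ids"] for v in vtable if v.get("bridge") == br and name in _members(v, "tagged")]
        if p.get("frame-types") == "admit-only-vlan-tagged" and not tagged_in:
            findings.append(f"TRUNK-NO-VLAN {name}: admits only tagged frames but is a tagged member of no VLAN, so every frame from it is dropped")
        if p.get("ingress-filtering", "no") != "yes":
            findings.append(f"NO-INGRESS-FILTER {name}: tagged frames for VLANs this port is not a member of are still accepted")
    for vif in cfg.get("/interface vlan", []):
        br, vid = vif["interface"], vif["vlan-id"]
        ok = any(v.get("bridge") == br and v["vlan-ids"] == vid and br in _members(v, "tagged") for v in vtable)
        if br in bridge_names and not ok:
            findings.append(f"L3-BRIDGE-NOT-TAGGED {vif['name']}: bridge {br} is not a tagged member of VLAN {vid}, so this IP interface cannot send or receive")
    for s in cfg.get("_noop_set", []):
        what = ", ".join(f"{k}={v}" for k, v in s.items() if k != "path")
        findings.append(f"NOOP-SET {s['path']} set [find {what}] matched nothing and changed nothing")
    return findings


if __name__ == "__main__":
    for finding in lint_bridge_vlans(parse_routeros(SAMPLE_CFG)):
        print(finding)
```

Run it against a real `/export` by reading the file into `parse_routeros` instead of `SAMPLE_CFG`; the parser only understands `add`/`set` lines with `key=value` arguments and `[find key=value]` selectors, which is all the configs in this thread use. On the sample it reports the trunk with no VLAN membership, the unfiltered access port, the bridge missing from VLAN 100's tagged list, and the no-op `set` on LAN3.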
 
anav (Forum Guru, Nova Scotia, Canada)

Re: The Problem of InterVLAN Construction of RB1100AHx4 and CRS317-1G-16S+  [SOLVED]

Mon Apr 01, 2019 5:57 pm

Below, I discuss your setup, which may cause some issues, because it's hard to understand your config.
+++++++++++++++++++++++++++++++++++++++++++++++++++
First, the naming of your interfaces is very strange. There is no advantage I see to naming your ether ports by LAN name, and it's very confusing.
Just keep them eth1, eth2, eth3 etc. If one ether port is a trunk port you could call it eth2-trunk, for example.

For trunk ports, I don't think lan1 is a member (if this is your WAN connection) and thus remove it.
add bridge=BR1 interface=eth2
add bridge=BR1 interface=eth3
add bridge=BR1 interface=eth4
add bridge=BR1 interface=eth5
add bridge=BR1 interface=eth6
add bridge=BR1 interface=eth7
add bridge=BR1 interface=eth8
add bridge=BR1 interface=eth9
add bridge=BR1 interface=eth10
add bridge=BR1 interface=eth11
add bridge=BR1 interface=eth12

Your bridge port and interface VLAN rules indicate that you have no access ports on the RB router (all connections are to devices that can tag traffic). Is this true??
Normally an ether port tagged with all VLANs is what we call a TRUNK port, i.e. going to a managed switch for example, or a WiFi device that can also tag traffic.
Normally ALL VLANs do not go to ALL ether ports either......
So something is not being communicated so as to understand your configuration?

For firewall rules
I would only allow the management vlan access to the router for winbox etc......., note you need to add the list to that rule!!
add chain=input action=accept in-interface-list=MGMT comment="Allow Base_Vlan Full Access"
For the other vlans, only allow access for DNS services.
add chain=input action=accept in-interface-list=vlan dst-port=53 protocol=udp connection-state=new
add chain=input action=accept in-interface-list=vlan dst-port=53 protocol=tcp connection-state=new

Changing the port names so it's clearer
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth8]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth10]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth11]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=eth12]

BASED upon your statement here.............
"RB 1100 AH x4 = > INTERFACE TRUNK = LAN1 , LAN2 , INTERFACE CLIENT [VLAN 100 ] => LAN 3 ~ LAN 12
CRS317-1G-16S+ => interface TRUNK => LAN1,LAN2 , INTERFACE VLAN 20 => LAN5,LAN6,LAN7,LAN8 ,LAN13,LAN14 INTERFACE VLAN 30 => LAN9,LAN10,LAN11,LAN12,LAN15,LAN16"

I would guess that we get rid of LAN1 (eth1 because that is your WAN connection). LAN2(eth2) is your trunk port to the switch! LAN3-12(eth3-12) are actually ALL ACCESS ports for vlan 100.
If that is the case then here is what the config would look like......

Bridge Ports
/interface bridge port
add bridge=BR1 interface=eth2 ingress-filtering=yes frame-types=admit-only-vlan-tagged comment="trunk port to switch, allow only tagged packets"
add bridge=BR1 interface=eth3 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=eth4 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=eth5 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=eth6 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=eth7 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=eth8 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=eth9 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=eth10 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=eth11 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=eth12 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"

/interface bridge vlan
add bridge=BR1 tagged=BR1,eth2 vlan-ids=20
add bridge=BR1 tagged=BR1,eth2 vlan-ids=30
add bridge=BR1 tagged=BR1,eth2 untagged=eth3,eth4,eth5,eth6,eth7,eth8,eth9,eth10,eth11,eth12 vlan-ids=100

( you could shorten the first two rules to be add bridge=BR1 tagged=BR1,eth2 vlan-ids=20,30 )

Now for the switch..............
I am not as good with switches but will attempt to look at the logic.
I am assuming eth2 on the RB (the trunk port) is attached to eth1(LAN1) of the switch.
On the switch side, I have no issues with keeping your naming convention of LANS as the switch doesn't do routing, so it's not confusing for me..........
From your config looks like
a. LAN1(eth1) is the trunk port from the router
b. LAN5-8,13,14 are for VLAN20 (supermicro)
c. LAN9-12,15,16 are for VLAN30 (ibm)

(Missing LAN2-4?? assuming these are?????
(I see that LANS 3,4 are access ports so assuming on management vlan)
(I see that LAN2 is also a trunk port?? You cannot have two trunk ports coming from the RB to the same switch, I believe this would be causing collisions and many issues???
Thus for the purposes of config I will treat LAN2(eth2) as another management vlan port.
Also, you are missing the untagged ports in bridge vlan interfaces.........

Bridge Ports
/interface bridge port
add bridge=BR1 interface=lan1 ingress-filtering=yes frame-types=admit-only-vlan-tagged comment="trunk port from router, allow only tagged packets"
add bridge=BR1 interface=lan2 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan3 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan4 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan5 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan6 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan7 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan8 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan9 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan10 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan11 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan12 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan13 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan14 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan15 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"
add bridge=BR1 interface=lan16 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="access port, only allow untagged and priority packets"

/interface bridge vlan
add bridge=BR1 tagged=BR1,lan1 untagged=lan5,lan6,lan7,lan8,lan13,lan14 vlan-ids=20
add bridge=BR1 tagged=BR1,lan1 untagged=lan9,lan10,lan11,lan12,lan15,lan16 vlan-ids=30
add bridge=BR1 tagged=BR1,lan1 untagged=lan2,lan3,lan4 vlan-ids=100
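A consistency check for the bridge port / bridge vlan pairs above, added here as an example and not part of anav's reply or of RouterOS itself. It assumes export-style `add ...` lines like those in the reply, the RouterOS frame-types values admit-only-vlan-tagged and admit-only-untagged-and-priority-tagged, and a constructed sample that reproduces the "missing untagged ports" mistake pointed out above.

```python
"""Consistency check for RouterOS bridge VLAN config (added example, not from the thread).
Parses '/interface bridge port' and '/interface bridge vlan' add-lines and reports an access port
whose pvid is not untagged on its VLAN, a trunk tagged on no VLAN, and a pvid/untagged mismatch."""
import re

KV = re.compile(r"(\S+?)=(\S+)")  # property=value pairs on an 'add ...' line

def parse_add_lines(text):
    """One dict per 'add ...' line, keyed by RouterOS property name."""
    return [dict(KV.findall(ln.strip()[4:])) for ln in text.splitlines() if ln.strip().startswith("add ")]

def check_bridge_vlans(port_text, vlan_text):
    """Return a sorted list of problem strings; an empty list means the config is consistent."""
    ports, problems = parse_add_lines(port_text), []
    members = {}  # vlan id -> (tagged ports, untagged ports)
    for v in parse_add_lines(vlan_text):
        tagged = set(v.get("tagged", "").split(",")) - {""}
        untagged = set(v.get("untagged", "").split(",")) - {""}
        for vid in v["vlan-ids"].split(","):  # 'vlan-ids=20,30' covers several VLANs
            t, u = members.setdefault(vid, (set(), set()))
            t |= tagged
            u |= untagged
    all_tagged = set().union(*(t for t, _ in members.values()))
    pvid_of = {p["interface"]: p.get("pvid", "1") for p in ports}  # RouterOS default pvid is 1
    for p in ports:
        name, pvid = p["interface"], pvid_of[p["interface"]]
        if p.get("frame-types") == "admit-only-vlan-tagged":  # trunk: must be tagged somewhere
            if name not in all_tagged:
                problems.append(f"trunk {name} is tagged on no VLAN")
        elif name not in members.get(pvid, (set(), set()))[1]:  # access port: needs untagged entry
            problems.append(f"access port {name} has pvid={pvid} but is not untagged on VLAN {pvid}")
    for vid, (_, untagged) in members.items():
        for name in untagged:
            if name in pvid_of and pvid_of[name] != vid:
                problems.append(f"{name} is untagged on VLAN {vid} but has pvid={pvid_of[name]}")
    return sorted(problems)

# Constructed sample (router side of the reply above); eth12 is deliberately missing from untagged=.
ROUTER_PORTS = """
add bridge=BR1 interface=eth2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=eth3 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=eth12 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
"""
ROUTER_VLANS = """
add bridge=BR1 tagged=BR1,eth2 vlan-ids=20,30
add bridge=BR1 tagged=BR1,eth2 untagged=eth3 vlan-ids=100
"""
if __name__ == "__main__":
    for problem in check_bridge_vlans(ROUTER_PORTS, ROUTER_VLANS) or ["config is consistent"]:
        print(problem)
```

Paste the two sections of a real `/export` into the two strings to check a live box; a port that is tagged and untagged correctly but never appears at all in the vlan table is the case that left the OP's clients without connectivity.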
 
LEEHYUNWOO
just joined
Topic Author
Posts: 22
Joined: Tue Aug 28, 2018 4:55 pm

Re: The Problem of InterVLAN Construction of RB1100AHx4 and CRS317-1G-16S+

Wed Apr 03, 2019 9:33 pm

Hello, anav!
I reconfigured and re-ordered the equipment on the basis of what you proposed today!
I judged that I had succeeded in setting up the equipment. And I've written this in a separate report form!
Thank you very much. anav!
If it were not your hard work, it would not have succeeded.

A successful record!
A. Access to routers and switches is now available!
B. VLAN 20, VLAN 30 DHCP communication works successfully from the switch!
C. The router's VLAN 100 communication has been successful!

Finally, I share PDF for people who have the same troubles as me!

PDF FILE : MIKROTIK D16 LAB [ 11 PAGE! ]

anav! A small question!

I want to implement the "IKEv2" VPN in the router in this state. Can you give me advice?
 
anav
Forum Guru
Posts: 22337
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: The Problem of InterVLAN Construction of RB1100AHx4 and CRS317-1G-16S+

Wed Apr 03, 2019 11:54 pm

Glad you got your network working just right. Kudos go to pcunite who developed the best reference for vlans!
I like noodle based soups so if I ever get to Korea you can take me to the best soup restaurants LOL. :-)

No worries, I will post later on IKE vpn, at least what the patient people here helped me setup to allow me to use my smart phone to use the MT app and vpn to my router.
 
anav
Forum Guru
Posts: 22337
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: The Problem of InterVLAN Construction of RB1100AHx4 and CRS317-1G-16S+

Thu Apr 04, 2019 4:49 pm

Gun Bae!
My IKE v2 implementation was done for my use case. The following is the general sense of what I did.
The details will be in my next post later today or tomorrow.

User: admin
Scenario: I want to be able to access the router via secure connection and use the Mikrotik APP on my iphone to access winbox, from inside the router (on my LAN).
Conditions:
- Has to work for remote connections via wifi or LTE
- Want to be able to browse the internet remotely but through my router (and its firewall) and my ISP.
- Remote IP is never known
- Local IP (of router) is accessed via dyndns name (one could use MT Cloud MT IP DDNS as well, and one of these days I will end up using that functionality).
- Decide on a LANIP that is not associated with any VLAN or subnet on your router. *****

**** This is the most strange part because it's basically creating what I call a temporary or FAKE LANIP behind the router but that is not part of any subnet, LAN, VLAN etc.
It just exists as a landing point for the remote connection. Someone can correct me if I am wrong but I believe this connection is connected at LAYER 2 with all subnets, vlans and lans but has no connectivity to the router itself or the WAN (unless one makes firewall rules). I may be wrong but I can access everything but maybe I made a fw rule, not at home so not sure.

Basic Router Setup
1. Firewall Rules
a. input chain allow RemoteVPN to Router
b. input chain allow MobileConnect to Router
c. forward chain allow MobileConnect to Internet

The hardest parts were:
a. generating IKE certificates from the MT device
i. generate MT Router certificate
ii generate certificate for iphone
iii export certificates

b. Download and use a program from the internet to convert Iphone certificate in the proper format
c. Upload the certificate to the iphone.
d. Finish the IPSEC configuration on the MT router (IP IPSEC), there are a few things here to be careful of!

Finally, here is the link I used to get me the certificates part properly. The problem is that it's for an older version of RouterOS so I had to improvise a bit in terms of the IPSEC part of the setup, but the certificate generation advice was excellent.
https://jcutrer.com/howto/networking/mi ... n-mikrotik
 
anav
Forum Guru
Posts: 22337
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: The Problem of InterVLAN Construction of RB1100AHx4 and CRS317-1G-16S+

Thu Apr 04, 2019 4:55 pm

Gun Bae!
My IKE v2 implementation was done for my use case. The following is the general sense of what I did.
The details will be in my next post later today or tomorrow.

User: admin
Scenario: I want to be able to access the router via secure connection and use the Mikrotik APP on my iphone to access winbox, from inside the router (on my LAN).
Conditions:
- Has to work for remote connections via wifi or LTE
- Want to be able to browse the internet remotely but through my router (and its firewall) and my ISP.
- Remote IP is never known
- Local IP (of router) is accessed via dyndns name (one could use MT Cloud MT IP DDNS as well, and one of these days I will end up using that functionality).
- Decide on a LANIP that is not associated with any VLAN or subnet on your router. *****

**** This is the most strange part because it's basically creating what I call a temporary or FAKE LANIP behind the router but that is not part of any subnet, LAN, VLAN etc.
It just exists as a landing point for the remote connection. Someone can correct me if I am wrong but I believe this connection is connected at LAYER 2 with all subnets, vlans and lans but has no connectivity to the router itself or the WAN (unless one makes firewall rules). I may be wrong but I can access everything but maybe I made a fw rule, not at home so not sure.

Basic Router Setup
1. Firewall Rules
a. input chain allow RemoteVPN to Router
b. input chain allow MobileConnect to Router
c. forward chain allow MobileConnect to Internet

The hardest parts were:
a. generating IKE certificates from the MT device
i. generate MT Router certificate
ii generate certificate for iphone
iii export certificates

b. Download and use a program from the internet to convert the iPhone certificate into the proper format (okay, this was creating a web server on my pc using python (very easy) to upload the certificate to the iphone).
c. Upload the certificate to the iphone.
d. Finish the IPSEC configuration on the MT router (IP IPSEC), there are a few things here to be careful of!

Finally, here is the link I used to get me the certificates part properly. The problem is that it's for an older version of RouterOS so I had to improvise a bit in terms of the IPSEC part of the setup, but the certificate generation advice was excellent.
https://jcutrer.com/howto/networking/mi ... n-mikrotik