
help or documentation about bridge vlan filtering

Posted: Sat May 27, 2023 8:34 am
by miconof
Hi, I'm quite new to setting up MikroTik devices; here is my setup.
model: CRS328-24P-4S+
current-firmware: 7.9

I've also a 'cAP ax' but it's not the point here.

I'm looking for documentation on how to implement VLANs on a bridge with filtering on.

Below is a diagram of what I did:
network.png
For the general environment, my switch router named 'SwRo' is directly connected to the ONT of my internet provider (no internet box anymore).
/interface vlan add interface=sfp1 name=ONT-Bouygue-Fibre vlan-id=100
/ip dhcp-client option add code=60 name=vendorid value=0x42594754454c494144
/ip dhcp-client add dhcp-options=vendorid disabled=no interface=ONT-Bouygue-Fibre
/interface bridge port add bridge=bridge interface=ether1
[...]
/interface bridge port add bridge=bridge interface=ether24
/interface bridge port add bridge=bridge interface=sfp-sfpplus1
/interface bridge port add bridge=bridge interface=sfp-sfpplus3
/interface bridge port add bridge=bridge interface=sfp-sfpplus4

/ip firewall nat add action=masquerade chain=srcnat out-interface=ONT-Bouygue-Fibre
/ip address add address=192.168.0.2/24 comment=LAN_HOME interface=bridge network=192.168.0.0
/ip address add address=192.168.0.88/24 comment=defconf interface=ether2 network=192.168.0.0

All of the above works as intended.

Next I set up a trunk port with 2 tagged VLANs.

I did my setup following this guide: viewtopic.php?f=13&t=143620#p706997
post #2: Switch with a separate router (RoaS), section "Router Configuration at a glance".
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge-v vlan-filtering=no

/interface vlan
add interface=bridge-v name=VLAN2 vlan-id=2
add interface=bridge-v name=VLAN5 vlan-id=5

/interface bridge vlan
add bridge=bridge-v tagged=sfp-sfpplus2 vlan-ids=2,5

/interface list member
add interface=VLAN2 list=VLAN
add interface=VLAN5 list=VLAN

/ip address
add address=192.168.2.1/24 interface=VLAN2 network=192.168.2.0
add address=192.168.5.1/24 interface=VLAN5 network=192.168.5.0

On the other side I plug in a FreeBSD host with jails on the VLANs. All seems to work: I can ping the internet or anyone in my LAN from both VLANs.

What I wanted is to isolate VLAN2 and VLAN5 from everyone else. But they need to be able to reach the internet.

For this I had to change vlan-filtering to yes on bridge-v.
But when I did this, on both VLANs I can't even ping their gateway (192.168.2.1 / 192.168.5.1).

I think I have to add some rules in /interface/bridge/nat and /interface/bridge/filter/.

I'm looking for documentation about bridge vlan filtering.

Re: help or documentation about bridge vlan filtering

Posted: Mon May 29, 2023 3:47 am
by anav
WHY???

Read para C. PCUNITE wrote the bible on bridge vlan filtering. --> viewtopic.php?t=182373
BUT................ you don't have a router, you have a switch that can act as a poor router.
Basically if you have a 1 gig internet connection you probably will be lucky to get half that speed.

In any case, the last point is that it's a switch, so configuring it for efficient use may be better suited to switch VLAN setup methods.
Which can be found at para P.

Re: help or documentation about bridge vlan filtering

Posted: Wed Jun 14, 2023 12:25 pm
by miconof
Thanks for your answer, you are right.
In my use case will the hEX S be enough ?

Re: help or documentation about bridge vlan filtering

Posted: Wed Jun 14, 2023 2:55 pm
by jbl42
What I wanted is to isolate VLAN2 and VLAN5 of anyone else. But they need to be able to go to internet.
You need to add the CPU port, i.e. the bridge itself, as a tagged interface for your VLANs so the switch forwards tagged packets to the CPU. After that, you will be able to enable VLAN filtering with the clients still able to reach the CPU.
/interface bridge vlan
add bridge=bridge-v tagged=bridge-v,sfp-sfpplus2 vlan-ids=2,5
More details in the link provided by anav.

For traffic between VLAN2 and VLAN5:
You have different subnets for VLAN2 and VLAN5. Traffic between those is hence routed (L3) and not switched (L2). For isolation, add a forward firewall rule dropping packets with input interface VLAN2 and output VLAN5 and vice versa. Or in your case you can add one rule dropping packets with both input and output interface in the VLAN interface list.
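The two points above (tagging the CPU port before enabling vlan-filtering, and enforcing isolation in the L3 forward chain with the VLAN interface list) put together as one RouterOS config. This is an added example, not config from the thread or from MikroTik; it assumes the names used in the original post (bridge-v, sfp-sfpplus2 as trunk, VLAN2/VLAN5, list VLAN, WAN interface ONT-Bouygue-Fibre, main LAN bridge "bridge") and adds a WAN interface list that the post does not have.

```routeros
# Added example: VLAN2 and VLAN5 isolated from each other and from LAN_HOME,
# but both allowed out to the internet. Names below are taken from the post.

/interface bridge
add name=bridge-v vlan-filtering=no

/interface bridge port
add bridge=bridge-v interface=sfp-sfpplus2 frame-types=admit-only-vlan-tagged

# Tag the trunk port AND the bridge itself (the CPU port) on both VLANs, so
# tagged frames still reach the router's VLAN interfaces once filtering is on.
/interface bridge vlan
add bridge=bridge-v tagged=bridge-v,sfp-sfpplus2 vlan-ids=2,5

/interface vlan
add interface=bridge-v name=VLAN2 vlan-id=2
add interface=bridge-v name=VLAN5 vlan-id=5

/interface list
add name=VLAN
add name=WAN
/interface list member
add interface=VLAN2 list=VLAN
add interface=VLAN5 list=VLAN
add interface=ONT-Bouygue-Fibre list=WAN

/ip address
add address=192.168.2.1/24 interface=VLAN2
add address=192.168.5.1/24 interface=VLAN5

# Isolation lives in the IP firewall (routed traffic), not in bridge filters:
# one rule covers VLAN2<->VLAN5 in both directions via the interface list,
# only VLAN -> WAN is accepted, and everything else from a VLAN is dropped.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN comment="no inter-VLAN traffic"
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN comment="VLANs to internet only"
add chain=forward action=drop in-interface-list=VLAN comment="VLANs cannot reach LAN_HOME or the router's other networks"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# Enable filtering only after the bridge-v tagged entry above exists;
# enabling it first is what cuts the CPU off from the VLANs (the symptom in the post).
/interface bridge set bridge-v vlan-filtering=yes
```

Check the result with /interface bridge vlan print (bridge-v must appear under "current-tagged" for VLANs 2 and 5) and by watching the drop rule counters in /ip firewall filter print stats while pinging from VLAN2 to 192.168.5.1.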

Re: help or documentation about bridge vlan filtering

Posted: Wed Jun 14, 2023 3:32 pm
by anav
No, a hEX S is not enough if talking about a 1 gig connection.
The cheapest guaranteed throughput of 1 gig is the hapax3.

Re: help or documentation about bridge vlan filtering

Posted: Wed Jun 14, 2023 4:00 pm
by jbl42
Depending on the packet size the hEX S can reach 1GB for routing with firewalling. I suggest giving it a try for your usage scenario.
Depending on the number of parallel connections and packet sizes, it might be enough or not.

Re: help or documentation about bridge vlan filtering

Posted: Wed Jun 14, 2023 4:11 pm
by anav
Let's stick to the facts, shall we!

Looking at the Test Results: 512 byte
for 25 simple queues (736 Mbps)
and
25 filter rules (385 Mbps)

Realistically one should expect something between those two numbers and hopefully closer to the 736 number.
This is reflective of Version 7.0 firmware.
Older Vers 6 numbers, don't recall off the top of my head but were more in the range of 900/500 numbers ( guessing ).
I have hexes and used one as my first router and even on vers6, I was never able to hit 900Mbps on my 1 gig connection.

Thus from both a user perspective and from the MT results pages, don't waste your money on anything else than a hapax3 if you desire to optimize your ISP throughput.

Re: help or documentation about bridge vlan filtering

Posted: Wed Jun 14, 2023 10:23 pm
by Buckeye
Asking if the hEX is sufficient for your use case without describing what your use case is won't get you useful answers.

Why did you specifically ask about the hEX? And by hEX do you mean RB750Gr3?

If you already have the hEX, I would try it to see if it is sufficient. It will be faster than the CPU that is built into the CRS328-24P-4S+ (which has a single-core 800 MHz processor; the RB750Gr3 has a MediaTek MT7621 SoC with two 800 MHz cores (4 virtual cores with hyperthreading)).

If you will need to buy something for routing, the hEX isn't the best, especially since you won't really need the HW assisted vlan bridge in the hEX with v7, since you already have the capable CRS328-24P-4S+ switch.

Since you said that you want the vlans to be isolated from each other, the primary routing will be between the internet and your LANS, not inter-vlan routing between the vlans.

Re: help or documentation about bridge vlan filtering

Posted: Thu Jun 15, 2023 9:49 am
by mkx
If you will need to buy something for routing, the hEX isn't the best, especially since you won't really need the HW assisted vlan bridge in the hEX with v7, since you already have the capable CRS328-24P-4S+ switch.

Since you said that you want the vlans to be isolated from each other, the primary routing will be between the internet and your LANS, not inter-vlan routing between the vlans.

The CRS328, if running ROS v7, should be a nice device to do the routing between VLANs ... especially if that doesn't involve too much firewalling. CRS328 does support L3HW (HW assisted routing): https://help.mikrotik.com/docs/display/ ... iceSupport

So if requirements and topology allow, then the hEX could be used only as border router/gateway/firewall with a bit lower performance requirements (obviously depends on WAN line specs).