
VLAN configuration help

Posted: Wed Mar 19, 2014 11:20 pm
by benitton
Hi, I have the following scenario and I have been having a lot of issues working on the VLAN configuration. I am not sure whether to use switching (I tried using the wiki but with no luck), or bridging (also tried, but lost access to the MikroTik on the attempt).

[img]MikrotikSetup.jpg[/img]

Any help will be more than appreciated, just need to know the logic on how to do it so that I can try, but I am not sure how to even begin.

Re: VLAN configuration help

Posted: Wed Mar 19, 2014 11:27 pm
by rextended
I'm writing, wait 5 min

Re: VLAN configuration help

Posted: Wed Mar 19, 2014 11:36 pm
by efaden
> I'm writing, wait 5 min

I'll let him post.. but I would use the switch chip for most of that. It will be faster.

Re: VLAN configuration help

Posted: Wed Mar 19, 2014 11:38 pm
by rextended
I'll help you only with VLAN and NAT:
I suppose you set all the other parameters, like IPs and routes, correctly.
[the IPs must be set on the bridge, not on the single interface]
And also that you have not already set any port as master or slave.
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] name=ether3-slave master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master2
set [ find default-name=ether7 ] name=ether7-slave2 master-port=ether6-master2
set [ find default-name=ether8 ] name=ether8-slave2 master-port=ether6-master2
set [ find default-name=ether9 ] name=ether9-slave2 master-port=ether6-master2

/interface vlan
add interface=ether1 name="ether1-vlan-id-90" vlan-id=90
add interface=ether1 name="ether1-vlan-id-92" vlan-id=92
add interface=ether1 name="ether1-vlan-id-199" vlan-id=199

/interface bridge
add name="bri-untag-vlan-id-90" protocol-mode=rstp
add name="bri-untag-vlan-id-92" protocol-mode=rstp
add name="bri-untag-vlan-id-199" protocol-mode=rstp

/interface bridge port
add bridge=bri-untag-vlan-id-90 interface=ether1-vlan-id-90
add bridge=bri-untag-vlan-id-90 interface=ether2-master
add bridge=bri-untag-vlan-id-92 interface=ether1-vlan-id-92
add bridge=bri-untag-vlan-id-199 interface=ether1-vlan-id-199
add bridge=bri-untag-vlan-id-199 interface=ether4

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for vlan-id-92" out-interface=bri-untag-vlan-id-92 in-interface=ether6-master2

Re: VLAN configuration help

Posted: Wed Mar 19, 2014 11:40 pm
by rextended
[...]

Re: VLAN configuration help

Posted: Wed Mar 19, 2014 11:40 pm
by efaden
> I'll help you only with VLAN and NAT:
> I suppose you set all the other parameters, like IPs and routes, correctly.
> [the IPs must be set on the bridge, not on the single interface]
> And also that you have not already set any port as master or slave.
> /interface vlan
> add interface=ether1 name="ether1-vlan-id-90" vlan-id=90
> add interface=ether1 name="ether1-vlan-id-92" vlan-id=92
> add interface=ether1 name="ether1-vlan-id-199" vlan-id=199
>
> /interface bridge
> add name="bri-untag-vlan-id-90" protocol-mode=rstp
> add name="bri-untag-vlan-id-92" protocol-mode=rstp
> add name="bri-untag-vlan-id-199" protocol-mode=rstp
>
> /interface bridge port
> add bridge=bri-untag-vlan-id-90 interface=ether1-vlan-id-90
> add bridge=bri-untag-vlan-id-90 interface=ether2
> add bridge=bri-untag-vlan-id-92 interface=ether1-vlan-id-92
> add bridge=bri-untag-vlan-id-92 interface=ether3
> add bridge=bri-untag-vlan-id-199 interface=ether1-vlan-id-199
> add bridge=bri-untag-vlan-id-199 interface=ether4
>
> /interface ethernet
> set [ find default-name=ether6 ] name=ether6-master
> set [ find default-name=ether7 ] name=ether7-slave master-port=ether6-master
> set [ find default-name=ether8 ] name=ether8-slave master-port=ether6-master
> set [ find default-name=ether9 ] name=ether9-slave master-port=ether6-master
>
> /ip firewall nat
> add action=masquerade chain=srcnat comment="NAT for vlan-id-92" out-interface=bri-untag-vlan-id-92

I'd actually use the switch chip. It will be much faster and will put basically no load on to the switch... I'll post a config after I put my son to bed.

Re: VLAN configuration help

Posted: Wed Mar 19, 2014 11:42 pm
by benitton
Thank you very much guys!!!! this is just what I needed...

Re: VLAN configuration help

Posted: Wed Mar 19, 2014 11:42 pm
by rextended
I have fixed my misreading in the first post; please check the script now, it uses both switch chips.

1st for 2-3 [but you can also add the 5 and sfp1 (or add the 4 and use the 5 as 4 before)]
/interface ethernet
set [ find default-name=ether5 ] name=ether5-slave master-port=ether2-master
set [ find default-name=sfp1 ] name=sfp1-slave master-port=ether2-master
and
2nd for 6-7-8-9 [but you can also add the 10!!!]
/interface ethernet
set [ find default-name=ether10 ] name=ether10-slave2 master-port=ether6-master2
If you find this useful, please add Karma!


efaden, please edit your post and remove the script inside, it is fixed now.

Re: VLAN configuration help

Posted: Wed Mar 19, 2014 11:52 pm
by efaden
If you are going to use the switch chip for this you actually have to set the settings, not just set the master port.

See my config:


/interface ethernet switch
set switch-all-ports=yes

/interface bridge
add name=bridge-local protocol-mode=rstp

/interface bridge port
add bridge=bridge-local interface=ether6

/interface ethernet
set [ find default-name=ether1 ] name=ether1
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1

set [ find default-name=ether6 ] master-port=none
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6


/interface vlan
add interface=ether1 l2mtu=1594 name=Vlan90 vlan-id=90
add interface=ether1 l2mtu=1594 name=Vlan92 vlan-id=92
add interface=ether1 l2mtu=1594 name=Vlan199 vlan-id=199
 
/ip pool
add name=local-pool ranges=192.168.0.100-192.168.0.254
 
/ip dhcp-server
add address-pool=local-pool interface=bridge-local name=local-dhcp
 
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=Vlan92
 
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
 
# VLAN table: member ports of each VLAN are added under "switch vlan"
/interface ethernet switch vlan
add vlan-id=90 switch=switch1 ports=ether1,ether2,ether3,cpu
add vlan-id=92 switch=switch1 ports=ether1,cpu
add vlan-id=199 switch=switch1 ports=ether1,ether4,cpu

# Per-port VLAN handling is set under "switch port":
# ether1 is the tagged trunk, ether2-4 are untagged access ports
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=199
set ether5 vlan-mode=secure

 
/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=Vlan92
 
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
 
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Vlan92 in-interface=bridge-local

Re: VLAN configuration help

Posted: Wed Mar 19, 2014 11:56 pm
by efaden
> I have fixed my misreading in the first post; please check the script now, it uses both switch chips.
>
> 1st for 2-3 [but you can also add the 4-5 and sfp1!!!]
> /interface ethernet
> set [ find default-name=ether4 ] name=ether4-slave master-port=ether2-master
> set [ find default-name=ether5 ] name=ether5-slave master-port=ether2-master
> set [ find default-name=sfp1 ] name=sfp1-slave master-port=ether2-master
> and
> 2nd for 6-7-8-9 [but you can also add the 10!!!]
> /interface ethernet
> set [ find default-name=ether10 ] name=ether10-slave2 master-port=ether6-master2
> If you find this useful, please add Karma!
>
> efaden, please edit your post and remove the script inside, it is fixed now.

rextended: you need to actually have settings in /interface ethernet switch port and vlan to control the VLANs if you are going to set the master-port. Just setting the master-port won't actually work since some of them need to be tagged/untagged and modified... your config as it is wouldn't actually work.

Re: VLAN configuration help

Posted: Thu Mar 20, 2014 12:03 am
by benitton
Thank you very much for your help on this, reading the configuration on both methodologies gives me a better understanding on how to work with VLANs and the switching feature. Coming from a Cisco background I need to get used to the new way.

Re: VLAN configuration help

Posted: Thu Mar 20, 2014 12:06 am
by efaden
> Thank you very much for your help on this, reading the configuration on both methodologies gives me a better understanding on how to work with VLANs and the switching feature. Coming from a Cisco background I need to get used to the new way.

Yeah. Not gonna lie, it's odd.

Re: VLAN configuration help

Posted: Thu Mar 20, 2014 12:12 am
by rextended
Reworked config:
/interface ethernet switch
set switch-all-ports=yes

/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6

/interface vlan
add interface=ether1 name=Vlan90 vlan-id=90
add interface=ether1 name=Vlan92 vlan-id=92
add interface=ether1 name=Vlan199 vlan-id=199

/ip pool
add name=local-pool ranges=192.168.0.101-192.168.0.199

/ip dhcp-server
add address-pool=local-pool interface=ether6 name=local-dhcp

/ip dhcp-client
add disabled=no interface=Vlan92

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8,8.8.4.4


# VLAN table: member ports of each VLAN are added under "switch vlan"
/interface ethernet switch vlan
add vlan-id=90 switch=switch1 ports=ether1,ether2,ether3,cpu
add vlan-id=92 switch=switch1 ports=ether1,cpu
add vlan-id=199 switch=switch1 ports=ether1,ether4,cpu

# Per-port VLAN handling is set under "switch port"
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=199

/ip firewall nat
add action=masquerade chain=srcnat out-interface=Vlan92 in-interface=ether6

Removed:
/interface bridge
add name=bridge-local protocol=rtsp

/interface bridge port
add bridge=bridge-local interface=ether6

/interface ethernet
set [ find default-name=ether1 ] name=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=none

/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=Vlan92
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid

For DNS, the default value of allow-remote-requests is "no";
it must be set to yes, and some DNS servers must be added, if you specify dns-server=192.168.0.1 on the DHCP server.
[DHCP client DNS or PPPoE peer DNS does not always work.]

About switch and VLAN: I must check again later whether I remembered wrong. Thanks.
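
A static check for the two gaps this thread turns on, added here as an example (not code from any poster or from MikroTik): ports joined with master-port but lacking secure VLAN handling or VLAN-table membership on the switch chip, and allow-remote-requests=yes on a router whose DHCP-client uplink has no input drop rule. It assumes RouterOS v6 export syntax with the VLAN table under /interface ethernet switch vlan and per-port settings under /interface ethernet switch port; the function names and the sample export are constructed for illustration.

```python
import re
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
SAMPLE = """/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
/interface ethernet switch vlan
add vlan-id=90 switch=switch1 ports=ether1,ether2,cpu
/interface ethernet switch port
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=90
/ip dhcp-client
add disabled=no interface=Vlan92
/ip dns
set allow-remote-requests=yes"""  # constructed sample, not a config from the thread

def parse_export(text):  # returns {menu: [(item, {key: value})]}
    menus, menu = {}, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            item = (line.split() + [""])[1]  # e.g. the port in "set ether3 ..."
            kv = {k: v.strip('"') for k, v in KV.findall(line)}
            menus.setdefault(menu, []).append((item, kv))
    return menus

def audit(text):
    m, out = parse_export(text), []
    # Ports joined to a switch group through master-port.
    slaves = {kv.get("default-name") for _, kv in m.get("/interface ethernet", [])
              if kv.get("master-port", "none") != "none"}
    ports = dict(m.get("/interface ethernet switch port", []))
    table = {kv.get("vlan-id"): kv.get("ports", "").split(",")
             for _, kv in m.get("/interface ethernet switch vlan", [])}
    for p in sorted(slaves - {None}):
        if ports.get(p, {}).get("vlan-mode") != "secure":
            out.append(f"{p}: switched, but vlan-mode is not secure")
    for p, kv in sorted(ports.items()):
        vid = kv.get("default-vlan-id")
        if vid and p not in table.get(vid, []):
            out.append(f"{p}: default-vlan-id={vid}, but not in the VLAN table")
    # DNS answering remote requests while the uplink has no input drop rule.
    dns = any(kv.get("allow-remote-requests") == "yes" for _, kv in m.get("/ip dns", []))
    guarded = {kv.get("in-interface") for _, kv in m.get("/ip firewall filter", [])
               if kv.get("chain") == "input" and kv.get("action") == "drop"}
    for _, kv in m.get("/ip dhcp-client", []):
        if dns and kv.get("interface") not in guarded:
            out.append(f"{kv.get('interface')}: DNS open, no input drop rule")
    return out
print("\n".join(audit(SAMPLE)))
```

Feed it the text of an `/export` from the router; an empty list means none of the three conditions was found, not that the configuration is otherwise sound.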

Re: VLAN configuration help

Posted: Thu Mar 20, 2014 12:33 am
by benitton
I am running RouterOS 6.9 and some of the commands in your configuration example are a bit different. I think I have it covered, but I don't have the masquerading working just yet.

One main difference is that my box has two switches, one for the gig ports and one for the fast ethernet ports. I will post what I got once I am done with the configuration. So far the VLAN ports on the "outside" portion are working.

Thanks again for your help guys.

Re: VLAN configuration help

Posted: Thu Mar 20, 2014 12:36 am
by efaden
Post your config. My example had nat working.


Re: VLAN configuration help

Posted: Thu Mar 20, 2014 12:37 am
by rextended
I hope you solve the problems, but first of all, install 6.11 and update BIOS to 3.12

Too many bugs in 6.8 / 6.9 / 6.10

Re: VLAN configuration help

Posted: Thu Mar 20, 2014 12:39 am
by rextended
> ... My example had nat working ...

Exactly.

Re: VLAN configuration help

Posted: Thu Mar 20, 2014 10:24 pm
by dcuk
Won't vlan92 need an IP address assigned to it for NAT to work?

None of the router interfaces have the gateway address on them either.

Re: VLAN configuration help

Posted: Thu Mar 20, 2014 10:49 pm
by rextended
> Won't vlan92 need an IP address assigned to it for NAT to work?
>
> None of the router interfaces have the gateway address on them either.

Read the previous post carefully:
>>>I suppose you set all the other parameters, like IPs and routes, correctly.
>>>[the IPs must be set on the bridge, not on the single interface]
>>>And also that you have not already set any port as master or slave.


Because "benitton" has not specified the IP needed.
I hope he knows the IP....

Re: VLAN configuration help

Posted: Mon Mar 31, 2014 5:01 pm
by benitton
> Won't vlan92 need an IP address assigned to it for NAT to work?
>
> None of the router interfaces have the gateway address on them either.

I actually get the IP address assigned via DHCP. I got this working w/o any problem. My main issue with the setup was to get the switching/bridging part of the setup going... Thanks again for your help guys!