
VLAN Trunking and port setup CRS125

Posted: Sun Mar 08, 2015 12:09 am
by Cletus
Hi,

I have a CRS125 which, unfortunately, due to the speed, I'm only using as a switch. But I want some trunks and VLANs set up on it and I can't get this figured out.

Scenario:
Background:
I use an extra router (pfSense with a VLAN-capable NIC; this is already installed on the router and works fine, having a Netgear switch with VLAN options, and works like a charm: VLANning, trunking, etc.). My EnGenius ECB350 access point is capable of handling VLANs and, tested on the Netgear, it also works like a charm.

Mikrotik switch:
VLAN2 Clients
VLAN3 Admin Network
VLAN4 Untrusted (Internet Only)
VLAN5 Internal WiFi
VLAN6 Guest WiFi Untrusted (Internet Only)

Trunks:
Port 22 to WiFi AP
Port 23 to other Switch with all VLANS
Port 24 from Router with all VLANS

I don't use ports 1 and 2 at the moment, so I am only focussing on ports 3-24.

Port 3-13,23,24 as VLAN2
Port 14,15,22,23,24 as VLAN3
Port 16,17,23,24 as VLAN4
Port 18,19,22,23,24 as VLAN5
Port 20,21,22,23,24 as VLAN6

This is the background information of it all,

What have I done so far:
Created VLANs, master ports, nothing seems to work... :(
I came up with these last settings but I can't get this to work. Does anybody have an idea how to realise this?

Thanks for the help!

Regards, Paul

/interface ethernet
set numbers=3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 master-port=ether24

/interface ethernet switch vlan
add ports=ether03,ether04,ether05,ether06,ether07,ether08,ether09,ether10,ether11,ether12,ether13,ether23,ether24,switch1-cpu vlan-id=2
add ports=ether14,ether15,ether22,ether23,ether24,switch1-cpu vlan-id=3
add ports=ether16,ether17,ether23,ether24,switch1-cpu vlan-id=4
add ports=ether18,ether19,ether22,ether23,ether24,switch1-cpu vlan-id=5
add ports=ether20,ether21,ether22,ether23,ether24,switch1-cpu vlan-id=6

/interface ethernet switch ingress-vlan-translation
add ports=ether03,ether04,ether05,ether06,ether07,ether08,ether09,ether10,ether11,ether12,ether13,ether23,ether24 new-customer-vid=2
add ports=ether14,ether15,ether22,ether23,ether24 new-customer-vid=3
add ports=ether16,ether17,ether23,ether24 new-customer-vid=4
add ports=ether18,ether19,ether22,ether23,ether24 new-customer-vid=5
add ports=ether20,ether21,ether22,ether23,ether24 new-customer-vid=6

/interface ethernet switch egress-vlan-tag
add vlan-id=2 tagged-ports=ether03,ether04,ether05,ether06,ether07,ether08,ether09,ether10,ether11,ether12,ether13,ether23,ether24,switch1-cpu
add vlan-id=3 tagged-ports=ether14,ether15,ether22,ether23,ether24,switch1-cpu
add vlan-id=4 tagged-ports=ether16,ether17,ether23,ether24,switch1-cpu
add vlan-id=5 tagged-ports=ether18,ether19,ether22,ether23,ether24,switch1-cpu
add vlan-id=6 tagged-ports=ether20,ether21,ether22,ether23,ether24,switch1-cpu

Re: VLAN Trunking and port setup CRS125

Posted: Fri Mar 13, 2015 2:26 pm
by Cletus
Anybody? :)

Re: VLAN Trunking and port setup CRS125

Posted: Sat Mar 14, 2015 8:27 am
by reverged
You have trunk ports and access ports mixed up.
Assuming your interfaces are all 2 digits....
Try this:
# either use the interface names or check the numbers.....on my crs, ether3 is number 2
# also are the ports all renamed to have 2 digits?
/interface ethernet
set numbers=3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 master-port=ether24
#
/interface ethernet switch vlan
# don't need cpu port unless you plan to route/manage via that vlan so drop it except for admin vlan.
add ports=ether03,ether04,ether05,ether06,ether07,ether08,ether09,ether10,ether11,ether12,ether13,ether23,ether24 vlan-id=2
#
# need cpu port here as this is admin vlan
add ports=ether14,ether15,ether22,ether23,ether24,switch1-cpu vlan-id=3
#
add ports=ether16,ether17,ether23,ether24 vlan-id=4
add ports=ether18,ether19,ether22,ether23,ether24 vlan-id=5
add ports=ether20,ether21,ether22,ether23,ether24 vlan-id=6
#
# don't translate your trunk ports
/interface ethernet switch ingress-vlan-translation
add ports=ether03,ether04,ether05,ether06,ether07,ether08,ether09,ether10,ether11,ether12,ether13 new-customer-vid=2
add ports=ether14,ether15 new-customer-vid=3
add ports=ether16,ether17 new-customer-vid=4
add ports=ether18,ether19 new-customer-vid=5
add ports=ether20,ether21 new-customer-vid=6
#
# only tag trunk ports and cpu for admin vlan.  all others are untagged
/interface ethernet switch egress-vlan-tag
add vlan-id=2 tagged-ports=ether23,ether24
add vlan-id=3 tagged-ports=ether22,ether23,ether24,switch1-cpu
add vlan-id=4 tagged-ports=ether23,ether24
add vlan-id=5 tagged-ports=ether22,ether23,ether24
add vlan-id=6 tagged-ports=ether22,ether23,ether24
#
# you might have this already, but don't forget to put vlan3 on ether24 so the router can be reached for admin.
/interface vlan add interface=ether24 vlan-id=3 name=vlan3
#
# and an ip address on vlan3.... 
# /ip address add interface=vlan3 address=x.x.x.x/y

I hope this helps.....
If you need port isolation, there is info in the wiki.
If any part of this is a public network, I recommend port isolation.
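
An added example, not written by any poster in this thread: a Python check of the two rules in the reply above (trunk ports are not ingress-translated; access ports are not egress-tagged), run over config text in the thread's syntax. The sample config is constructed with two deliberate mistakes, and `parse` and `audit` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample, two deliberate mistakes: trunk ether24 translated, access ether17 tagged.
SAMPLE = """\
/interface ethernet switch vlan
add ports=ether14,ether15,ether22,ether24,switch1-cpu vlan-id=3
add ports=ether16,ether17,ether24 vlan-id=4
/interface ethernet switch ingress-vlan-translation
add ports=ether14,ether15 new-customer-vid=3
add ports=ether16,ether17,ether24 new-customer-vid=4
/interface ethernet switch egress-vlan-tag
add vlan-id=3 tagged-ports=ether22,ether24,switch1-cpu
add vlan-id=4 tagged-ports=ether17,ether24
"""
MENUS = {"vlan", "ingress-vlan-translation", "egress-vlan-tag"}

def parse(config):
    """Return {menu: {vlan_id: set(ports)}} for the three switch menus."""
    tables, menu = defaultdict(dict), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("/"):
            menu = line.split()[-1]          # last word of the menu path
        elif line.startswith("add ") and menu in MENUS:
            kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
            vid = int(kv.get("vlan-id") or kv["new-customer-vid"])
            ports = kv.get("ports") or kv["tagged-ports"]
            tables[menu].setdefault(vid, set()).update(ports.split(","))
    return tables

def audit(config):
    """List ports that break the access/trunk split described in the reply."""
    t = parse(config)
    member, xlate, tagged = (t[m] for m in ("vlan", "ingress-vlan-translation", "egress-vlan-tag"))
    access = defaultdict(set)  # port -> VLANs its untagged traffic is mapped into
    for vid, ports in xlate.items():
        for p in ports:
            access[p].add(vid)
    out = []
    for port, vids in sorted(access.items()):
        # An access port must belong to the VLAN it is translated into.
        out += [f"{port}: translated into VLAN {v} but not a member"
                for v in sorted(vids) if port not in member.get(v, set())]
        # A port is either access (translated) or trunk (tagged), never both.
        hit = sorted(v for v, ps in tagged.items() if port in ps)
        if hit:
            out.append(f"{port}: ingress-translated yet tagged on egress for VLANs {hit}")
    for vid, ports in sorted(tagged.items()):
        out += [f"{p}: tagged for VLAN {vid} but not a member"
                for p in sorted(ports - member.get(vid, set()))]
    return out
```

Calling `audit(SAMPLE)` returns one finding each for ether17 and ether24; a config that follows the reply's layout returns an empty list.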

Re: VLAN Trunking and port setup CRS125

Posted: Sat Mar 14, 2015 7:41 pm
by Cletus
Thank you for your answer reverged!

I tried it out. After some trial and error, and understanding what you mean with the numbers, I did the following config on the device:

/interface ethernet
set numbers=2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 master-port=ether24

/interface ethernet switch vlan
add ports=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether23,ether24 vlan-id=2
add ports=ether14,ether15,ether22,ether23,ether24,switch1-cpu vlan-id=3
add ports=ether16,ether17,ether23,ether24 vlan-id=4
add ports=ether18,ether19,ether22,ether23,ether24 vlan-id=5
add ports=ether20,ether21,ether22,ether23,ether24 vlan-id=6

/interface ethernet switch ingress-vlan-translation
add ports=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13 new-customer-vid=2
add ports=ether14,ether15 new-customer-vid=3
add ports=ether16,ether17 new-customer-vid=4
add ports=ether18,ether19 new-customer-vid=5
add ports=ether20,ether21 new-customer-vid=6

/interface ethernet switch egress-vlan-tag
add vlan-id=2 tagged-ports=ether23,ether24
add vlan-id=3 tagged-ports=ether22,ether23,ether24,switch1-cpu
add vlan-id=4 tagged-ports=ether23,ether24
add vlan-id=5 tagged-ports=ether22,ether23,ether24
add vlan-id=6 tagged-ports=ether22,ether23,ether24

/interface vlan add interface=ether24 vlan-id=3 name=vlan3

/ip address add interface=vlan3 address=192.168.3.100/24

After connecting the trunk cable of my pfSense router to port 24, I only managed to get an IP from VLAN2 one time. After that all the VLANs still didn't work. Is there something I'm doing wrong?

Re: VLAN Trunking and port setup CRS125

Posted: Mon Mar 16, 2015 8:46 pm
by Cletus
So I fiddled around a bit and came up with this config. In this particular config the different VLANs work, as the computer attached gets a DHCP address from the correct VLAN, but after that nothing happens. No internet, not able to ping anything except localhost. Does anyone have any ideas? :(

P.S. In this particular example I tried only a bunch of ports, just to check if everything is working correctly, which means that

Port 19 is VLAN2
Port 20 is VLAN3
Port 21 is VLAN4
Port 22 is VLAN5
Port 23 is VLAN6
Port 24 is Trunk from my Router with all the VLANs on that link...

/interface ethernet
set ether19 master-port=ether24
set ether20 master-port=ether24
set ether21 master-port=ether24
set ether22 master-port=ether24
set ether22 master-port=ether24

/interface ethernet switch ingress-vlan-translation
add ports=ether19 customer-vid=0 new-customer-vid=2 sa-learning=yes
add ports=ether20 customer-vid=0 new-customer-vid=3 sa-learning=yes
add ports=ether21 customer-vid=0 new-customer-vid=4 sa-learning=yes
add ports=ether22 customer-vid=0 new-customer-vid=5 sa-learning=yes
add ports=ether23 customer-vid=0 new-customer-vid=6 sa-learning=yes

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24 vlan-id=2
add tagged-ports=ether24 vlan-id=3
add tagged-ports=ether24 vlan-id=4
add tagged-ports=ether24 vlan-id=5
add tagged-ports=ether24 vlan-id=6

/interface ethernet switch vlan
add ports=ether24,ether19 vlan-id=2 learn=yes
add ports=ether24,ether20 vlan-id=3 learn=yes
add ports=ether24,ether21 vlan-id=4 learn=yes
add ports=ether24,ether22 vlan-id=5 learn=yes
add ports=ether24,ether23 vlan-id=6 learn=yes

/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether24,ether19,ether20,ether21,ether22,ether23

/interface ethernet switch port
set 18 dscp-based-qos-dscp-to-dscp-mapping=no
set 19 dscp-based-qos-dscp-to-dscp-mapping=no
set 20 dscp-based-qos-dscp-to-dscp-mapping=no
set 21 dscp-based-qos-dscp-to-dscp-mapping=no
set 22 dscp-based-qos-dscp-to-dscp-mapping=no

/interface ethernet switch port
set ether24 isolation-leakage-profile-override=0
set ether19 isolation-leakage-profile-override=2
set ether20 isolation-leakage-profile-override=3
set ether21 isolation-leakage-profile-override=4
set ether22 isolation-leakage-profile-override=5
set ether23 isolation-leakage-profile-override=6

/interface ethernet switch port-isolation
add port-profile=2 ports=ether24,ether19 type=dst
add port-profile=3 ports=ether24,ether20 type=dst
add port-profile=4 ports=ether24,ether21 type=dst
add port-profile=5 ports=ether24,ether22 type=dst
add port-profile=6 ports=ether24,ether23 type=dst

/interface ethernet switch
set forward-unknown-vlan=no

Re: VLAN Trunking and port setup CRS125

Posted: Tue Mar 17, 2015 2:13 am
by reverged
Take a look at the forwarding database with:
/interface ethernet switch unicast-fdb print
Make sure MACs are on the VLAN you expect - especially the pfSense interfaces.

And make sure there are no bridges config'd in the CRS that could mess things up.

Lastly, what version ROS? Early versions with CRS support did not work......at all.....

Edit: I do have a few of these (CRS125 and CRS226) working fine connected to other MT routers.