gferen
just joined
Topic Author
Posts: 5
Joined: Thu Feb 29, 2024 2:59 pm

I made a mess of config

Fri Mar 01, 2024 4:21 pm

Hello everyone,
I apologize if something similar was asked already. I am a beginner with MikroTik and networking.
I was inspired by colleagues who said MikroTik makes great routers and switches, so I got one to replace the router I currently have. I have been trying to configure it for the past 14 days. One day 50% works and the other 50% does not; the next day it is vice versa.
What I use as equipment:
- 1x L009UiGS
- 2x Netgear GS108Tv3
- 1x TP-Link TL-SG108E
- 1x Netgear GS105E
I want to use 4 VLANs to separate management, laptops, IOT devices and VMWare servers.

-vlan 100 - mgmt
-vlan 200 - laptops
-vlan 800 - IOT
-vlan 1000 - VMWare

L009 ports:
- sfp - internet
- ether1 to ether4 - VLAN 200
- ether5 to ether8 - TRUNK to each switch
- port 1 on each switch is a trunk
- the other switch ports I managed to set with VLANs 100, 200, 800, 1000
Each switch has a static IP assigned for VLAN 100.
---------------------------------------------------------------------------
Currently working:
The 4 trunk ports connecting to the switches work. Each switch port that has a different VLAN assigned takes an IP from the DHCP servers on the router.

The first 4 ports on the L009 (ether1 - ether4) refuse to give out DHCP IPs. If I turn on VLAN filtering on the bridge --> the situation turns 180 degrees:
ether1 to ether4 work normally and give DHCP addresses, and the trunk side just dies and doesn't want to give out anything.

I would assume there is some small mistake somewhere. Attaching the config of what I did.

Thanks in advance for suggestions.
# 2024-03-01 15:53:47 by RouterOS 7.14
# software id = XXXXXXXXXX
#
# model = L009UiGS
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXX auto-mac=no mtu=1500 name=TrunkBridge
/interface vlan
add interface=TrunkBridge name="Desktop V200" vlan-id=200
add interface=TrunkBridge name="IOT V800" vlan-id=800
add interface=TrunkBridge name="MGMT V100" vlan-id=100
add interface=TrunkBridge name="VMWare V1000" vlan-id=1000
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="MGMT pool" ranges=192.168.250.111-192.168.250.122
add name="IOT pool" ranges=192.168.8.111-192.168.8.150
add name="vmware pool" ranges=192.168.200.50-192.168.200.90
add name="desktop pool" ranges=192.168.10.105-192.168.10.200
/ip dhcp-server
add add-arp=yes address-pool="MGMT pool" interface="MGMT V100" name=\
    "MGMT 250 dhcp"
add add-arp=yes address-pool="IOT pool" interface="IOT V800" name=\
    "IOT 8 DHCP"
add add-arp=yes address-pool="vmware pool" interface="VMWare V1000" name=\
    "vmware V1000 DHCP"
add add-arp=yes address-pool="desktop pool" interface="Desktop V200" name=\
    "Desktop V200 DHCP"
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/interface bridge port
add bridge=TrunkBridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=TrunkBridge frame-types=admit-only-vlan-tagged interface=ether6
add bridge=TrunkBridge frame-types=admit-only-vlan-tagged interface=ether7
add bridge=TrunkBridge frame-types=admit-only-vlan-tagged interface=ether8
add bridge=TrunkBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether2 pvid=200
add bridge=TrunkBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=200
add bridge=TrunkBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=200
add bridge=TrunkBridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=200
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=TrunkBridge tagged=TrunkBridge,ether5,ether6,ether7,ether8 \
    untagged=ether1,ether2,ether3,ether4 vlan-ids=200
/interface list member
add interface=TrunkBridge list=LAN
add interface=sfp1 list=WAN
/ip address
add address=192.168.250.1/24 interface="MGMT V100" network=192.168.250.0
add address=192.168.8.1/24 interface="IOT V800" network=192.168.8.0
add address=192.168.200.1/24 interface="VMWare V1000" network=192.168.200.0
add address=192.168.10.1/24 interface="Desktop V200" network=192.168.10.0
/ip arp
add address=192.168.250.3 interface="MGMT V100" mac-address=08:36:C9:19:16:30
add address=192.168.250.4 interface="MGMT V100" mac-address=08:36:C9:19:16:64
/ip dhcp-client
add interface=sfp1
/ip dhcp-server network
add address=192.168.8.0/24 gateway=192.168.8.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.200.0/24 gateway=192.168.200.1
add address=192.168.250.0/24 gateway=192.168.250.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Jupiter/Europa
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Buckeye
Forum Veteran
Posts: 896
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: I made a mess of config

Sat Mar 02, 2024 11:35 am

If I turn on VLAN filtering on the bridge --> the situation turns 180 degrees.
ether1 to ether4 work normally and give DHCP addresses, and the trunk side just dies and doesn't want to give out anything.
Are you saying that when you turn on vlan-filtering, the vlan 200 access ports on the switches do not work? It seems to me it should allow vlan 200 to work through the vlan 200 access ports on the downstream switches.

When you turn on vlan-filtering, you are making the bridge "vlan-aware", and it will no longer be "vlan-transparent". This means that any traffic from vlan-interfaces (which are adding tag to the frames) will be dropped by the bridge unless those vlans are specifically allowed with an /interface bridge vlan entry for the vlan. The following is what you currently have:
/interface bridge vlan
add bridge=TrunkBridge tagged=TrunkBridge,ether5,ether6,ether7,ether8 \
    untagged=ether1,ether2,ether3,ether4 vlan-ids=200
I think it should be like the following instead, so tagged frames for vlans 100, 800 and 1000 are allowed to pass through the trunk ports to the switches.
/interface bridge vlan
add bridge=TrunkBridge tagged=TrunkBridge,ether5,ether6,ether7,ether8 \
    untagged=ether1,ether2,ether3,ether4 vlan-ids=200
add bridge=TrunkBridge tagged=TrunkBridge,ether5,ether6,ether7,ether8 \
    vlan-ids=100
add bridge=TrunkBridge tagged=TrunkBridge,ether5,ether6,ether7,ether8 \
    vlan-ids=800
add bridge=TrunkBridge tagged=TrunkBridge,ether5,ether6,ether7,ether8 \
    vlan-ids=1000
But if it really isn't currently working for the vlan 200 access ports on the switches, then there is some other problem too.
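As an added example (not from this thread and not MikroTik code), a small Python checker for the mismatch Buckeye describes: it parses the `/interface vlan` and `/interface bridge vlan` sections of an export and reports the VLAN IDs that the router's own VLAN interfaces use but that no bridge vlan entry allows with the bridge itself as a tagged member, i.e. exactly the VLANs that vlan-filtering=yes would drop. It goes slightly beyond the thread by also accepting comma lists and ranges in vlan-ids; the sample config is a constructed excerpt of the export above.

```python
import re

# Constructed sample: the two sections from the L009 export that matter here
CONFIG = """
/interface vlan
add interface=TrunkBridge name="Desktop V200" vlan-id=200
add interface=TrunkBridge name="IOT V800" vlan-id=800
add interface=TrunkBridge name="MGMT V100" vlan-id=100
add interface=TrunkBridge name="VMWare V1000" vlan-id=1000
/interface bridge vlan
add bridge=TrunkBridge tagged=TrunkBridge,ether5,ether6,ether7,ether8 \\
    untagged=ether1,ether2,ether3,ether4 vlan-ids=200
"""

def parse_sections(text):
    """Join RouterOS line continuations; collect key=value pairs of 'add' lines per section."""
    joined = text.replace("\\\n", " ")
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)
            sections[current].append(dict(pairs))
    return sections

def expand_vlan_ids(spec):
    """'200' -> {200}; '100,800-802' -> {100, 800, 801, 802} (ranges are valid in vlan-ids)."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def missing_bridge_vlans(text):
    """Per bridge: VLAN IDs needed by a /interface vlan on it but not allowed by any
    /interface bridge vlan entry that tags the bridge itself; vlan-filtering drops these."""
    sections = parse_sections(text)
    needed, allowed = {}, {}
    for e in sections.get("/interface vlan", []):
        needed.setdefault(e["interface"], set()).add(int(e["vlan-id"]))
    for e in sections.get("/interface bridge vlan", []):
        if e["bridge"] in e.get("tagged", "").split(","):
            allowed.setdefault(e["bridge"], set()).update(expand_vlan_ids(e["vlan-ids"]))
    return {b: sorted(v - allowed.get(b, set()))
            for b, v in needed.items() if v - allowed.get(b, set())}
```

Run against the excerpt it reports 100, 800 and 1000 as missing on TrunkBridge; after adding Buckeye's three extra bridge vlan entries it reports nothing.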
 
Buckeye
Forum Veteran
Posts: 896
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: I made a mess of config

Sat Mar 02, 2024 11:44 am

 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: I made a mess of config

Sat Mar 02, 2024 1:16 pm

viewtopic.php?t=143620

Also would need to see complete config...
 
gferen
just joined
Topic Author
Posts: 5
Joined: Thu Feb 29, 2024 2:59 pm

Re: I made a mess of config

Sun Mar 03, 2024 11:15 am

@Buckeye Your addition to the bridge VLAN table made the situation work. Now each port on the switches and the 4 ports on the L009 work as configured, each giving out the corresponding DHCP addresses.
I am testing this now to 100% confirm it is working.
The next step will be to add some MikroTik APs for WiFi. I guess it is possible that 1 AP can give out 2 or more different SSIDs with corresponding DHCP addresses: SSID 1 for VLAN 200, one SSID for VLAN 800, and probably one new VLAN that will be separated from everything, only for guest WiFi.
Will these APs do the job --> MikroTik RBWAPG-5HACD2HND
 
Buckeye
Forum Veteran
Posts: 896
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: I made a mess of config

Mon Mar 04, 2024 10:51 am

Will these APs do the job --> MikroTik RBWAPG-5HACD2HND
I don't use them, so I can't say. My guess is that they will work, but if you really want to know, start a new thread with a title that will get more nibbles from people who use the device, i.e. a title like "Question about vlan capabilities of RBWAPG-5HACD2HND with L009UiGS and smart switches".
