Nicksdirt
just joined
Topic Author
Posts: 5
Joined: Sat Sep 30, 2023 6:46 am

Help with VLans.

Sat Sep 30, 2023 6:55 am

Hello,
I'm reasonably new to Mikrotik, however, I have had a Mikrotik RB2011 as my home router for the past year or so.
I have recently gotten a CRS326-24G-2S+RM and I've been attempting to configure it with VLans. I have been beating my head against a wall on this. Can't quite figure it out. I think my issue relates to IP routing.

Anyways I have several VLANs and bridges set up along with a DHCP server, and when I connect a device to say my PCBridge I can get a DHCP address and can ping the switch, HOWEVER, I have an Uplink bridge that connects to my Sophos XG firewall. I cannot ping that device, but I can from the switch.
Also, my "Uplink" VLAN can get to my firewall fine. Just no other VLAN can communicate or get to the firewall.

This is for home use so I like all my devices to communicate with one another; like my PC streaming to my Chromecast and my phone streaming to my Chromecast.

I have no idea where to go from here... Any help would be greatly appreciated. Here's my switch config:
/interface bridge
add name=CamerasBridge
add name=PCBridge
add name=ServersBridge
add name=Uplink
add name=WAPsBridge
/interface ethernet
set [ find default-name=ether9 ] name="Cameras - Eth9"
set [ find default-name=ether10 ] name="Cameras - Eth10"
set [ find default-name=ether7 ] name=Cameras-Eth7
set [ find default-name=ether8 ] name=Cameras-Eth8
set [ find default-name=ether22 ] name="DNS - Eth22"
set [ find default-name=ether24 ] name=Eth24-Uplink
set [ find default-name=ether1 ] name=PC-Eth1
set [ find default-name=ether2 ] name=PC-Eth2
set [ find default-name=ether3 ] name=PC-Eth3
set [ find default-name=ether4 ] name=PC-Eth4
set [ find default-name=sfp-sfpplus1 ] name=SFP1-Uplink
set [ find default-name=sfp-sfpplus2 ] name=SFP2-Servers
set [ find default-name=ether14 ] name="WAPs - Eth14"
set [ find default-name=ether13 ] name="WAPs- Eth13"
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=ether17 ] disabled=yes
set [ find default-name=ether18 ] disabled=yes
set [ find default-name=ether19 ] disabled=yes
set [ find default-name=ether20 ] disabled=yes
set [ find default-name=ether21 ] disabled=yes
set [ find default-name=ether23 ] disabled=yes
/interface vlan
add interface=Uplink name=VLAN10 vlan-id=10
add interface=Uplink name=VLAN20 vlan-id=20
add interface=Uplink name=VLAN30 vlan-id=30
add interface=Uplink name=VLAN40 vlan-id=40
add interface=Uplink name=VLAN50 vlan-id=50
/ip pool
add name=dhcp_pool0 ranges=10.10.50.2-10.10.50.254
add name=dhcp_pool1 ranges=10.10.50.2-10.10.50.254
add name=dhcp_pool2 ranges=10.10.10.10-10.10.10.20
add name=dhcp_pool3 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool4 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool5 ranges=10.10.40.2-10.10.40.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=PCBridge name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=Uplink name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=CamerasBridge name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=ServersBridge name=dhcp4
add address-pool=dhcp_pool5 disabled=no interface=WAPsBridge name=dhcp5
/interface bridge port
add bridge=Uplink interface=Eth24-Uplink pvid=10
add bridge=PCBridge interface=PC-Eth2 pvid=50
add bridge=PCBridge interface=PC-Eth4 pvid=50
add bridge=PCBridge interface=PC-Eth1 pvid=50
add bridge=PCBridge interface=PC-Eth3 pvid=50
add bridge=CamerasBridge interface="Cameras - Eth9" pvid=30
add bridge=CamerasBridge interface="Cameras - Eth10" pvid=30
add bridge=CamerasBridge interface=Cameras-Eth7 pvid=30
add bridge=CamerasBridge interface=Cameras-Eth8 pvid=30
add bridge=WAPsBridge interface="WAPs - Eth14" pvid=40
add bridge=WAPsBridge interface="WAPs- Eth13" pvid=40
add bridge=ServersBridge interface="DNS - Eth22" pvid=20
add bridge=ServersBridge interface=SFP2-Servers pvid=20
add bridge=Uplink interface=ether6 pvid=10
add bridge=Uplink interface=SFP1-Uplink pvid=10
/interface bridge vlan
add bridge=Uplink tagged=Uplink untagged=\
    CamerasBridge,PCBridge,ServersBridge,WAPsBridge vlan-ids=10
add bridge=CamerasBridge tagged=PCBridge,ServersBridge,WAPsBridge untagged=\
    Uplink vlan-ids=30
add bridge=ServersBridge tagged=CamerasBridge,PCBridge,WAPsBridge untagged=\
    Uplink vlan-ids=20
add bridge=WAPsBridge tagged=PCBridge untagged=Uplink vlan-ids=40
add bridge=PCBridge tagged=CamerasBridge,ServersBridge,WAPsBridge untagged=\
    Uplink vlan-ids=50
/ip address
add address=10.10.10.2/24 interface=Uplink network=10.10.10.0
add address=10.10.50.1/24 interface=PCBridge network=10.10.50.0
add address=10.10.40.1/24 interface=WAPsBridge network=10.10.40.0
add address=10.10.30.1/24 interface=CamerasBridge network=10.10.30.0
add address=10.10.20.1/24 interface=ServersBridge network=10.10.20.0
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.40.0/24 gateway=10.10.40.1
add address=10.10.50.0/24 gateway=10.10.50.1
/ip route
add distance=1 gateway=10.10.10.1
/system note
set note="10.10.10.1/24 pfSense\r\
    \n10.10.10.2/24 router\r\
    \n\r\
    \n10.10.20.1/24 servers\r\
    \n10.10.30.1/24 cameras\r\
    \n10.10.40.1/24 waps\r\
    \n10.10.50.1/24 pcs (mangement)"
/system routerboard settings
set boot-os=router-os
/tool romon
set enabled=yes
Last edited by holvoetn on Sat Sep 30, 2023 8:40 am, edited 1 time in total.
Reason: Added code quotes for readability
 
holvoetn
Forum Guru
Posts: 5531
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Help with VLans.

Sat Sep 30, 2023 11:47 am

You only need 1 bridge.

You may want to start reading this EXCELLENT tutorial on VLAN made by pcunite.
Read it, try to understand it, read it again.

viewtopic.php?t=143620
 
Nicksdirt
just joined
Topic Author
Posts: 5
Joined: Sat Sep 30, 2023 6:46 am

Re: Help with VLans.

Sat Sep 30, 2023 9:47 pm

I went through that post and learned a lot, thank you!

I rebuilt my config, although I'm still having issues and I have something misconfigured. A little bit flustered I can't figure this out, but this is any sort of learning, right?
So any active port I connect to can get to WinBox and log in, however I have my DHCP servers set to the VLANs. No matter what I do I cannot get any traffic to go over the VLAN? I must be missing something.

Any help is greatly appreciated (including criticism)
/interface bridge
add name=PortsBridge
/interface ethernet
set [ find default-name=ether7 ] name=Cameras-Eth7
set [ find default-name=ether8 ] name=Cameras-Eth8
set [ find default-name=ether9 ] name=Cameras-Eth9
set [ find default-name=ether10 ] name=Cameras-Eth10
set [ find default-name=ether21 ] name=Management-Eth21
set [ find default-name=ether22 ] name=Management-Eth22
set [ find default-name=ether1 ] name=PCs-Eth1
set [ find default-name=ether2 ] name=PCs-Eth2
set [ find default-name=ether3 ] name=PCs-Eth3
set [ find default-name=ether4 ] name=PCs-Eth4
set [ find default-name=ether13 ] name=Servers-Eth13
set [ find default-name=ether14 ] name=Servers-Eth14
set [ find default-name=sfp-sfpplus1 ] name=Servers-SFP1
set [ find default-name=ether24 ] name=Uplink-Eth24
set [ find default-name=sfp-sfpplus2 ] name=Uplink-SFP2
set [ find default-name=ether17 ] name=WAPs-Eth17
set [ find default-name=ether18 ] name=WAPs-Eth18
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=ether19 ] disabled=yes
set [ find default-name=ether20 ] disabled=yes
set [ find default-name=ether23 ] disabled=yes
/interface vlan
add interface=Uplink-Eth24 name=VLAN2 vlan-id=2
add interface=Uplink-Eth24 name=VLAN3 vlan-id=3
add interface=Uplink-Eth24 name=VLAN4 vlan-id=4
add interface=Uplink-Eth24 name=VLAN5 vlan-id=5
add interface=PortsBridge name=VLAN6 vlan-id=6
/ip pool
add name=dhcp_pool0 ranges=10.10.1.5-10.10.1.254
add name=dhcp_pool1 ranges=10.10.2.2-10.10.2.254
add name=dhcp_pool2 ranges=10.10.3.2-10.10.3.254
add name=dhcp_pool3 ranges=10.10.4.2-10.10.4.254
add name=dhcp_pool4 ranges=10.10.5.2-10.10.5.254
add name=dhcp_pool5 ranges=10.10.6.2-10.10.6.254
add name=dhcp_pool6 ranges=10.10.2.2-10.10.2.254
add name=dhcp_pool7 ranges=10.10.3.2-10.10.3.254
add name=dhcp_pool8 ranges=10.10.4.2-10.10.4.254
add name=dhcp_pool9 ranges=10.10.5.2-10.10.5.254
add name=dhcp_pool10 ranges=10.10.6.2-10.10.6.254
add name=dhcp_pool11 ranges=10.10.1.2-10.10.1.254
add name=dhcp_pool12 ranges=10.10.2.2-10.10.2.254
add name=dhcp_pool13 ranges=10.10.3.2-10.10.3.254
add name=dhcp_pool14 ranges=10.10.5.2-10.10.5.20
/ip dhcp-server
add address-pool=dhcp_pool12 disabled=no interface=VLAN2 name=dhcp1
add address-pool=dhcp_pool14 disabled=no interface=VLAN5 name=dhcp2
/interface bridge port
add bridge=PortsBridge interface=Cameras-Eth7 pvid=4
add bridge=PortsBridge interface=Cameras-Eth8 pvid=3
add bridge=PortsBridge interface=Cameras-Eth9 pvid=3
add bridge=PortsBridge interface=Cameras-Eth10 pvid=3
add bridge=PortsBridge interface=Management-Eth21 pvid=6
add bridge=PortsBridge interface=Management-Eth22 pvid=6
add bridge=PortsBridge interface=PCs-Eth1 pvid=5
add bridge=PortsBridge interface=PCs-Eth2 pvid=6
add bridge=PortsBridge interface=PCs-Eth3 pvid=5
add bridge=PortsBridge interface=PCs-Eth4 pvid=5
add bridge=PortsBridge interface=Servers-Eth13 pvid=2
add bridge=PortsBridge interface=Servers-Eth14 pvid=2
add bridge=PortsBridge interface=Servers-SFP1 pvid=2
add bridge=PortsBridge interface=Uplink-Eth24
add bridge=PortsBridge interface=Uplink-SFP2
add bridge=PortsBridge interface=WAPs-Eth17 pvid=4
add bridge=PortsBridge interface=WAPs-Eth18 pvid=4
/interface bridge vlan
add bridge=PortsBridge comment=Servers tagged=Uplink-Eth24,PortsBridge \
    untagged=Servers-Eth13,Servers-Eth14,Servers-SFP1 vlan-ids=3
add bridge=PortsBridge comment=Cameras tagged=Uplink-Eth24,PortsBridge \
    untagged=Cameras-Eth7,Cameras-Eth8,Cameras-Eth9,Cameras-Eth10 vlan-ids=4
add bridge=PortsBridge comment=WAPs tagged=Uplink-Eth24,PortsBridge untagged=\
    WAPs-Eth17,WAPs-Eth18 vlan-ids=5
add bridge=PortsBridge comment=PCs tagged=Uplink-Eth24,PortsBridge untagged=\
    PCs-Eth1,PCs-Eth2,PCs-Eth3,PCs-Eth4 vlan-ids=6
add bridge=PortsBridge comment=Management tagged=Uplink-Eth24,PortsBridge \
    untagged=Management-Eth21,Management-Eth22 vlan-ids=7
/ip address
add address=10.10.2.1/24 interface=VLAN2 network=10.10.2.0
add address=10.10.3.1/24 interface=VLAN3 network=10.10.3.0
add address=10.10.4.1/24 interface=VLAN4 network=10.10.4.0
add address=10.10.5.1/24 interface=VLAN5 network=10.10.5.0
add address=10.10.6.1/24 interface=VLAN6 network=10.10.6.0
/ip dhcp-server network
add address=10.10.1.0/24 gateway=10.10.1.1
add address=10.10.2.0/24 gateway=10.10.2.1
add address=10.10.3.0/24 gateway=10.10.3.1
add address=10.10.5.0/24 gateway=10.10.5.1
/ip dns
set servers=10.10.1.3
/system note
set note="10.10.1.1 pfSense\r\
    \n10.10.1.2 switch\r\
    \n10.10.1.3 PiHole DNS\r\
    \n10.10.2.1/24 Servers\r\
    \n10.10.3.1/24 Cameras\r\
    \n10.10.4.1/24 WAPs\r\
    \n10.10.5.1/24 PCs\r\
    \n10.10.6.1/24 Management\r\
    \n" show-at-login=no
/system routerboard settings
set boot-os=router-os
/tool romon
set enabled=yes
 
gigabyte091
Forum Guru
Posts: 1226
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Help with VLans.

Sat Sep 30, 2023 10:26 pm

Did you enable VLAN filtering on the bridge?
 
Nicksdirt
just joined
Topic Author
Posts: 5
Joined: Sat Sep 30, 2023 6:46 am

Re: Help with VLans.

Sun Oct 01, 2023 12:12 am

I did try enabling VLAN Filtering on the bridge and I get a DHCP address, however then I have no internet, and I can't get to 10.10.1.1 (firewall) and 10.10.1.3 (PiHole DNS).

Not sure what to do
 
Nicksdirt
just joined
Topic Author
Posts: 5
Joined: Sat Sep 30, 2023 6:46 am

Re: Help with VLans.

Sun Oct 01, 2023 12:15 am

In my IP Route I added 0.0.0.0/0 and 10.10.1.1 and it says unreachable.

Why would that be unreachable?
 
tdw
Forum Guru
Posts: 1874
Joined: Sat May 05, 2018 11:55 am

Re: Help with VLans.

Sun Oct 01, 2023 12:48 am

You have no /ip address in the 10.10.1.0/24 subnet.

The /interface vlan should refer to the bridge, not any member ports.

There are also unnecessary duplicates in /ip pool.
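
An added example, not part of any post in this thread: a small Python audit of a RouterOS export for the three points listed above (a VLAN interface on a member port, duplicate pools, a gateway outside every configured subnet), plus a pvid/untagged consistency check that goes beyond the replies. The sample export is constructed from the thread's second config together with the default route the poster describes; the code assumes one VLAN ID per bridge VLAN entry and gateways given as IP addresses.

```python
import ipaddress, re, shlex
from collections import defaultdict
# Constructed sample, condensed from the second export posted in this thread.
SAMPLE = r"""/interface bridge
add name=PortsBridge
/interface vlan
add interface=Uplink-Eth24 name=VLAN2 vlan-id=2
/ip pool
add name=dhcp_pool1 ranges=10.10.2.2-10.10.2.254
add name=dhcp_pool6 ranges=10.10.2.2-10.10.2.254
/interface bridge port
add bridge=PortsBridge interface=Servers-Eth13 pvid=2
/interface bridge vlan
add bridge=PortsBridge tagged=Uplink-Eth24,PortsBridge \
    untagged=Servers-Eth13 vlan-ids=3
/ip address
add address=10.10.2.1/24 interface=VLAN2 network=10.10.2.0
/ip route
add gateway=10.10.1.1
"""

def parse_export(text):
    """Group the 'add' lines of a RouterOS export by section as key/value dicts."""
    sections, current = defaultdict(list), None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join continuations
        if line.startswith("/"):
            current = line.strip()
        elif line.startswith("add ") and current:
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            sections[current].append(dict(pairs))
    return sections

def audit(text):
    s, out = parse_export(text), []
    bridges = {b["name"] for b in s["/interface bridge"]}
    out += [f"vlan {v['name']} sits on {v['interface']}, not on a bridge"
            for v in s["/interface vlan"] if v["interface"] not in bridges]
    seen = {}
    for p in s["/ip pool"]:
        if seen.setdefault(p["ranges"], p["name"]) != p["name"]:
            out.append(f"pool {p['name']} duplicates {seen[p['ranges']]}")
    pvid = {p["interface"]: p.get("pvid", "1") for p in s["/interface bridge port"]}
    for bv in s["/interface bridge vlan"]:  # assumes a single id per entry
        out += [f"{port} is untagged in vlan {bv['vlan-ids']} but has pvid {pvid[port]}"
                for port in bv.get("untagged", "").split(",")
                if port in pvid and pvid[port] != bv["vlan-ids"]]
    nets = [ipaddress.ip_interface(a["address"]).network for a in s["/ip address"]]
    out += [f"gateway {r['gateway']} is in no connected subnet" for r in s["/ip route"]
            if not any(ipaddress.ip_address(r["gateway"]) in n for n in nets)]
    return out
```

Running `audit()` on a saved `/export` before enabling VLAN filtering surfaces these mismatches while the switch is still reachable on every port.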
 
gigabyte091
Forum Guru
Posts: 1226
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Help with VLans.

Sun Oct 01, 2023 5:25 pm

I missed that... As @tdw said you are missing 10.10.1.0/24 in ip addresses. When you add that, route will be created automatically.
 
Nicksdirt
just joined
Topic Author
Posts: 5
Joined: Sat Sep 30, 2023 6:46 am

Re: Help with VLans.

Tue Oct 03, 2023 9:35 am

Thank you for the help guys, but I said to hell with it and bought an Aruba switch.

I'm well versed in Aruba and understand the untagged/tagged/trunk far better than I do Mikrotik. That's not to say I won't still learn how to do it on Mikrotik, but I will be using Mikrotik as an L2 switch and firewalls where I don't use OPNSense.

It's always good to learn new things, but at that time I needed something quick and something I knew off the bat.

Furthermore, as I continue my journey I will probably end up buying a few HEX switches and learning trunking that way. It seems Mikrotik isn't the best switch with vlans / trunking between other providers. I could be wrong but that's just what I've observed over the bit I've used it.
 
gigabyte091
Forum Guru
Posts: 1226
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Help with VLans.

Tue Oct 03, 2023 12:50 pm

You didn't use it enough :D

ROS is a little bit intimidating at the beginning but when you learn something you see all the possibilities.

I have an Aruba switch packed neatly in a box, it's replaced with Mikrotik :D :D
 
mozerd
Forum Veteran
Posts: 897
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Help with VLans.

Tue Oct 03, 2023 3:36 pm

> Thank you for the help guys, but I said to hell with it and bought an Aruba switch.
>
> I'm well versed in Aruba and understand the untagged/tagged/trunk far better than I do Mikrotik.

HPE Aruba make EXCELLENT switches … nothing in the MikroTik switch line up can even compare … you made a very wise choice …
