webnoob
just joined
Topic Author
Posts: 17
Joined: Sat Apr 20, 2024 9:42 am

Management VLAN issue

Mon Apr 22, 2024 10:55 am

Hello!
It's my first MikroTik and I'm trying to replace my Tomato-based configuration. I need some VLANs but I realized I can have only one to manage my router. I have RB5009 (no WiFi, no PoE).
I was failing each time when I was enabling VLANs for the bridge. As a workaround I configured all VLANs on a new bridge and now it is like:
eth8 - WAN
eth7 - LAN-mgmt & LAN (bridge with single eth, untagged, no VLANs)
eth1-eth6 - LAN (running VLANs)
For now I don't fully understand the idea of a management VLAN, so I created vlan100-mgmt, but I left it unconfigured and for now I want to have the ability to manage the router from VLAN 1 (192.168.10.0/24).
I understand to make it happen I need to move vlan1 part to the first place here, so from:
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-mgmt network=192.168.88.0
add address=192.168.10.1/24 interface=vlan1 network=192.168.10.0
add address=192.168.30.1/24 interface=vlan3 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan4 network=192.168.40.0
add address=192.168.50.1/24 interface=vlan5 network=192.168.50.0
to:
/ip address
add address=192.168.10.1/24 interface=vlan1 network=192.168.10.0
add address=192.168.88.1/24 comment=defconf interface=bridge-mgmt network=192.168.88.0
add address=192.168.30.1/24 interface=vlan3 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan4 network=192.168.40.0
add address=192.168.50.1/24 interface=vlan5 network=192.168.50.0
Correct? Or just modify this part of my config, OK?
# 2024-04-21 21:49:02 by RouterOS 7.14.2
# software id = YEVK-ILAI
#
# model = RB5009UG+S+
# serial number = HFE09765FH3
/interface bridge
add name=bridge pvid=2 vlan-filtering=yes
add admin-mac=78:9A:18:CA:4E:C4 auto-mac=no name=bridge-mgmt
/interface ethernet
set [ find default-name=ether8 ] name=ether8-WAN
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan3 vlan-id=3
add interface=bridge name=vlan4 vlan-id=4
add interface=bridge name=vlan5 vlan-id=5
add interface=bridge name=vlan100-mgmt vlan-id=100
/interface list
add name=WAN
add name=LAN
add name=LAN-mgmt
/ip pool
add name=default-dhcp ranges=192.168.88.220-192.168.88.229
add name=dhcp_pool21 ranges=192.168.30.200-192.168.30.219
add name=dhcp_pool31 ranges=192.168.40.200-192.168.40.219
add name=dhcp_pool53 ranges=192.168.50.200-192.168.50.219
add name=dhcp_pool11 ranges=192.168.10.200-192.168.10.219
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-mgmt lease-time=1m name=defconf
add address-pool=dhcp_pool21 interface=vlan3 lease-time=1m name=dhcp3
add address-pool=dhcp_pool31 interface=vlan4 lease-time=1m name=dhcp4
add address-pool=dhcp_pool53 interface=vlan5 lease-time=1m name=dhcp5
add address-pool=dhcp_pool11 interface=vlan1 lease-time=1m name=dhcp1
/interface bridge port
add bridge=bridge-mgmt hw=no interface=ether7 pvid=2
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=100
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 untagged=ether6 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether1,ether2,ether3,ether4 vlan-ids=1
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 untagged=ether5 vlan-ids=3
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 vlan-ids=4
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4 vlan-ids=5
/interface list member
add interface=bridge-mgmt list=LAN
add interface=ether8-WAN list=WAN
add interface=bridge list=LAN
add interface=bridge-mgmt list=LAN-mgmt
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-mgmt network=192.168.88.0
add address=192.168.10.1/24 interface=vlan1 network=192.168.10.0
add address=192.168.30.1/24 interface=vlan3 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan4 network=192.168.40.0
add address=192.168.50.1/24 interface=vlan5 network=192.168.50.0
/ip dhcp-client
add interface=ether8-WAN
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1 netmask=24
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Removed for example
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
# Removed for example
/ipv6 firewall filter
# Removed for example
#error exporting "/ipv6/nd/prefix" (timeout)
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Later I'll probably have a question about how to apply the new config in my router, but for now let me understand my mistake.
Last edited by webnoob on Wed Apr 24, 2024 8:56 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19501
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Management VLAN issue

Mon Apr 22, 2024 8:55 pm

Don't use vlan1.
Do use this guide for VLANs - viewtopic.php?t=143620

Your best bet to configure the bridge and VLANs safely is to take one ether port off the bridge, let's say 10.
Remove from bridge.
Give it its own IP address 192.168.55.1/24
Add it to the management Interface.

/interface list member
add interface=vlanX list=LAN
add interface=vlanY list=LAN
add interface=vlan99 list=LAN
add interface=vlan99 list=Management
add interface=ether10 list=Management


Then hook up your desktop or laptop to port10 and change IPV4 settings to something like 192.168.55.5
Enjoy, trouble free config setup experience.
 
webnoob
just joined
Topic Author
Posts: 17
Joined: Sat Apr 20, 2024 9:42 am

Re: Management VLAN issue

Mon Apr 22, 2024 11:03 pm

> Don't use vlan1.

Do you mean vlan-id=1? Or interface=vlan1? And why? It won't work or it's not safe?

Other things... I need to read and do VLANs again. Unfortunately, now I'm using vlan id=1 in my network and on some devices I have this hardcoded. It will not be fast and easy to configure and switch the router :/
 
anav
Forum Guru
Posts: 19501
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Management VLAN issue

Mon Apr 22, 2024 11:21 pm

The vlan-id of 1, not the name but the actual ID. Nothing should get a vlan-id of 1, as that is a background default VLAN ID in most devices.
Leave it out of any data flow or any management VLAN etc. This also applies to MT, where the bridge uses it in the background already.
 
tdw
Forum Guru
Posts: 1862
Joined: Sat May 05, 2018 11:55 am

Re: Management VLAN issue  [SOLVED]

Tue Apr 23, 2024 3:15 am

> Unfortunately, now I'm using vlan id=1 in my network and on some devices I have this hardcoded. It will not be fast and easy to configure and switch the router :/

Using VLAN ID 1 is not incorrect, however you can easily get things wrong as a result unless you are familiar with exactly how manufacturers use it in their equipment.

Whilst many hard code the use of VLAN ID 1 for untagged packets, on MikroTiks it is merely a default pvid=1 setting on bridge ports, including the implicit bridge-to-cpu port. It is not shown in the output of /export; you have to use /export verbose to see all the defaults.

The most common mistake is adding an /interface bridge, which has the default pvid=1 for the bridge-to-cpu port, and also adding an /interface vlan with a vlan-id=1.
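
The mistake described in the post above can be checked mechanically against an export. This is an added example, not part of the original thread: the function names are hypothetical, it assumes single-line `add` entries as in the exports posted here, and it relies on the point made above that a plain /export omits pvid when it has its default value of 1.

```python
import shlex

def parse_export(text):
    """Return {section_path: [{key: value}, ...]} for the 'add' lines of a RouterOS /export."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None or not line.startswith("add "):
            continue
        try:
            tokens = shlex.split(line)      # keeps comment="a b" as one token
        except ValueError:                  # unbalanced quote: fall back to a naive split
            tokens = line.split()
        sections[current].append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections

def vlan_pvid_conflicts(text):
    """List (vlan_name, bridge, vlan_id) where a VLAN interface reuses the pvid of
    its parent bridge, i.e. the untagged VLAN of the bridge-to-CPU port."""
    s = parse_export(text)
    # pvid is absent from a plain /export when it is still the default of 1
    pvid = {b["name"]: int(b.get("pvid", 1)) for b in s.get("/interface bridge", []) if "name" in b}
    hits = []
    for v in s.get("/interface vlan", []):
        parent = v.get("interface")
        # an entry without an explicit vlan-id is skipped (0 never matches a pvid)
        if parent in pvid and int(v.get("vlan-id", 0)) == pvid[parent]:
            hits.append((v.get("name"), parent, pvid[parent]))
    return hits

# Constructed sample: bridge left at its default pvid, plus a vlan-id=1 interface.
CONSTRUCTED_CONFLICT = """/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan3 vlan-id=3
"""
# Lines taken from the first post's export, where the bridge pvid was set to 2.
FIRST_POST_EXCERPT = """/interface bridge
add name=bridge pvid=2 vlan-filtering=yes
add admin-mac=78:9A:18:CA:4E:C4 auto-mac=no name=bridge-mgmt
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan100-mgmt vlan-id=100
"""

if __name__ == "__main__":
    print(vlan_pvid_conflicts(CONSTRUCTED_CONFLICT))
    print(vlan_pvid_conflicts(FIRST_POST_EXCERPT))
```

The check only compares the bridge's own pvid with the VLAN interfaces stacked on it; it says nothing about firewall rules or per-port pvid settings.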
 
webnoob
just joined
Topic Author
Posts: 17
Joined: Sat Apr 20, 2024 9:42 am

Re: Management VLAN issue

Tue Apr 23, 2024 2:47 pm

@anav, thank you, I'll try in my free time.
@tdw, great explanation! Thank you very much!
 
webnoob
just joined
Topic Author
Posts: 17
Joined: Sat Apr 20, 2024 9:42 am

Re: Management VLAN issue

Tue Apr 23, 2024 7:37 pm

I tried to fix this 'on the fly', so fresh config and new setup. I didn't set VLAN Filtering on the bridge and now I'm able to do configuration on ether 1-6. On ether7 I can get an IP, but I'm unable to configure MT from that point. Current config below. I'll also enable VLAN Filtering on the bridge and I'll describe the situation in the next message.
# 2024-04-23 18:35:10 by RouterOS 7.14.2
# software id = YEVK-ILAI
#
# model = RB5009UG+S+
# serial number = HFE09765FH3
/interface bridge
add admin-mac=78:9A:18:CA:4E:C4 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan1 vlan-id=11
add interface=bridge name=vlan2 vlan-id=12
add interface=bridge name=vlan3 vlan-id=13
add interface=bridge name=vlan4 vlan-id=14
add interface=bridge name=vlan100-mgmt vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.11.200-192.168.11.219
add name=dhcp_pool2 ranges=192.168.21.200-192.168.21.219
add name=dhcp_pool3 ranges=192.168.31.200-192.168.31.219
add name=dhcp_pool4 ranges=192.168.53.100-192.168.53.109
add name=dhcp_pool5 ranges=192.168.99.10-192.168.99.14
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=vlan1 lease-time=1m name=dhcp1
add address-pool=dhcp_pool2 interface=vlan2 lease-time=1m name=dhcp2
add address-pool=dhcp_pool3 interface=vlan3 lease-time=1m name=dhcp3
add address-pool=dhcp_pool4 interface=vlan4 lease-time=1m name=dhcp4
add address-pool=dhcp_pool5 interface=ether7 lease-time=10m name=dhcp5
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=13
add bridge=bridge comment=defconf interface=ether5 pvid=11
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=100
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3 untagged=ether6 vlan-ids=100
add bridge=bridge tagged=bridge,ether1,ether2,ether3 untagged=ether5 vlan-ids=11
add bridge=bridge tagged=bridge,ether1,ether2,ether3 vlan-ids=12
add bridge=bridge tagged=bridge,ether1,ether2,ether3 untagged=ether4 vlan-ids=13
add bridge=bridge tagged=bridge,ether1,ether2,ether3 vlan-ids=14
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan4 list=LAN
add interface=vlan100-mgmt list=MGMT
add interface=ether7 list=MGMT
add interface=ether8 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.100.1/24 interface=vlan100-mgmt network=192.168.100.0
add address=192.168.11.1/24 interface=vlan1 network=192.168.11.0
add address=192.168.21.1/24 interface=vlan2 network=192.168.21.0
add address=192.168.31.1/24 interface=vlan3 network=192.168.31.0
add address=192.168.53.1/24 interface=vlan4 network=192.168.53.0
add address=192.168.99.1/24 interface=ether7 network=192.168.99.0
/ip dhcp-client
add comment=defconf interface=ether8
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
add address=192.168.21.0/24 dns-server=192.168.21.1 gateway=192.168.21.1
add address=192.168.31.0/24 dns-server=192.168.31.1 gateway=192.168.31.1
add address=192.168.53.0/24 dns-server=192.168.53.1 gateway=192.168.53.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Removed for more clear view
/ip firewall nat
# Removed for more clear view
/ipv6 firewall filter
# Removed for more clear view
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[EDIT]
After VLAN Filtering enable:
- I can manage via ether1-5 (tested vlan1, vlan3 and on ether1-3: vlan-id=1 (IP 192.168.88.0))
- I _can't_ manage via ether7 and ether6 (dedicated ports)

I have no idea why it is working like that... What's wrong with the ether7 config, and why can't I manage when I set an IP on vlan100 (192.168.100.111/24 / gate ...1)?
 
tdw
Forum Guru
Posts: 1862
Joined: Sat May 05, 2018 11:55 am

Re: Management VLAN issue

Tue Apr 23, 2024 8:11 pm

Do you get an address via DHCP on ether7? You have no DNS server specified in /ip dhcp-server network for that subnet which may cause issues.

Can you ping the gateway addresses when connected via those ports having obtained or set an address?

Most likely is the firewall filter rules don't allow access for the MGMT interface list, only the LAN interface list.
 
webnoob
just joined
Topic Author
Posts: 17
Joined: Sat Apr 20, 2024 9:42 am

Re: Management VLAN issue

Tue Apr 23, 2024 9:56 pm

On ether7 DHCP is working. It is network ..99.0. Maybe you want to ask about ether6? Yes, there is no DHCP and I manually set IP, mask and gw on my PC. Then I can ping ..100.1, but no config is possible on both ether6 (vlan 100) and ether7 (no vlan, outside of bridge).
Last edited by webnoob on Tue Apr 23, 2024 10:05 pm, edited 2 times in total.
 
webnoob
just joined
Topic Author
Posts: 17
Joined: Sat Apr 20, 2024 9:42 am

Re: Management VLAN issue

Tue Apr 23, 2024 10:04 pm

Looks like management is possible on LAN only. Not on MGMT and WAN (this one I didn't test). So if I rename them then it should make more sense... But is this the reason? If there are no answers I'll test it tomorrow evening.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan4 list=LAN
add interface=vlan100-mgmt list=MGMT
add interface=ether7 list=MGMT
add interface=ether8 list=WAN
 
webnoob
just joined
Topic Author
Posts: 17
Joined: Sat Apr 20, 2024 9:42 am

Re: Management VLAN issue

Wed Apr 24, 2024 8:55 pm

Looks like now everything is fine. I configured management on the ports I want. Now it's time for the firewall, but that's a completely different topic. Thank you all very, very much!
