Community discussions

MikroTik App
 
LifeGame
newbie
Topic Author
Posts: 28
Joined: Mon Sep 26, 2016 5:30 pm

vlan on bridge

Mon Nov 28, 2022 12:44 pm

Hi,
Simple topology;
2.png
Conf Mikrotik x86 v7.5 ;
/interface vlan
add interface=bridge name=vlan1010 vlan-id=1010

/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=1010

/ip dhcp-server
add address-pool=LAN_Pool disabled=yes interface=bridge name=DHCP
add address-pool=Guest_Poll interface=vlan1010 name=Guest
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=8.8.8.8 gateway=\
10.0.10.1
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=\
192.168.10.1

/ip address
add address=XXX.XXX.XXX.XX comment=pubaddr interface=ether1 network=\
XXX.XXX.XXX.XX
add address=192.168.10.1/24 comment=Default_LAN interface=bridge network=\
192.168.10.0
add address=10.0.10.1/24 comment=vlan1010 interface=vlan1010 network=\
10.0.10.0

Qnap and other devices cannot get ip from vlan1010. Where am i doing wrong ?
You do not have the required permissions to view the files attached to this post.
 
erlinden
Forum Guru
Forum Guru
Posts: 1279
Joined: Wed Jun 12, 2013 1:59 pm

Re: vlan on bridge

Mon Nov 28, 2022 1:48 pm

I don't see the pools specified...is this your complete config?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14354
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: vlan on bridge

Mon Nov 28, 2022 2:28 pm

"Where am I doing wrong ?"

Yet, you know what to show us ?

See the problem....

As per erlindens comment.............
/export file=anynameyouwish ( minus router serial # and any public WANIP information )
 
LifeGame
newbie
Topic Author
Posts: 28
Joined: Mon Sep 26, 2016 5:30 pm

Re: vlan on bridge

Tue Nov 29, 2022 9:02 am

"Where am I doing wrong ?"

Yet, you know what to show us ?

See the problem....

As per erlindens comment.............
/export file=anynameyouwish ( minus router serial # and any public WANIP information )
I am sorry, I was thoughtless

/interface bridge
add ingress-filtering=no name=Bridge_Local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] disable-running-check=no name=ether1
set [ find default-name=ether1 ] disable-running-check=no name=ether2
set [ find default-name=ether2 ] disable-running-check=no disabled=yes name=\
    ether3
/interface vlan
add interface=Bridge_Local name=vlan1010 vlan-id=1010
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] src-address-list=local
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h nat-traversal=no
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
    name=IKE_Crypto nat-traversal=no
/ip ipsec peer
add address=28.XXX.XXX.XXX/32 local-address=21.XXX.XXX.XXX name=master \
    profile=IKE_Crypto
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1h pfs-group=\
    modp2048
add enc-algorithms=aes-256-cbc lifetime=1h name=IPSec_Crypto pfs-group=\
    modp2048
/ip pool
add name=LAN_Pool ranges=192.168.10.20-192.168.10.200
add name=Guest_Poll ranges=10.0.10.20-10.0.10.200
/ip dhcp-server
add address-pool=LAN_Pool disabled=yes interface=Bridge_Local name=DHCP_Local
add address-pool=Guest_Poll interface=vlan1010 name=DHCP_Guest
/port
set 0 baud-rate="(unknown)" name=serial0
set 1 name=serial1
/interface bridge port
add bridge=Bridge_Local interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=4096
/ipv6 settings
set max-neighbor-entries=2048
/interface bridge vlan
add bridge=Bridge_Local tagged=Bridge_Local,ether2 vlan-ids=1010
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=Bridge_Local list=LAN
add interface=ether1 list=WAN
/ip address
add address=21.XXX.XXX.XXX comment=pubaddr interface=ether1 network=\
    21.XXX.XXX.XXX
add address=192.168.10.1/24 comment=Local_NET interface=Bridge_Local network=\
    192.168.10.0
add address=10.0.10.1/24 comment=vlan1010_NET interface=vlan1010 network=\
    10.0.10.0
/ip dhcp-relay
add dhcp-server=192.168.101.2 disabled=no interface=Bridge_Local \
    local-address=192.168.10.1 name=Local_NET_DHCP
add dhcp-server=192.168.101.2 interface=*11 local-address=10.0.10.1 name=\
    Gues_DHCP
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=\
    10.0.10.1
add address=192.168.10.0/24 dns-server=192.168.200.5,192.168.200.6 gateway=\
    192.168.10.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=28.XXX.XXX.XXX list=Master_WAN
add address=192.168.100.0/23 list=Master_NET
add address=28.XXX.XXX.XXX list=Master_WAN
add address=28.XXX.XXX.XXX list=Master_WAN
add address=192.168.101.2 list=Master_DHCP
add address=192.168.10.0/24 list=Local_NET
/ip firewall filter
add action=accept chain=input comment="Allow WinBox" dst-port=62321,8088 \
    protocol=tcp src-address-list=Master_NET
add action=accept chain=input comment="Allow DHCP" src-address-list=\
    Master_DHCP
add action=accept chain=input comment="IPSec Port" dst-port=500,1701,4500 \
    protocol=udp
add action=accept chain=input comment=Established,related,untracked \
    connection-state=established,related,untracked disabled=yes
add action=accept chain=input comment=ICMP disabled=yes protocol=icmp
add action=accept chain=input comment="Local loopback (for CAPsMAN)" \
    disabled=yes dst-address=127.0.0.1
add action=accept chain=input comment="Master to WAN" in-interface-list=WAN \
    src-address-list=Master_WAN
add action=drop chain=input comment=Invalid connection-state=invalid
add action=drop chain=input comment="All not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="In IPSec" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Out IPSec" ipsec-policy=out,ipsec
add action=accept chain=forward comment="Established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment=Invalid connection-state=invalid
add action=drop chain=forward comment="WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=reject chain=input comment="Anti Hack Exploit" content=user.dat \
    reject-with=icmp-network-unreachable
add action=drop chain=input comment="Anti Hack Exploit" content=user.dat
add action=drop chain=forward comment=\
    "Memcrashed - Amplification Attacks UDP 11211" dst-port=11211 protocol=\
    udp
/ip firewall mangle
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=accept chain=srcnat comment="Route Traffic" dst-address=0.0.0.0/0 \
    src-address-list=Local_NET
add action=masquerade chain=srcnat comment=Masquerade ipsec-policy=out,none \
    out-interface-list=WAN
/ip ipsec identity
add peer=master
/ip ipsec policy
add action=none dst-address=192.168.10.0/24 src-address=192.168.10.0/24
add action=none dst-address=10.0.10.0/24 src-address=10.0.10.0/24
add dst-address=0.0.0.0/0 level=unique peer=master proposal=IPSec_Crypto \
    src-address=192.168.10.0/24 tunnel=yes
add dst-address=0.0.0.0/0 level=unique peer=master proposal=IPSec_Crypto \
    src-address=10.0.10.0/24 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=21.XXX.XXX.XXX routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.100.0/23 gateway=Bridge_Local \
    routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8088
set ssh disabled=yes
set api disabled=yes
set winbox port=62321
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Istanbul
/system hardware
set allow-x86-64=yes
/system identity
set name=On
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.101.2
/system scheduler
add disabled=yes interval=1h name=PubIP on-event=ReNewPubIP policy=\
    read,write,policy,test start-date=jan/01/1970 start-time=23:59:59
/system script
add dont-require-permissions=no name=ReNewPubIP owner=admin policy=\
    read,write,policy,test source=":local NewIP [/ip cloud get public-address]\
    \r\
    \n/ip address set [find where comment=\"pubaddr\"] address=\$NewIP network\
    =\$NewIP\r\
    \n/ip ipsec peer set master local-address=\$NewIP"
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14354
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: vlan on bridge

Tue Nov 29, 2022 12:58 pm

/interface list member
add interface=Bridge_Local list=LAN

add interface=vlan1010 list=LAN


Is the only thing I see at first glance that is missing.........
 
LifeGame
newbie
Topic Author
Posts: 28
Joined: Mon Sep 26, 2016 5:30 pm

Re: vlan on bridge

Tue Nov 29, 2022 1:08 pm

/interface list member
add interface=Bridge_Local list=LAN

add interface=vlan1010 list=LAN


Is the only thing I see at first glance that is missing.........
+add interface=vlan1010 list=LAN
The problem continues..
 
User avatar
Buckeye
Long time Member
Long time Member
Posts: 557
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: vlan on bridge

Thu Dec 01, 2022 3:58 am

My suggestion would be to configure ES48 port 47 as mirror port and start by mirroring port 48 to verify you are seeing the same thing there that you see with /tool sniffer on the Mikrotik x86 on ether2.
 
LifeGame
newbie
Topic Author
Posts: 28
Joined: Mon Sep 26, 2016 5:30 pm

Re: vlan on bridge  [SOLVED]

Mon Dec 05, 2022 11:48 am

@Buckeye, @anav
:( i found my mistake...
ESXi - Networking - Port Groups - Port_Name (which is used for lan) VLAN ID must be "4095".. not "0"

All done now.. Thanks for help ...

Who is online

Users browsing this forum: Ahrefs [Bot] and 20 guests