Mikrotik: Port Based VLANs – HQ


Hello there again, everybody. This is David again, right here with one of the tutorials that I've been posting on YouTube. Long time no see, yeah. I've been away for a bit, but lots of work and stuff to do. So basically, today we're going to do some MikroTik and we're going to do some VLAN and networking, exciting stuff. So basically, this video will cover the configuration of a MikroTik RouterBOARD, the CRS109, which is this device right here.

This is the monster, little monster, that we will be dealing with. I am going to be setting up some VLANs, some routing on this device and the wireless capabilities of it, so we'll be using it as a router and as a switch, and we'll also benefit from the VLAN switching capabilities that this device has to offer. So let's go back to square one. Okay, so that's it for the presentation of what we're going to do this time; I'm going to be, like, ordered. So let's try to go over my current setup. I have the MikroTik RouterBOARD.

This is the CRS109-8G-1S-2HnD-IN. This is the device that I just showed you, a great device, I recommend it because of its capabilities: it's powerful, its CPU, and also a lot of features that it has to offer. Secondly, we have the 3Com 4200 SuperStack 26-port Fast Ethernet switch, which is this device right here. This I got as a loan, let's say, from a teacher, in exchange for another one that I had.

Basically, I'm using these two for my testing, experimentation and all of that. My model does not have the SFP modules, but basically, if you look at this, all of these right here are 100 megabit ports, and these two I am using as trunk ports, as 802.3ad link aggregation, so for redundancy and double the bandwidth I'm using this as one trunk port to my MikroTik router. So my current LAN is set up like this. I have four VLANs. This first VLAN is for the CloudStack; I'm doing some virtualization, so I wanted to separate this from my normal work and wireless clients, so I decided to segment, to virtually divide my network into VLANs.

Secondly, we have the 167 network, which is for the MikroTik hotspot capability, which I'm using to serve wireless clients using some UBNT radios. The 254 network is the one that I use for normal daily work, where my satellite receiver, my computer, my laptop, the other laptop here, some Raspberry Pis and some other LAN devices are connected. So this is my normal work LAN, and this fourth one is the management VLAN that I created but, as it says here, I have not yet implemented. So that's about it for the setup. So, let's cross that over. What I have created on my MikroTik is a switch port, which I'm going to show you right here.

Let's see if we can see it in WinBox, or it's better to see it through the console. I'm accessing my MikroTik using a Cisco serial console cable. So for the VLANs, as you can see right here, I have VLAN 10, 167, 254, and I didn't create, as I told you, the management VLAN. So basically, what I'm going to show you: I'm going to try to log in to my MikroTik right here using the serial console. Let's try to log in to the MikroTik right here and go to `/interface ethernet print`, my current configuration. As you can see, these ports, ports 3, 4, 5 and 6, are grouped together in a switch group under a master interface, which is the port ether8. As you see by the description, this is a trunk port, which drives and transports the VLAN-tagged frames and sends and receives all of the tagged traffic.

The tagged frames from the 3Com switch. So basically, this is the part that concerns the switch. So basically, this is a four-port switch and these ports are access ports. Let's go over that. Okay, there you go; as I told you, hmm, to gain more access ports I'm using the 4200 switch.

Now, to be able to use the MikroTik as router and switch in just one device, we have to use the switch CPU as if it were an interface, another port. So basically, this is what this guy from this tutorial, which I also followed, explains in great detail right here. So I will put a link in the description of the video below, so you can go and have a look at this excellent post, which explains how the MikroTik CPU works. He also extracted that from the MikroTik wiki, but he explains it a little better.

So I chose his explanation over the MikroTik one, because that one is quite technical; I'm not so wise or brilliant to understand that, you know what I mean. So basically, he chose what he's going to do with his VLANs and I also use this, but I accommodated it to my own needs. I use the wireless chip on the CRS because, as I showed you right here, if it's going to wireless, I have some access points. I do not directly use the first interface, but I created virtual access points: one for my David Wi-Fi network, which is on the 254 VLAN, and the clients Wi-Fi, which I use to serve Wi-Fi, as I told you earlier. So I'm using a bridge to be able to use the WLAN capabilities of the MikroTik. Now, the configuration: I have three... four; this should be four, not three, because, as I was telling you earlier using this image, I am using ports 1 and 2 as my WANs.

I have two providers, so basically I'm using ports 1 and 2, ether1 and ether2, as WAN interfaces; ports ether3 and ether4 are access ports for the CloudStack network. I have two servers connected right here. The CloudStack and Citrix servers are connected to these ports, and they're access ports. Again, port 4... sorry, port 5 is seeing the 167 network, the hotspot network. Port 6 is used for my laptop. I have a cable connected directly to my laptop, because these guys are only Fast Ethernet, so 100 megabits only, so I connected my laptop right here, and ports 7 and 8 are used as trunk ports; they are bonded together.

Let me show you that right here. Under the interfaces you go to Bonding, and you can see that I have the 802.3ad protocol, so I'm using Link Aggregation Control Protocol to double the bandwidth of this link, and these two ports go to ports 25 and 26 of the 3Com 4200 switch as trunk ports, so they carry the tagged traffic back and forth. And now that I've shown you this, I am going to go into a little detail on how I did create, well, not exactly detail, as to how to create the VLANs on the 3Com switch; you will find documentation for that on the web. So basically, ports 1 through 8 are used for VLAN 10, for the CloudStack network. They are access ports, so they see untagged traffic. Ports 9 to 16 I am using for my 254 network.

They are also access ports for that network. Ports 17 to 20, or 21, I cannot remember off the top of my head right now, I use those for VLAN 167.

Then again, the hotspot network, to be able to extend it, connect more Wi-Fi radios in the future, and ports 23 and 24 are unused. So basically, I have those for VLAN 1, which would be the management VLAN for the switch, if I'm not mistaken. So basically, this is about all for this part of the setup. Now, I created the VLANs under port 8, which you can see right here; to be more clear, they are children of the ether8 interface.

Why am I using this? If you come from Cisco, these will be your sub-interfaces and, in my case, I'm using these right here as ingress. This is the configuration for the access ports, the VLAN tagging. You see that I'm using VLAN tagging on port 8 and the switch CPU; for VLAN 99 I'm using the switch CPU only, and for VLANs 167 and 254 I'm also using the ether8 and the switch CPU ports respectively. What I'm trying to achieve with this is to be able to use the MikroTik as a switch device and as a routing device.

So basically, this is what you would do if you had this guy, the 3Com switch, as your only switch and this guy, the MikroTik, as your router. As if you were using Cisco, you would do all of the Cisco stuff, routing and everything, there on the Cisco router; in my case, the 3Com will send all of the tagged traffic through the trunk ports to the trunk port on the MikroTik, and it will do all of the routing, in my case all of the VLAN routing, which we will use to do inter-VLAN routing and, in my case, give internet access to all of the VLANs. As it says here, the VLANs are created with ether8 as master interface; these will be the sub-interfaces, if you come from Cisco.

And to be able to use the WLAN, the wireless network, on the MikroTik, you will need to add the switch1-cpu as a port, and also the WLAN, to a bridge interface, which we will create later on in the video, and change the IP from the sub-interface, in my case the VLAN 254, to the bridge. As you can see from this IP configuration, I have the 254 going to the br-lan bridge, which, as you can see right here, has ports wlan3, which is a virtual wireless access point, and the VLAN 254. This is to be able to send traffic back and forth seamlessly from the wireless interface to the internet, and also if I want to do inter-LAN communication from my mobile phone or the tablet or whatever other device that you want to connect, and do inter-VLAN, inter-LAN routing and sending packets back and forth on the same local area network. So basically, this is about that.

Now we are going to explain what we are going to do. Firstly, we will reset the MikroTik to system defaults, a factory reset, and then we will create the group of switch ports, and then we'll start with the VLAN configuration. So I'll be back and we will start doing the interesting and the fun stuff from this tutorial right after this short commercial break. Okay, and now we're back. I'm gonna continue with the steps that I outlined before. This time we're going to reset the MikroTik device and make it like a brand new device to start configuring the VLANs and all of the stuff that I showed you right here. So you can see this has gotten quite complex over time as the VLANs grow. I have the hotspot.

I have some port forwarding, so you can see right here some NATing, some rules for the hotspot, for a webcam that I use to monitor my little pet, some restrictions to block unauthorized access, yeah, some brute-force rules. I will probably share some of this with you in future presentations, but for now let's go and do the reset. So first of all I am going to, and you should too, take a backup of your current configuration. Oh, working; I'm not going to encrypt the backup.

Let's hit the backup; you can see it right there. Now, system reset-configuration: give the user no default configuration and do not back up, because I've already taken one. So, let's go to the reset, and through the console you can see that I'm actually resetting the device. I'm not cheating; you could hear the beep, and in a couple of seconds you will hear the two beeps that indicate that the MikroTik device is reset to defaults and we can start working with it. So WinBox should have thrown us out, and there you have the beep. Now we log in as admin. I'm using again a console cable. I'm in; let's log in. As you can see, the name is back to MikroTik.

Let's do an `/interface ethernet print`. You can see that everything is back to factory defaults. So, basically, and following this tutorial, first we will need to create a switch group, like creating a virtual sub-switch in our MikroTik. This will serve as a placeholder or switch group. As you can see right here in this tutorial, we will have a switch port; it will be like a switch inside our MikroTik with 4 ports.

In our case, it will be 5 ports, ether3, 4, 5 and 6, with ether8 as master interface. So to carry on with the tutorial, we will do this, but I have done that already. I have taken a backup of my configuration. I have it right here.

So basically, the first steps that I do on every MikroTik that I set up are: set the time zone, change the SSH port and set the time, the NTP client, Network Time Protocol. So I am just going to copy this, and I'm using PuTTY, and I am going to paste this using the right-click. There you go, you have the basic configuration, and now we will create the switch port. In my case, I have named the interfaces accordingly, as I showed you in the first part of the video, and this is the name for the two WAN interfaces.
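Added example (the editor's, not the presenter's pasted commands): the backup, reset and baseline steps described above as RouterOS v6 CLI, which matches the master-port era of RouterOS shown in the video. The backup name, time zone, SSH port, NTP server name and the subnet used to restrict SSH are assumptions; disabling the clear-text services is a hardening step the video does not mention.

```routeros
# Added example, not the presenter's commands. RouterOS v6 syntax.
# All names and values below are constructed for illustration.

# 1. Backup before touching anything (unencrypted, as in the video)
/system backup save name=before-vlan-rework dont-encrypt=yes

# 2. Wipe the configuration: no default firewall/bridge, and skip the
#    automatic backup because one was just taken. The board reboots.
/system reset-configuration no-defaults=yes skip-backup=yes

# --- after the reboot, logged in again as admin over the console ---

# 3. Time zone and NTP client (v6 form; assumed server name)
/system clock set time-zone-name=Europe/Madrid
/system ntp client set enabled=yes server-dns-names=pool.ntp.org

# 4. Management access: move SSH off port 22 and only accept it from the
#    work LAN (subnet assumed); switch off the clear-text services.
/ip service set ssh port=2222 address=192.168.254.0/24
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes

# 5. Name the WAN ports the way the video does (two providers)
/interface ethernet set ether1 name=ether1-wan1
/interface ethernet set ether2 name=ether2-wan2
```

Renaming ether1/ether2 is optional; the later VLAN commands in the video only rely on ether3 to ether8 keeping their default names.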

So, let's again copy this and paste it into the MikroTik console window, like this. Great, now let's do a print to make sure that everything is as we expect it to be. Okay, so we have ether3, 4, 5 and 6 with their master port as ether8. Oh, this is working; let's go out of that. Now, let's follow along with the tutorial. It said that you have to set VLAN tagging on the CPU port for the VLANs, to make packets tagged before they get routed, and create some ingress VLAN translation rules to ensure the correct VLAN ID assignment is done on the access ports.

So this is something that has to do with the access ports. Let's log in to the MikroTik, but this time using the MAC address. As you can see, there is no configuration. The VLAN is just 4095, which is the default for every MikroTik device; all ports belong to that VLAN. There is no VLAN tagging; there are no ingress or egress VLAN rules apart from the defaults. So basically, no switches, no weird or strange configurations. The bond that I created disappears, as you can see; the VLANs are no longer there.

So, to continue with the tutorial, we just did this, so let's cross that out. For forwarding the VLAN traffic, in this tutorial it's VLANs 3, 200, 300 and 400 respectively, and they create the ingress VLAN translation so that all of the packets get tagged when they arrive on the access ports. These are the rules for creating the access ports and making sure that untagged traffic is on those specific ports. In my personal case, my configuration, which I had before the reset, I will create... I have comments on all of the VLANs to have everything organized. So, interface ether8.

The L2 maximum transfer unit is 1584, and the VLAN name is VLAN 10 and the VLAN ID, again, 10. So we will create the VLANs, but let's do it on the console. There you go. I usually do a print after I execute a command to make sure that everything is okay. So the CloudStack VLAN, the management VLAN, the hotspot VLAN and the work VLAN are created, and they're created under, or with, ether8 as their master or father interface, if you want to call it like that. So basically, these are the VLANs. But in MikroTik, if you come from Cisco, where you just create the interfaces in the VLAN segment of the configure terminal section of the Cisco routers...

Here you have to make the VLANs be like children, if you want to call it like that, of the interface. So in our case we will do that with the ether8 port. Now we create the egress VLAN translation. Let's do that. What's that for? Okay, so the switch port's egress VLANs: set the VLAN tagging on the CPU port.

Okay, I've already gone through that. So basically I'm going to copy this chunk of code first and then the other one. Let's go out of that mode. Let's finish creating the VLAN tagging for the egress translation. So, as you can see here, we're going to add the switch1-cpu port, the switch CPU port, as a tagged port, because MikroTik will internally remove those tags and send the traffic accordingly, following the VLAN rule, and it will use its intelligence, let's call it that, to send the packets and route them to the right port.

Now we create the same, but for the access ports. In my case, I will use... let's do this by the keyboard, like this. Do this and then do a print. Okay, as I expected, you can see the ingress VLAN translation, the rules that I just created, and which ports will be untagged, or access ports if you come from Cisco again. So ether3 and 4 belong to VLAN 10, ether5 belongs to VLAN 167 and ether6 belongs to VLAN 254.

So basically, that's about that. I didn't do the print on the previous command, so please forgive me for that. So, let's reconnect to the MikroTik, because I was kicked out. Okay, now you can see that the configuration starts to look more familiar, like the one that I had before. We created the children VLAN interfaces, or sub-interfaces if you're Cisco people; we created the VLAN tagging rules; we created and set up the ingress VLAN translation; and the egress VLAN translation will not show here.

You will see that right here. Okay, so you go right here: you can see the ports, okay, port isolation. You can see that ports 3, 4, 5, 6 and 8 and the switch CPU port are here because we created the egress VLAN translation. So, basically, if you want to see that you will go to interface, ethernet, switch, egress VLAN translation, or tagging, I can't remember correctly... yeah, it was egress VLAN tagging, yeah, egress VLAN tagging. We print the rules and you can see the tagging.

That is taking place. This is a dynamic VLAN, as I told you, the 4095, which is the default MikroTik VLAN, and you see that this is not important. This is the management VLAN, which is not working at the moment, but VLAN 10 has tagged ports ether8 and switch CPU, and so do VLAN 167 and VLAN 254. Good, so I showed you everything that's been done up until now. Now we will actually create the VLAN interfaces, as you would do on a Cisco or another device. What we are going to do here is add all of the ports that we will be using on that specific VLAN. In this case, we will use ether3, 4 and 8 and the switch CPU for VLAN 10; ports 5 and 8 and the switch CPU port for VLAN 167; and ports ether6, ether8 and the switch CPU port for VLAN 254.

As you see, I didn't create a VLAN 99 because I'm not actually using it. So, let's copy and paste that and then print our brand-new configuration, and you can see all of the ports belonging to all of the VLANs here. It doesn't differentiate between access and trunk ports; in this case, the access ports are 3, 4, 5 and 6 and the trunk ports will be the ether8 port and the switch CPU port respectively. Alrighty. Now we're going to assign IP addresses to the virtual interfaces or, again, if you come from Cisco, to the sub-interfaces that we created earlier. This will serve the purpose of gateway, or layer 3, our upper layer for the VLANs, so we get inter-VLAN routing, which is the sole purpose of this tutorial.
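Added example (the editor's reconstruction, not the presenter's pasted commands): the complete switch-chip VLAN configuration for a CRS1xx in RouterOS v6, covering the switch group, the VLAN sub-interfaces on ether8, the egress tagging, the ingress translation and the VLAN membership table from the steps above. The port-to-VLAN mapping (ether3 and ether4 to VLAN 10, ether5 to VLAN 167, ether6 to VLAN 254, with ether8 and switch1-cpu carrying tagged traffic) follows the video; the interface names and comments are assumed, VLAN 99 is left out as the presenter did, and the final `drop-if-invalid...` setting is a hardening step the video does not include.

```routeros
# Added example (RouterOS v6, CRS1xx switch-chip menus), not the presenter's
# exact commands. Names and comments are constructed.

# 1. Switch group: the access ports join ether8's switch group, so frames are
#    switched in hardware and reach the CPU only through switch1-cpu.
/interface ethernet set ether3,ether4,ether5,ether6 master-port=ether8

# 2. Router-side VLAN sub-interfaces, the "children" of ether8
/interface vlan
add name=vlan10  vlan-id=10  interface=ether8 comment="CloudStack"
add name=vlan167 vlan-id=167 interface=ether8 comment="Hotspot"
add name=vlan254 vlan-id=254 interface=ether8 comment="Work"

# 3. Egress: frames leaving towards the trunk port or the CPU keep their tag
/interface ethernet switch egress-vlan-tag
add vlan-id=10  tagged-ports=ether8,switch1-cpu
add vlan-id=167 tagged-ports=ether8,switch1-cpu
add vlan-id=254 tagged-ports=ether8,switch1-cpu

# 4. Ingress: untagged frames (customer-vid=0) on an access port are given
#    that port's VLAN id before they are switched
/interface ethernet switch ingress-vlan-translation
add ports=ether3 customer-vid=0 new-customer-vid=10  sa-learning=yes
add ports=ether4 customer-vid=0 new-customer-vid=10  sa-learning=yes
add ports=ether5 customer-vid=0 new-customer-vid=167 sa-learning=yes
add ports=ether6 customer-vid=0 new-customer-vid=254 sa-learning=yes

# 5. Membership table: which ports may carry each VLAN at all
/interface ethernet switch vlan
add vlan-id=10  ports=ether3,ether4,ether8,switch1-cpu learn=yes
add vlan-id=167 ports=ether5,ether8,switch1-cpu learn=yes
add vlan-id=254 ports=ether6,ether8,switch1-cpu learn=yes

# 6. Hardening the video skips: without this, a frame that arrives already
#    tagged on an access port, or tagged with a VLAN the port is not a member
#    of, is still switched. Dropping it keeps a host on ether6 confined to
#    VLAN 254 regardless of what tag it sends.
/interface ethernet switch set \
    drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether3,ether4,ether5,ether6,ether8

# Verify: every access port should show only its own VLAN, the trunk all three
/interface ethernet switch vlan print
/interface ethernet switch ingress-vlan-translation print
```

The three switch-chip tables must agree with each other: a port listed in `egress-vlan-tag` or `ingress-vlan-translation` but missing from the `vlan` membership entry will simply not pass that VLAN, which is the usual cause of the "ping never returns" symptom when a cable is moved to the wrong access port.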

Isn't it? So basically, what we'll do here is create a virtual gateway for all of the VLANs that we just created. We copy this, paste it, okay. For these two interfaces we have errors, because I do not yet have either the br VLAN interface or the hotspot interface. But I will add an address to the interface.

So: add address 192.168.1... 1.2.5.4, interface. It's not adding a comment, and let's print what we just did. So basically now you have the interfaces. These will be the virtual interfaces. If you go here and you say, eh, why didn't that work?

Because, as I was telling you, I bridged the WLAN, one of the virtual wireless access points that I created, and the VLAN interface for my 254 network, to be able to have clients wired and wirelessly connected to my network on the same subnet, in this case VLAN 254. So the bridge has not been created, so MikroTik says that there is no such interface. So if you get lost there with that mistake, there you have the explanation. So here you have what I just did. This is the gateway. This will be the gateway for the 254 network.

So, let's move to that. I am going to create the default gateways for the networks. There you go, and let's print those again. 1.1 and 1.2; there are some inconsistencies here, because this will be 2.5.0. So basically that's about it. Alrighty, good. So now, let's do some DNS configuration, so I can show you that all of the clients inside the VLANs work and are able to browse the net, because this is the sole purpose of this tutorial. And finally, I will show you what I did with the bridge and show you, via WinBox, how I bridged the VLAN and the WLAN interfaces to be able to browse wirelessly and with wired clients.

So let's copy and paste these default routes. Let's do that. You will see some routing marks here, because I'm doing the PCC load balancing thing with my two WANs, to have more bandwidth and redundant WAN links. So that's about that; don't worry about it.

Okay, so let's do some testing now. Okay, we enable the routing, we add the VLAN interfaces on the master port, because it connects with the CPU port, and the IP address is created on the VLAN interfaces, as I was telling you earlier. So this is what they do. Okay, so I just turned on one of the CloudStack servers, which is connected to port... I don't know, I can't remember, let me check... and so on, port 4. So now what I am going to do is try to ping one of the servers, the CloudStack server that I was telling you about earlier, which is on the 172.16.10 network and is host number 2.

There you go, it's reachable from the MikroTik, which shouldn't be really weird, because it's directly connected to it. So, let's do that from the Windows computer to test inter-VLAN routing, which is what we came for today, yeah. So basically, what I'm gonna do, first and foremost, is remind you that previously I had my router, my MikroTik, set up with a DHCP server.

I was telling you that I was on the 254 network. Now there is no DHCP on that network, and Windows obviously fell back to the standard or default configuration with that 169.254.something network, so I have to use a statically assigned IP in that range. So for this test I will use 254.254 on the same network. I'm going to need to set and use the gateway, because that way it will know about the other networks. Okay!

So now I'm on that, yeah, on the 254. Yes, okay! So, let's first ping my gateway, the MikroTik. Okay, so let's see what's going on there. So okay, here is the problem: I do not have any address assigned to that interface. I have to do that, enabling the interface. If there is no such interface... there you go. The thing is up, good.

Now, let's test the CloudStack server mentioned earlier, which is .2. There you go, inter-VLAN routing is set up and configured. All right, good. Now, let's log in to that CloudStack server. Let's go there. Good, it will take some time, because I have not yet configured the NAT rules to make them internet-aware, so it will take a bit. Good.

Now, let's try to ping the server's default gateway. Good, so the server is seeing the MikroTik, which is great. Let's see if it's able to ping one of the hosts on the 254 network, my own computer. There you go, inter-VLAN routing and interconnection is working. Now, for the final step, let's see if any of these guys has internet, which they shouldn't, no. Yeah, obviously not, because the NAT rule that we should have here for that purpose is not there, so we will create it as masquerade right here. We can either use rules for all of the networks that we'll be connecting to our MikroTik via the VLANs, or we can just leave it as default. If you want some of your VLANs to not have access to the internet, you will just have to list them right here in the src-address, or source address.

Let's try that. I am going to allow the 254 network to be able to browse the net. So check that the ping is not working; I'm pinging one of the Google DNSes, or some of those DNSes. I have not enabled the rule yet, not applied the changes, but technically, as soon as I hit the apply button, the ping should come up and the statistics, the traffic, will start flowing. What happens to the Linux machine? Okay, let's go back, let's go back there; it threw me out. Okay, so my computer is now internet-able, there you go. So, let's see if our CloudStack server has internet access. Well, this is not about NAT or anything like that. I just want to show you that you can have inter-VLAN communication, but you can segregate or, yeah, discriminate between the networks that will and those that will not have internet access.

So basically it's not working for the Linux server. But if you go to the same rule and, instead of the 192.168 block, you use the network in the CloudStack range... let's do that again. The lazy way works: double-click, apply, and the ping should go up, which it doesn't.

Okay, let's try pinging another host. So that was about it, and now the Windows and Linux hosts work the way they should. So there you go; it was down for a bit, yeah, one dropped packet, probably the internet connection failed or something. And if you want all of your VLANs to have internet access, just do this: remove the source address, ping again, and all of the networks have internet connectivity; the VLANs are reachable, okay. So now I am going to do one of the tests because, as you can see, or as I told you rather, because you have not seen that, I have the CloudStack server, which is on VLAN number 10, connected directly to the MikroTik on port 4, so I am going to disconnect it. Let's wait for a bit, so you can probably hear when I disconnect.
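Added example (the editor's, not the presenter's): the per-VLAN gateway addresses and the selective masquerade discussed above, plus a forward-chain filter the video does not include. Only the 172.16.10.0 CloudStack range and the 192.168 work block come from the video; the exact gateway addresses, the hotspot subnet, and ether1 as the single WAN interface are assumptions (the presenter's two-WAN PCC routing marks are left out).

```routeros
# Added example (RouterOS v6), not the presenter's configuration.
# Subnets: CloudStack 172.16.10.0/24 (video), Work 192.168.254.0/24 (video's
# "192.168 block" on the 254 network), Hotspot 192.168.167.0/24 (constructed).

# 1. One gateway address per VLAN sub-interface (layer 3 for each VLAN)
/ip address
add address=172.16.10.1/24   interface=vlan10  comment="CloudStack gateway"
add address=192.168.167.1/24 interface=vlan167 comment="Hotspot gateway"
add address=192.168.254.1/24 interface=vlan254 comment="Work gateway"

# 2. Selective NAT: only the networks listed in src-address get out.
#    The CloudStack VLAN has no rule here, so its hosts can reach the other
#    VLANs but not the internet, exactly the state shown in the video before
#    the presenter widened the rule. Add a third rule to give it internet.
/ip firewall nat
add chain=srcnat src-address=192.168.254.0/24 out-interface=ether1 \
    action=masquerade comment="Work VLAN -> internet"
add chain=srcnat src-address=192.168.167.0/24 out-interface=ether1 \
    action=masquerade comment="Hotspot VLAN -> internet"

# 3. Caveat: once the VLAN interfaces have addresses, the router forwards
#    between every pair of VLANs. The segmentation the VLANs were created for
#    (keeping hotspot guests away from the work LAN and the servers) only
#    holds if the forward chain says so. Rules are evaluated top to bottom.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to allowed sessions"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan167 out-interface=vlan254 action=drop \
    comment="hotspot guests cannot reach the work LAN"
add chain=forward in-interface=vlan167 out-interface=vlan10 action=drop \
    comment="hotspot guests cannot reach CloudStack"

# Verify from the router: ping each gateway and watch the NAT counters grow
/ping 172.16.10.2 count=3
/ip firewall nat print stats
```

The `established,related` accept sits first so that a work-LAN host can still open a session towards a hotspot device and receive its replies; only sessions initiated from the hotspot side are dropped.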

You will see that the ping will stop, yeah, very hot, and I am going to connect it to port 1 on the 3Com switch, and the ping should return after some seconds. Let's see if it does. There you have it: VLAN tagging, trunk port and inter-VLAN routing are working as expected. So basically, there you have it. If I remove the server cable, and I am going to, you have to take my word for it, I am going to place this computer on another port.

I am going to place it on port, ah, 10, which is one of the 254 network ports, on VLAN 254, one of the access ports for the 254 network. The ping shouldn't return; it will always time out, because I am connecting the cable of that server to an access port of a network that it doesn't know about. So there you have it: not a timeout this time, but it doesn't know who the gateway for that network is. So let's go back to the right port. Let's connect it again to port 1 and the ping should come back up in a few seconds. There you have it.

Okay, so our VLANs are working, internet access for all of the VLANs. So this is VLAN... so you can see that I'm not lying to you. Here you have the right interface from the Linux machine, constant ping, the MikroTik set up for all of the VLANs, and switch-based and port-based VLANs with the MikroTik acting as our switch and our router. So VLAN tagging is working, and now I am going to wrap this up. I am going to show you, from the Word document, the working setup. So basically, this one and this one can be crossed out. And finally, I am going to show you how I did manage to integrate or bond, let's say bridge, the wireless interface and the VLAN.

Let's first go to the wireless: it's using the default MikroTik; hit apply there. This is a test, so no need for a password or anything. So, basically, what you will need to do is go into Bridge, create a bridge, let's call this br-wifi; the defaults are pretty much the same. Now we go to the ports, we add the wlan1 interface and we add the VLAN 254, but this is not all, okay.

We now need to change the IP on the VLAN to the bridge port, so that DHCP, which we will set up in a few seconds, will work. So you go into IP and change the interface from VLAN 254, in my case, to br-wifi. Okay, now we're going to set up DHCP right here. Let's do it the quick and dirty way: br-wifi.

Okay, we have the address space, the gateway, that's correct. Okay, this is also fine, yeah, but let's just set a shorter range. DNS is okay. The lease time is okay, and now I am going to go right here: I'm going to disable my wired LAN, I am going to enable... let's close out of this, I am going to enable my Wi-Fi. I will look for a network called MikroTik.

Okay, yeah, I forgot something. Let's go back, or I can do it from the console right here. So basically I can do interface wireless... ah, let's not go over crap. So basically, you see that DHCP is working on that interface because I bridged the wired and the wireless interfaces.

So basically I'm going to go back to the MikroTik, to WinBox. Okay, let's go there, and I missed a step which is very important: I didn't set up the wireless interface as ap-bridge and I didn't enable it either. So, basically, silly me, yes, okay, so let's disable this one, re-enable this one. Okay, look for the right network, which should be right here as MikroTik with no password; connect automatically.
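Added example (the editor's, not the presenter's clicks in WinBox): the bridge, the address move, the DHCP server and the ap-bridge step the presenter initially missed, as RouterOS v6 CLI, in the order that avoids the "no such interface" error seen earlier. The bridge name, DHCP pool range, lease time and the use of the router as the clients' DNS server are assumptions; the WPA2 security profile and the DNS input filter are hardening the video does not show (the video uses an open test network).

```routeros
# Added example (RouterOS v6), not the presenter's steps. Subnet
# 192.168.254.0/24 is taken from the video's 254 network; everything else
# below (names, pool, lease time, WAN=ether1) is constructed.

# 1. Wireless as an access point. ap-bridge mode is what allows the WLAN to be
#    a bridge port; the video forgot both the mode and enabling the card.
#    A WPA2 profile replaces the open SSID (pre-shared key is a placeholder).
/interface wireless security-profiles
add name=wifi-wpa2 mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="CHANGE-ME-placeholder"
/interface wireless set wlan1 mode=ap-bridge ssid=MikroTik \
    security-profile=wifi-wpa2 disabled=no

# 2. Bridge the WLAN with the work VLAN sub-interface so wired and wireless
#    clients share one broadcast domain and one subnet
/interface bridge add name=br-wifi
/interface bridge port
add bridge=br-wifi interface=wlan1
add bridge=br-wifi interface=vlan254

# 3. Move the gateway address from vlan254 to the bridge (must happen after
#    the bridge exists, otherwise RouterOS reports "no such interface")
/ip address set [find interface=vlan254] interface=br-wifi

# 4. DHCP on the bridge: a pool that is deliberately shorter than the subnet,
#    leaving room for static addresses such as the gateway and servers
/ip pool add name=pool-wifi ranges=192.168.254.100-192.168.254.199
/ip dhcp-server add name=dhcp-wifi interface=br-wifi address-pool=pool-wifi \
    lease-time=1h disabled=no
/ip dhcp-server network add address=192.168.254.0/24 gateway=192.168.254.1 \
    dns-server=192.168.254.1

# 5. Handing out the router as DNS server requires remote requests; that
#    also answers queries arriving on the WAN, so drop those on the input
#    chain (ether1 assumed to be the WAN) to avoid running an open resolver.
/ip dns set allow-remote-requests=yes
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no DNS service towards the internet"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

# Verify: leases should appear as clients associate
/ip dhcp-server lease print
/interface wireless registration-table print
```

Order matters in step 1 through 3: the wireless card must be in ap-bridge mode before it can be added as a bridge port, and the address move only succeeds once br-wifi exists.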

Let's try to connect. It says limited, connected, and let's check MikroTik internet access, which address, and there you go. We have managed to turn our MikroTik into a full-fledged solution for routing and switching. So basically, what you see here is the good old RouterBOARD, this baby right here, working as a switch with trunk port, access ports, wireless and wired clients, management network, everything working and everything set up from scratch. So I think this is just about it. Thanks for watching; if you like it, please comment, rate and subscribe. All of the links to the tutorials used in this video will be down there in the description of the video.

Thank you for watching, muchas gracias. Goodbye.
