Using a Mikrotik router for UFB VLAN10 802.1Q tagging

By Steve Biddle, posted: 7-Nov-2014 08:03

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

PLEASE NOTE: Unless you have very good reason for wanting to move away from the hardware your ISP supplies you should always use it. Using non ISP supplied hardware does break the terms & conditions of some ISPs and I am not responsible if they come chasing after you. You should never expect to receive any support at all from your ISP if you are planning to use non approved hardware. I will not provide support or help if you can’t get this working – I suggest you post in the Geekzone Forums if you need help and somebody may be able to help you.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Here in New Zealand the number of UFB connections is currently increasing rapidly as the network rollout focus moves from high priority schools and business users towards residential users. While many people signing up for UFB are happy to use the router or residential gateway (RGW) supplied by their ISP, some may want to use their own hardware. There are a few obstacles to overcome to do this which I’ll explain below.

Most ISPs by default will require an 802.1Q VLAN tag of 10 to be set on the WAN interface of your router. The vast majority of Ethernet routers available on the market do not support the ability to set a VLAN on the WAN port, but this is changing quickly as vendors realise this has become the default standard on fibre networks around the world. In the fibre world this is known as a tagged UNI port.

So why does a VLAN have to be set?

To understand that requires a basic understanding of networking. Traffic over your UFB connection is split into two categories – low priority, and high priority. The 30Mbps, 50Mbps, 100Mbps or 200Mbps headline speeds that are available with current UFB connections are known as an Excess Information Rate (EIR) and fall into the low priority category. This speed is best effort, with absolutely no guarantee of performance or throughput. There is certainly no guarantee this headline speed will be available 24/7, and a user should not have an expectation that this will be the case.

Your UFB connection also has a Committed Information Rate (CIR) component which falls into the high priority category. The CIR value ranges from 2.5Mbps to 10Mbps on most plans and is guaranteed bandwidth for both upstream and downstream (which may have different CIR figures in each direction). You should expect to be able to obtain this guaranteed bandwidth 24/7 between your router and your ISP.

The catch with the CIR is that it’s only accessible with the correct 802.1p tag on your traffic. The 802.1p tag is a value between 0 and 7 inside the 802.1Q section of an Ethernet header that specifies the priority of individual packets. By default all Ethernet traffic will typically have an 802.1p value of 0 and will be placed in the low priority EIR queue. To access the CIR component of your connection you need to tag traffic with an 802.1p value of 4 or 5 (depending on your connection type) on a UFB connection here in New Zealand.

So what use is the CIR? The High Priority CIR component is especially suited to voice or video applications where guaranteed bandwidth and low latency are important. If your ISP offers VoIP services they are most likely using this CIR component to guarantee the quality of their VoIP service as traffic in the low priority and high priority queues have different network performance targets for common network measurements such as jitter and packet loss. If you’re using your own router with VoIP it’s best practice to create QoS or firewall rules to tag voice traffic to use the CIR. As usual with any CIR you need to ensure that you have local policies in place to manage this bandwidth to handle traffic that may be generated in excess of the CIR.

It’s worth mentioning now that Chorus along with the other Local Fibre Companies (LFCs) responsible for the UFB rollout support untagged UNI ports and this is something that some ISPs do offer. An untagged UNI port means there is no requirement for a VLAN10 tag, but it also means you will have no high priority CIR component on your connection as an 802.1p tag can only be set inside an 802.1Q VLAN header.
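The tag layout described above, worked through in Python. This is an added example, not code from the original post: the sample frame and its MAC address are constructed, and cir_pcp=4 is an assumption, since the article says the CIR value is 4 or 5 depending on connection type.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed sample: an untagged PPPoE discovery (PADI) broadcast, as a
# router behind the bridge might send. The source MAC is made up.
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + struct.pack("!H", 0x8863) + bytes.fromhex("110900000000"))


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the two MAC addresses."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority must be 0-7")
    tci = (pcp << 13) | vid  # 3-bit priority, 1-bit DEI (left at 0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vid, pcp) for a tagged frame, or None for an untagged one."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None  # untagged: no 802.1Q header, so nowhere to carry 802.1p
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13


def queue_for(frame: bytes, cir_pcp: int) -> str:
    """Classify a frame as the article describes: only cir_pcp reaches the CIR."""
    tag = parse_tag(frame)
    if tag is not None and tag[1] == cir_pcp:
        return "CIR"
    return "EIR"


if __name__ == "__main__":
    for label, f in [("untagged", UNTAGGED),
                     ("VLAN 10, priority 0", add_tag(UNTAGGED, 10)),
                     ("VLAN 10, priority 4", add_tag(UNTAGGED, 10, pcp=4))]:
        print(f"{label:20} {f[12:16].hex()} tag={parse_tag(f)} -> {queue_for(f, cir_pcp=4)}")
```

A frame tagged only with VLAN 10, which is what the bridge setup in this guide produces, carries priority 0 and stays in the EIR queue.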

So what solutions are there for somebody wanting to use a device that doesn’t support VLAN tagging? There are two that are simple – a switch capable of VLAN tagging that you can use to add the VLAN 10 tag to your traffic, or a Mikrotik Routerboard which can also do the same thing. I’ll describe how to do this with a Mikrotik Routerboard.

With either approach you will be unable to set any 802.1p tagging in your router, as traffic leaving your router will not have an 802.1Q header. If you are using a Mikrotik it is possible to create mangle firewall rules inside your Mikrotik to set the priority of traffic inside the bridge, but this is outside the scope of this guide.

Something such as a Mikrotik RB750 device makes the perfect solution to tag your traffic. While any Mikrotik device out there with multiple Ethernet ports can be used, the RB750 is a nice low cost device that will achieve this. One thing to note is that the RB750 only supports 10/100 Fast Ethernet ports; if you have a UFB connection with a faster speed you’ll need something such as an RB750GL that supports Gigabit Ethernet ports.

The basic principle of this setup is to create a VLAN10 tag on an interface, and create a bridge to bridge together VLAN10 with another Ethernet port that you can plug your router into. The example below will create VLAN10 on Ethernet port 1, and bridge this to Ethernet port 2. You would then run a cable from Ethernet port 1 to your ONT, and plug your router into Ethernet port 2.

There are multiple ways to log into a Mikrotik router (SSH, telnet, Winbox or web browser) so I’ll leave that option up to the end user. This is not a guide to using Mikrotik hardware or RouterOS (which does have a steep learning curve) so please don’t ask me questions on this.

Once logged in ensure you delete all existing configuration in the device and either add an IP address to a port you will not be using, or use Winbox MAC address discovery to log into the Mikrotik.

From the terminal enter the following commands:

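# Create the VLAN 10 interface on the port that connects to the ONT (ether1)
/interface vlan
add interface=ether1 l2mtu=1522 name=vlan10 vlan-id=10

# Create the bridge
/interface bridge
add name=UFB_Bridge
# Bridge VLAN10 with the port your own router plugs into (ether2)
/interface bridge port
add bridge=UFB_Bridge interface=vlan10
add bridge=UFB_Bridge interface=ether2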

Or, if you want to create this from Winbox via the GUI, the following screenshots will help:

1) Add a VLAN with a VLAN ID of 10 to the interface you wish to use as your WAN port (in this case I’ve used ether1)

[Screenshot: ufb vlan1]

2) Create a Bridge – you can call this whatever you like.

[Screenshot: ufb vlan4]

3) Add VLAN10 and the Ethernet port you wish to plug your router into to the Bridge

[Screenshot: ufb vlan3]

You should now connect an Ethernet cable from Ether1 (or the port you selected) of your Mikrotik device to your ONT, and plug your router into Ether2 (or the port you selected). Assuming your router is configured with the correct PPPoE or DHCP settings for your ISP, you should now be connected. Some ISPs may tie DHCP leases to a specific MAC address in which case you’ll need to clone the MAC address of your ISP supplied router into your router.


Comment by sdavisnz, on 7-Nov-2014 08:20

Also this Google doc shows options of other hardware available

Comment by pohutukawa, on 7-Nov-2014 19:54


Comment by TangoNZ, on 9-Nov-2014 12:37

Interesting article. I'm curious as to the reason why you would bridge through to another router when Mikrotik is so capable already? Is there something you use on another router that Mikrotik cannot do? I have an RB2011 in place for UFB on Snap and it's great. Cheers.

Author's note by sbiddle, on 9-Nov-2014 13:23

You could easily use a Mikrotik (I deploy them daily), but the learning curve for configuring one is beyond many people. There are also many reasons why you wouldn't want to, including wanting an all in one device for VoIP and/or 802.11ac which you're not going to get from Mikrotik.


Comment by deadlyllama, on 10-Nov-2014 10:18

Why use an RB750 when you could use an RB260GS switch? Cheaper, and gigabit.  Not that I have any experience with them...

Comment by pohutukawa, on 14-Jan-2015 15:51

Hey there!

"You would then run a cable from Ethernet port 1 to your ONT, and plug your router into Ethernet port 2."

Do you mean plug your switch into Ethernet port 2, or are you only utilising the RB750 for VLAN tagging and not performing any routing role with it?

Is there any way to have the RB750 do the VLAN tagging and be the main router?

Thx!

Comment by Paul Martin, on 25-Apr-2015 16:37

+1 for pohutukawa

Keen to use a RB750 as a replacement for orcon genius. Struggling a bit with the set up though.

Comment by HamishMacEwan, on 25-Apr-2016 16:12

Hi Steve,

Thanks for this helpful article.  

Could you clarify one thing for me, "The 802.1p tag is a value between 0 and 7 inside the 802.1Q section of an Ethernet header that specifies the priority of individual packets."

You detail how the 802.1Q VLAN tagging is imposed by the MikroTik, but what sets the 802.1p tag?  Who decides what gets the higher priority?

Apart from prioritisation, why the VLAN 10 requirement (except when there isn't any as you point out)?

Since I haven't explicitly set any 802.1Q tagging, I guess I've got "An untagged UNI port" but would like to know if I set up VLAN 10 and somehow 802.1p tag appropriate packets I can still bring up PPPoE?

Thanks again for the tips.

Comment by Andy, on 3-May-2016 23:22

Nice article you have there!

I'm also using MikroTik as dialer, and here's my configuration:

I created vlan10 on ether1, then created pppoe-out1 (as dialer) using interface vlan10, and it worked like charm.

Ps: Don't forget to set: ip firewall nat -> chain: srcnat, out interface: pppoe-out1, action: masquerade.

Comment by pohutukawa, on 19-Jun-2016 16:17

Hey Andy, do you have an email I can contact you on? I have a couple of questions re. your setup. Thanks!

Comment by tokoroa, on 2-Feb-2017 19:59

Hi. Can I connect my Netgear router to myrepublic UF fiber network? Thanks
