Using a Mikrotik router for UFB VLAN10 802.1Q tagging

By Steve Biddle, posted: 7-Nov-2014 08:03

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

PLEASE NOTE: Unless you have very good reason for wanting to move away from the hardware your ISP supplies you should always use it. Using non ISP supplied hardware does break the terms & conditions of some ISPs and I am not responsible if they come chasing after you. You should never expect to receive any support at all from your ISP if you are planning to use non approved hardware. I will not provide support or help if you can’t get this working – I suggest you post in the Geekzone Forums if you need help and somebody may be able to help you.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Here in New Zealand the number of UFB connections is currently increasing rapidly as the network rollout focus moves from high priority schools and business users towards residential users. While many people signing up for UFB are happy to use the router or residential gateway (RGW) supplied by their ISP, some may want to use their own hardware. There are a few obstacles to overcome to do this which I’ll explain below.

Most ISPs by default will require an 802.1Q VLAN tag of 10 to be set on the WAN interface of your router. The vast majority of Ethernet routers available on the market do not support setting a VLAN on the WAN port, but this is changing quickly as vendors realise this has become the default standard on fibre networks around the world. In the fibre world this is known as a tagged UNI port.

So why does a VLAN have to be set?

Understanding that requires a basic understanding of networking. Traffic over your UFB connection is split into two categories – low priority, and high priority. The 30Mbps, 50Mbps, 100Mbps or 200Mbps headline speeds that are available with current UFB connections are known as an Excess Information Rate (EIR) and fall into the low priority category. This speed is best effort, with absolutely no guarantee of performance or throughput. There is certainly no guarantee this headline speed will be available 24/7, and a user should not have an expectation that this will be the case.

Your UFB connection also has a Committed Information Rate (CIR) component which falls into the high priority category. The CIR value ranges from 2.5Mbps to 10Mbps on most plans and is guaranteed bandwidth for both upstream and downstream (which may have different CIR figures in each direction). You should expect to be able to obtain this guaranteed bandwidth 24/7 between your router and your ISP.

The catch with the CIR is that it’s only accessible with the correct 802.1p tag on your traffic. The 802.1p tag is a value between 0 and 7 inside the 802.1Q section of an Ethernet header that specifies the priority of individual packets. By default all Ethernet traffic will typically have an 802.1p value of 0 and will be placed in the low priority EIR queue. To access the CIR component of your connection you need to tag traffic with an 802.1p value of 4 or 5 (depending on your connection type) on a UFB connection here in New Zealand.

So what use is the CIR? The High Priority CIR component is especially suited to voice or video applications where guaranteed bandwidth and low latency are important. If your ISP offers VoIP services they are most likely using this CIR component to guarantee the quality of their VoIP service, as traffic in the low priority and high priority queues has different network performance targets for common network measurements such as jitter and packet loss. If you’re using your own router with VoIP it’s best practice to create QoS or firewall rules to tag voice traffic to use the CIR. As usual with any CIR you need to ensure that you have local policies in place to manage this bandwidth to handle traffic that may be generated in excess of the CIR.

It’s worth mentioning now that Chorus, along with the other Local Fibre Companies (LFCs) responsible for the UFB rollout, supports untagged UNI ports, and this is something that some ISPs do offer. An untagged UNI port means there is no requirement for a VLAN10 tag, but it also means you will have no high priority CIR component on your connection, as an 802.1p tag can only be set inside an 802.1Q VLAN header.
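To make the tag layout described above concrete, here is an added example (not part of the original post) that inserts and parses the 4-byte 802.1Q header, showing where the VLAN ID of 10 and the 802.1p priority sit and why an untagged frame cannot carry a priority. The function names, the sample MAC address and the PPPoE bytes are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the two MAC addresses."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority must be 0-7")
    tci = (pcp << 13) | vid  # 3-bit priority, 1-bit DEI (left 0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_vlan_tag(frame: bytes):
    """Return the tag fields of a tagged frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None  # no 802.1Q header, so nowhere to carry an 802.1p value
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return {"vid": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner}


# Constructed sample: an untagged PPPoE discovery frame (header fields only).
UNTAGGED = bytes.fromhex(
    "ffffffffffff"   # destination MAC: broadcast
    "020000000001"   # source MAC: constructed, locally administered
    "8863"           # EtherType: PPPoE discovery
    "110900000000"   # PPPoE version/type, PADI code, session 0, length 0
)

if __name__ == "__main__":
    print("untagged:", parse_vlan_tag(UNTAGGED))
    for pcp in (0, 4, 5):
        tagged = add_vlan_tag(UNTAGGED, vid=10, pcp=pcp)
        print(tagged[12:16].hex(), parse_vlan_tag(tagged))
```

The same parser can be pointed at the first bytes of a frame captured on the ONT-facing port to confirm that traffic is leaving with VLAN ID 10.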

So what solutions are there for somebody wanting to use a device that doesn’t support VLAN tagging? There are two that are simple – a switch capable of VLAN tagging that you can use to add the VLAN 10 tag to your traffic, or a Mikrotik Routerboard which can also do the same thing. I’ll describe how to do this with a Mikrotik Routerboard.

Be aware that with either approach you will be unable to set any 802.1p tagging in your router, as traffic leaving your router will not have an 802.1Q header. If you are using a Mikrotik it is possible to create mangle firewall rules inside your Mikrotik to set the priority of traffic inside the bridge, but this is outside the scope of this guide.

Something such as a Mikrotik RB750 device makes the perfect solution to tag your traffic. While any Mikrotik device out there with multiple Ethernet ports can be used, the RB750 is a nice low cost device that will achieve this. One thing to note is that the RB750 only supports 10/100 Fast Ethernet ports. If you have a UFB connection with a faster speed you’ll need something such as a RB750GL that supports Gigabit Ethernet ports.

The basic principle of this setup is to create a VLAN10 tag on an interface, and create a bridge to bridge together VLAN10 with another Ethernet port that you can plug your router into. The example below will create VLAN10 on Ethernet port 1, and bridge this to Ethernet port 2. You would then run a cable from Ethernet port 1 to your ONT, and plug your router into Ethernet port 2.

There are multiple ways to log into a Mikrotik router (SSH, telnet, Winbox or web browser) so I’ll leave that option up to the end user. This is not a guide to using Mikrotik hardware or RouterOS (which does have a steep learning curve) so please don’t ask me questions on this.

Once logged in, ensure you delete all existing configuration in the device and either add an IP address to a port you will not be using, or use Winbox MAC address discovery to log into the Mikrotik.

From the terminal enter the following commands:

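# Create a VLAN interface with VLAN ID 10 on ether1 (the port facing the ONT)
/interface vlan
add interface=ether1 l2mtu=1522 name=vlan10 vlan-id=10

# Create the bridge
/interface bridge
add name=UFB_Bridge
# Add vlan10 and ether2 (the port your router plugs into) to the bridge
/interface bridge port
add bridge=UFB_Bridge interface=vlan10
add bridge=UFB_Bridge interface=ether2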

Or, if you want to create this from Winbox via a GUI, the following screenshots will help:

1) Add a VLAN with a VLAN ID of 10 to the interface you wish to use as your WAN port (in this case I’ve used ether1)

[Screenshot: ufb vlan1]

2) Create a Bridge – you can call this whatever you like.

[Screenshot: ufb vlan4]

3) Add VLAN10 and the Ethernet port you wish to plug your router into to the Bridge

[Screenshot: ufb vlan3]

You should now connect an Ethernet cable from Ether1 (or the port you selected) of your Mikrotik device to your ONT, and plug your router into Ether2 (or the port you selected). Assuming your router is configured with the correct PPPoE or DHCP settings for your ISP, you should now be connected. Some ISPs may tie DHCP leases to a specific MAC address in which case you’ll need to clone the MAC address of your ISP supplied router into your router.
