thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Sat Jun 17, 2023 9:27 am

Hello,

currently I am using a hAP ax lite as my playground (meaning it is not a productive device) for WifiWave2. However, while trying to play with this, I ran into another issue.

The Management VLAN 10 is available as Access Port on Ethernet port 4 which works fine. The same VLAN 10 shall also be available on Ethernet port 3 as a Trunk and this does not work (no network connection to or from this port; no Pings; no WinBox connection).

So far I searched for some hours and stupidly cannot find the problem :-? . The configuration is - maybe - a little bit messed up or overcomplicated at the moment, because of the fact this MikroTik device is my playground. But I don't want to reset it to the defaults and start over again, instead I would like to understand what the problem is. I assume it is a very small config detail I missed.

So why is VLAN 10 "MGMT" not working on my Ethernet port 3 "ETH3_DOWNSTREAM_TRUNK"?

Thanks a lot in advance,

Thomas
# jun/16/2023 23:11:45 by RouterOS 7.9.2
# model = L41G-2axD
/interface bridge
add ingress-filtering=no name=bridge_primary vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ETH1_UPSTREAM_TRUNK
set [ find default-name=ether2 ] name=ETH2
set [ find default-name=ether3 ] name=ETH3_DOWNSTREAM_TRUNK
set [ find default-name=ether4 ] name=ETH4_MGMT
/interface vlan
add interface=bridge_primary name=VLAN_2_LEGACY vlan-id=2
add interface=bridge_primary name=VLAN_10_MGMT vlan-id=10
add interface=bridge_primary name=VLAN_61_GUESTS vlan-id=61
add interface=bridge_primary name=VLAN_99_DUMMY vlan-id=99
/interface list
add comment="Router management allowed" name=mgmt_allowed_interfaces
add comment="All Downstream Interfaces with DNS Access" name=\
    all_downstream_interfaces_dns
add comment="All Downstream Interfaces with Internet Access" name=\
    all_downstream_interfaces_internet
/interface wifiwave2 channel
add band=2ghz-ax name=channel1 skip-dfs-channels=disabled
/interface wifiwave2 datapath
add bridge=bridge_primary disabled=no name=VLAN10 vlan-id=10
add bridge=bridge_primary disabled=no name=VLAN61 vlan-id=61
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 name=Security passphrase=dummypassword
/interface wifiwave2 configuration
add channel=channel1 country=Germany datapath=VLAN10 disabled=no name=\
    cfg_MGMT security=Security ssid=M
add channel=channel1 country=Germany datapath=VLAN61 disabled=no name=\
    cfg_GUEST security=Security ssid=G
/ip pool
add name=dhcp_pool_vlan_2_legacy ranges=10.0.0.1-10.0.0.199
add name=dhcp_pool_vlan_61_guests ranges=10.0.1.1-10.0.1.199
/ip dhcp-server
add address-pool=dhcp_pool_vlan_2_legacy interface=VLAN_2_LEGACY lease-time=\
    12h name=DHCP_VLAN_2_LEGACY
add address-pool=dhcp_pool_vlan_61_guests interface=VLAN_61_GUESTS \
    lease-time=6h name=DHCP_VLAN_61_GUESTS
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH4_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
    ETH3_DOWNSTREAM_TRUNK pvid=99
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    untagged=ETH4_MGMT vlan-ids=10
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=2
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=80
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=61
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=21
/interface list member
add interface=ETH4_MGMT list=mgmt_allowed_interfaces
add interface=VLAN_10_MGMT list=mgmt_allowed_interfaces
add interface=VLAN_2_LEGACY list=all_downstream_interfaces_dns
add interface=VLAN_10_MGMT list=all_downstream_interfaces_dns
add interface=VLAN_2_LEGACY list=all_downstream_interfaces_internet
add interface=VLAN_10_MGMT list=all_downstream_interfaces_internet
add interface=VLAN_61_GUESTS list=all_downstream_interfaces_dns
add interface=VLAN_61_GUESTS list=all_downstream_interfaces_internet
/interface wifiwave2 capsman
set enabled=yes interfaces=bridge_primary package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg_MGMT \
    slave-configurations=cfg_GUEST supported-bands=2ghz-ax
/ip address
add address=10.0.2.254/24 interface=VLAN_10_MGMT network=10.0.2.0
add address=10.0.0.254/24 interface=VLAN_2_LEGACY network=10.0.0.0
add address=10.0.1.254/24 interface=VLAN_61_GUESTS network=10.0.1.0
/ip dhcp-client
add interface=ETH1_UPSTREAM_TRUNK
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.254 gateway=10.0.0.254
add address=10.0.1.0/24 dns-server=10.0.1.254 gateway=10.0.1.254
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=jump chain=input comment="Management Access to Winbox" dst-port=\
    8291 in-interface-list=mgmt_allowed_interfaces jump-target=\
    input_management_Winbox protocol=tcp
add action=jump chain=input comment="Management Access to Winbox" dst-port=80 \
    in-interface-list=mgmt_allowed_interfaces jump-target=\
    input_management_HTTP protocol=tcp
add action=accept chain=input_management_Winbox comment=\
    "Allow Winbox access from ETH4" disabled=yes in-interface=ETH4_MGMT
add action=accept chain=input_management_Winbox comment=\
    "Allow Winbox access from VLAN MGMT" in-interface=VLAN_10_MGMT
add action=drop chain=input_management_Winbox comment=\
    "Drop all other acces to Winbox" disabled=yes
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    connection-state=new dst-port=53 in-interface-list=\
    all_downstream_interfaces_dns protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=\
    all_downstream_interfaces_dns protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment=TEST in-interface=VLAN_10_MGMT
add action=accept chain=input comment=TEST in-interface=VLAN_10_MGMT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ETH1_UPSTREAM_TRUNK
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=de.pool.ntp.org
/tool romon
set enabled=yes
Last edited by thn80 on Thu Jun 22, 2023 10:09 am, edited 1 time in total.
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Sat Jun 17, 2023 9:44 am

What is connected to ether3? Is it vlan aware?
 
LikeMyFloydPink
just joined
Posts: 14
Joined: Mon May 30, 2022 9:00 pm
Location: South Carolina

Re: VLAN-Trunk not working

Sat Jun 17, 2023 10:04 am

add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
interface=ETH4_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
ETH3_DOWNSTREAM_TRUNK pvid=99

Shot in the dark, but is ETH3_DOWNSTREAM_TRUNK pvid=99 causing the problem? The way I'm interpreting OP - if eth4 is picking up the vlan10 off the "access" configured port, you would need to have vlan10 as the native vlan on the trunk. Otherwise you would need to be tagging it from the other end.

@Buckeye: Am I anywhere close on this?

EDIT: spelling
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Sat Jun 17, 2023 10:12 am

The following looks suspect to me: ETH4_MGMT is part of the bridge, and should be getting access via VLAN_10_MGMT,
/interface list member
add interface=ETH4_MGMT list=mgmt_allowed_interfaces
add interface=VLAN_10_MGMT list=mgmt_allowed_interfaces

It is hard to follow your firewall rules, I would try moving the
add action=accept chain=input comment=TEST in-interface=VLAN_10_MGMT
rule up to see if it is never being reached where it is at the bottom, at least to see if it changes the behaviour. If it does, then you can fine tune to go where you want with respect to the other input rules.

What does this do? That is not a chain I am familiar with. I see the rule is disabled, but if it was just testing and didn't work as you thought it would, you should delete it.
add action=accept chain=input_management_Winbox comment=\
"Allow Winbox access from ETH4" disabled=yes in-interface=ETH4_MGMT
 
LikeMyFloydPink
just joined
Posts: 14
Joined: Mon May 30, 2022 9:00 pm
Location: South Carolina

Re: VLAN-Trunk not working

Sat Jun 17, 2023 10:32 am

If you are using VLAN-99 as the "dummy" native vlan on the trunk/uplink, then the device on the other end needs to be aware of VLAN-99 - and configured as a trunk w/ native VLAN-99.
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Sat Jun 17, 2023 10:51 am

add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
interface=ETH4_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
ETH3_DOWNSTREAM_TRUNK pvid=99
Shot in the dark, but is ETH3_DOWNSTREAM_TRUNK pvid=99 causing the problem? The way I'm interpreting OP - if eth4 is picking up the vlan10 off the "access" configured port, you would need to have vlan10 as the native vlan on the trunk. Otherwise you would need to be tagging it from the other end.
I can only assume he has a vlan aware switch connected to ether3. And the pvid shouldn't make any difference given
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
ETH3_DOWNSTREAM_TRUNK pvid=99
Also, given the name he gave to the vlan interface associated with vlan 99
/interface vlan
add interface=bridge_primary name=VLAN_99_DUMMY vlan-id=99

I will assume it is not used, but I wouldn't have even created a vlan interface for 99 if he didn't plan on using it. You don't need a vlan interface to be able to use a vlan at layer 2 only. The vlan interface only needs to exist to allow adding an ip address and for the "routing engine" to be able to see it.

vlan 99 isn't "configured" between the CPU and the Switch "entity" of the bridge. (/interface bridge vlan doesn't mention 99)

It is possible to configure one port with vlan 10 tagged and another port with vlan 10 untagged. That already happens for most vlans between the CPU and the switch ASIC (only the bridge's pvid is untagged, and pvid is 1 by default). All other vlans are tagged from the CPU side (and need a vlan interface "shim" to tag/untag the vlans for sending to ASIC/receiving from ASIC). But having eth4 with vlan 10 untagged and eth3 with all used vlans tagged (including vlan 10) and specifying a pvid that is ignored is not a problem. This would be similar to configuring an ER-X like:
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth3 {
                vlan {
                    pvid 99
                    vid 2
                    vid 10
                    vid 21
                    vid 61
                    vid 80
                }
            }
            interface eth4 {
                vlan {
                    pvid 10
                }
            }
            vlan-aware enable
        }
        vif 2 {
            address 10.0.0.254/24
            description "VLAN_2_LEGACY"
            mtu 1500
        }
        vif 10 {
            address 10.0.2.254/24
            description VLAN_10_MGMT
            mtu 1500
        }
        vif 21 {
            description VLAN21
            ip {
            }
            mtu 1500
        }
        vif 61 {
            address 10.0.1.254/24
            description "VLAN_61_GUESTS"
            mtu 1500
        }
    }
 
anav
Forum Guru
Posts: 21360
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN-Trunk not working

Sat Jun 17, 2023 2:25 pm

Overall an incomplete and confused config.

You have no pool for two of your VLANs including vlan10
You are also missing IP DHCP-Server for two of your VLANs including vlan10.

Besides that..........
Basic misunderstanding on your part..... or one could say you are conflicted
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
ETH3_DOWNSTREAM_TRUNK pvid=99


(1) If it's a trunk port then you DON'T ADD PVID
(2) If it's a hybrid port then you don't limit frame types ( assuming untagged for 99, tagged for 10 )

++++++++++++++++++++++++++++

(3) Based on then looking at what you have for interface vlan settings........
VLAN 99 has nothing to do with ether3, thus you need to get rid of PVID=99

+++++++++++++++++++++++++++++

Other Weirdness.

(4) You have two vlans in your interface bridge vlan settings you failed to identify.
VLAN 21 and VLAN 80 ???????

(5) You fail to identify the use of VLAN 99 anywhere............

(6) If ether 3 is truly a trunk port then you could simplify the three rules to.
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
vlan-ids=2,21,80


(7) Fail to mention vlan99 in interface members list..........
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Sat Jun 17, 2023 11:53 pm

So far I searched for some hours and stupidly cannot find the problem :-? . The configuration is - maybe - a little bit messed up or overcomplicated at the moment, because of the fact this MikroTik device is my playground. But I don't want to reset it to the defaults and start over again, instead I would like to understand what the problem is. I assume it is a very small config detail I missed.
What you are requesting is similar to the "find the mistake in this picture" type puzzle.

To troubleshoot, simplify the config and verify the simple case works with vlans, then start adding complexity.

If you make a backup and an export then you should be able to reset and create a simple config with only the parts needed, just to verify that you can get the vlan part working. I still think the most likely problem in your config is the firewall. It's easy to find how to backup if you don't know how, just google backup and restore on mikrotik

On the subject of backups, you should be doing backups frequently when learning, because it is easy to make changes that can make the router inaccessible, and it is much easier to restore a backup than to re-enter manually. And a backup and export are very different. Backup is complete but unreadable by a human. Export is incomplete but readable.
 
LikeMyFloydPink
just joined
Posts: 14
Joined: Mon May 30, 2022 9:00 pm
Location: South Carolina

Re: VLAN-Trunk not working

Sun Jun 18, 2023 12:14 am


I can only assume... (snipped the quote to avoid repetition)

@Buckeye: I get you with the ER-X example. Appreciate the feedback.
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Sun Jun 18, 2023 1:10 am

(1) If its a trunk port then you DONT ADD PVID
(2) If its a hybrid port then you dont limit frame types ( assuming untagged for 99, tagged for 10 )
I tried to simply remove the PVID, but without a PVID the error message "Error in PVID - decimal number in range [1;4094] expected!" appears.
So, if RouterOS wants to have a PVID here (even though "Frame Types" is set to "admit only VLAN tagged"), shouldn't it be irrelevant whether to use the default 1 or my 99?

@All persons that tried to support me: As I wrote at the beginning, this setup is my playground, therefore, I have some VLANs and other configuration parts there which are not used at the moment.
 
anav
Forum Guru
Posts: 21360
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN-Trunk not working

Sun Jun 18, 2023 3:11 am

Probably because your config is incomplete. Stop effing around do the config properly or stop bothering us with playground crap.
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Sun Jun 18, 2023 3:26 am

I tried to simply remove the PVID, but without an PVID the error message "Error in PVID - decimal number in range [1;4094] expected!" appears.
I don't think you are telling us the whole story. Copy and paste exactly what you typed, and error message as it appeared.

if you entered pvid without specifying a numeric pvid that would generate an error, if you just omitted the pvid=99, then it would have used the default pvid=1.
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Sun Jun 18, 2023 9:04 am

Probably because your config is incomplete. Stop effing around do the config properly or stop bothering us with playground crap.
Why are you getting rude? I am not effing around and if something bothers you, then simply ignore the thread, but as I wrote at the very beginning this is a playground setup for learning purposes and not all configurations have to be for productional purposes. You cannot really understand something if you only do perfect example configurations, you also have to understand what exactly is going on if something is not working. But don't start to blame me here! The only mistake I have - maybe - done is to post into the "General" forum instead of "Beginners".

And again, I would like to understand what exactly is going wrong. If I have some unused VLANs in my config or if I have VLANs without a DHCP server, this should not mess up the other VLAN 10. So, either playing around messed up something in RouterOS (then it could be a bug) or there is a configuration issue with my VLAN 10 in the configuration I posted which was not found here so far (and as already mentioned a not configured DHCP server on another VLAN or an unused VLAN or similar stuff should not prevent the simple forwarding of my VLAN 10 on a Trunk).
I tried to simply remove the PVID, but without an PVID the error message "Error in PVID - decimal number in range [1;4094] expected!" appears.
I don't think you are telling us the whole story. Copy and paste exactly what you typed, and error message as it appeared.

if you entered pvid without specifying a numeric pvid that would generate an error, if you just omitted the pvid=99, then it would have used the default pvid=1.
The configuration I posted is the complete configuration I got via "/export show-sensitive file=myconfig.cfg" (show-sensitive because its only a playground setup).

I tried to clear the PVID not from the console, but from the graphical part in WinBox as you can see in the screenshot attached. But again for my understanding: You said it will use the default PVID=1 in case nothing is configured via console, but what is the difference between the default PVID=1 and my PVID=99 if the Frame Type is set to "admit only VLAN tagged"? In both cases it should simply be a number that is not used, right? (Just for my understanding)
WinBox_PVID.jpg
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Sun Jun 18, 2023 10:20 am

You said it will use the default PVID=1 in case nothing is configured via console, but what is the difference between the default PVID=1 and my PVID=99 if the Frame Type is set to "admit only VLAN tagged"? In both cases it should simply be a number that is not used, right? (Just for my understanding)
I agree that having vlan 99 should not cause a problem. That's one of the things I said in this post.

I also said I think the most likely cause of your problem is in the firewall. Or that whatever is connected to ether3 is not expecting tagged frames.

But you haven't provided that information (what is connected to ether3).

I have no problem with you trying things in a sandbox lab environment to try things out and learn. That's the best way to verify that things really work as you think they do.

But I do think you should save a backup and export and then create the simplest case where you can cause it to fail.

The title of your thread is "VLAN-Trunk not working", and I am only questioning your assumption that the problem is the trunk. It may be, but until you show us how things are connected, and the configuration of the device connected to ether3, how can we make any educated guesses as to why it isn't working?

If you are convinced it is the vlan trunk that is the problem, then create another vlan 10 access port and verify that it works. Or better, change the ether3 interface so it has pvid 10 and change the allowed vlan types to frame-types=admit-all in /interface bridge port and the change

/interface bridge port
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
interface=ETH4_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-all interface=\
ETH3_DOWNSTREAM_TRUNK pvid=10
/interface bridge vlan
add bridge=bridge_primary tagged=bridge_primary \
untagged=ETH3_DOWNSTREAM_TRUNK,ETH4_MGMT vlan-ids=10
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
vlan-ids=2
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
vlan-ids=80
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
vlan-ids=61
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
vlan-ids=21

At this point the only things changed are that vlan 10 is now untagged on ether3 instead of being tagged. The other vlans are still tagged. In MikroTik terminology you have configured a hybrid port on ether3. If you connect a PC to ether4, you should have access to vlan 10 (nothing changed there, and you claimed it was working). Verify that still works. Then move the cable from ether4 to ether3 on the hAP ax lite. Does the PC still have access to vlan 10? If so, the problem is in the device that was originally connected to ether3, it isn't expecting tagged traffic. If it does not work from ether4 then there is an issue with the firewall. At least that is my best guess, given the provided info.
Then disconnect what is currently connected to ether3 and move the conn
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Sun Jun 18, 2023 5:51 pm

But you haven't provided that information (what is connected to ether3).
While trying to locate the problem, I started to clean-up the config and also created a minimal setup showing the issue.

Mikrotik_Diagram.jpg

My hAP ax lite and hAP ax² are directly connected (no switch in between; hAP ax lite Ether 3 <--> hAP ax² Ether 3) via the green connection. This is the connection via the VLAN 10 Trunk that makes problems.

The pink connection is between hAP ax lite Ether 4 (VLAN 10 Access Port) and my computer and is used for the WinBox connection (working without problems).

The orange connection is between hAP ax² Ether 2 and my computer and is used for the WinBox connection (working without problems). This connection has nothing to do with the VLAN 10, I simply added this Ethernet port to my setup to have an independent interface to WinBox.

The problem is that both devices cannot ping each other via the Trunk.
However, if I remove the green connection and try to connect my PC via one of the gray connections directly to one of the Trunk ports on the hAP ax lite or hAP ax² the communication works and I can ping the respective device (the interface on my PC is set to be VLAN 10 aware in this case). For my understanding this means, that the Trunk on both devices should basically work.

But if I connect the devices again with each other via the green connection, they cannot ping each other. In my latest setup, the firewall should accept all traffic (see the config exports below).

I also recognized some strange behavior on the green connection between both MikroTik devices. Whenever a ping in the Terminal is running and I disconnect the green connection and reconnect it again, 4-5 pings over the Trunk are successful. You can see this in the following screenshot. The green box shows the successful pings, the red arrow shows roughly the point in time when I disconnected and reconnected the green connection.

MikroTik_Pings.jpg

And here are my cleaned-up configurations of the two devices, extracted via /export file=myconfig.cfg

Configuration of hAP ax lite
# jun/18/2023 00:48:57 by RouterOS 7.9.2
# model = L41G-2axD

/interface bridge
add ingress-filtering=no name=bridge_primary vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ETH1
set [ find default-name=ether2 ] disabled=yes name=ETH2
set [ find default-name=ether3 ] comment="Connected to the hAP ax2." name=\
    ETH3_TRUNK
set [ find default-name=ether4 ] comment=\
    "My PC is connected via WinBox here." name=ETH4_MGMT
/interface vlan
add interface=bridge_primary name=VLAN_10_MGMT vlan-id=10
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH4_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
    ETH3_TRUNK pvid=99
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge_primary tagged=bridge_primary,ETH3_TRUNK untagged=ETH4_MGMT \
    vlan-ids=10
/interface wifiwave2 capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/ip address
add address=10.0.2.254/24 interface=VLAN_10_MGMT network=10.0.2.0
/ip firewall filter
add action=accept chain=forward comment="ALLOW ALL"
add action=accept chain=input comment="ALLOW ALL"
/system note
set show-at-login=no

Configuration of hAP ax²
# jun/13/2023 03:36:13 by RouterOS 7.9.2
# model = C52iG-5HaxD2HaxD

/interface bridge
add ingress-filtering=no name=bridge_primary vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ETH1
set [ find default-name=ether2 ] comment=\
    "My PC is connected via WinBox here." name=ETH2
set [ find default-name=ether3 ] comment="Connected to the hAP ax lite" name=\
    ETH3_TRUNK
set [ find default-name=ether4 ] disabled=yes name=ETH4
set [ find default-name=ether5 ] name=ETH5_MGMT
/interface vlan
add interface=bridge_primary name=VLAN_10_MGMT vlan-id=10
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH5_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
    ETH3_TRUNK pvid=99
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/interface bridge vlan
add bridge=bridge_primary tagged=bridge_primary,ETH3_TRUNK,ETH4 untagged=\
    ETH5_MGMT vlan-ids=10
/ip address
add address=10.0.2.253/24 interface=VLAN_10_MGMT network=10.0.2.0
add address=10.0.3.253/24 interface=ETH2 network=10.0.3.0
/ip firewall filter
add action=accept chain=forward comment="ALLOW ALL"
add action=accept chain=input comment="ALLOW ALL"
/system note
set show-at-login=no
Any ideas what could cause the problem?

Thanks,

Thomas
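
An added example, not part of the original post and not MikroTik code: a small Python check that parses the bridge sections of the two exports above (copied from this post, including the `\` line wrapping) and compares the VLANs tagged on each end of the ETH3_TRUNK link. It also lists bridge VLAN members that are not bridge ports, which flags ETH4 on the hAP ax². The function names and finding labels are assumptions made for the example.

```python
import shlex

# Bridge sections copied from the two cleaned-up exports in the post above.
HAP_AX_LITE = r"""
/interface bridge
add ingress-filtering=no name=bridge_primary vlan-filtering=yes
/interface bridge port
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH4_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
    ETH3_TRUNK pvid=99
/interface bridge vlan
add bridge=bridge_primary tagged=bridge_primary,ETH3_TRUNK untagged=ETH4_MGMT \
    vlan-ids=10
"""
HAP_AX2 = r"""
/interface bridge
add ingress-filtering=no name=bridge_primary vlan-filtering=yes
/interface bridge port
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH5_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
    ETH3_TRUNK pvid=99
/interface bridge vlan
add bridge=bridge_primary tagged=bridge_primary,ETH3_TRUNK,ETH4 untagged=\
    ETH5_MGMT vlan-ids=10
"""


def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            # /export wraps long lines with a trailing backslash, sometimes
            # in the middle of key=value, so join without inserting a space.
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            continue
        tokens = shlex.split(line)
        if tokens[0] == "add":
            entry = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            sections.setdefault(current, []).append(entry)
    return sections


def expand_ids(spec):
    """Turn a vlan-ids value such as '2,21,80' or '10-12' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def members(entry, key):
    return [m for m in entry.get(key, "").split(",") if m]


def tagged_vlans(cfg, port):
    """VLAN IDs for which 'port' is a tagged member in /interface bridge vlan."""
    vids = set()
    for entry in cfg.get("/interface bridge vlan", []):
        if port in members(entry, "tagged"):
            vids |= expand_ids(entry["vlan-ids"])
    return vids


def trunk_mismatch(cfg_a, port_a, cfg_b, port_b):
    """VLAN IDs tagged on only one end of a link (empty set: both ends agree)."""
    return tagged_vlans(cfg_a, port_a) ^ tagged_vlans(cfg_b, port_b)


def audit(cfg):
    """Return (label, interface, detail) tuples for bridge/VLAN inconsistencies."""
    bridges = {b["name"] for b in cfg.get("/interface bridge", [])}
    ports = {p["interface"]: p for p in cfg.get("/interface bridge port", [])}
    findings = []
    for entry in cfg.get("/interface bridge vlan", []):
        for m in members(entry, "tagged") + members(entry, "untagged"):
            if m not in ports and m not in bridges:
                findings.append(("not-a-bridge-port", m, entry["vlan-ids"]))
    for name, port in ports.items():
        if port.get("frame-types") == "admit-only-vlan-tagged":
            if not tagged_vlans(cfg, name):
                findings.append(("trunk-carries-nothing", name, ""))
            elif port.get("pvid", "1") != "1":
                # Untagged ingress is dropped on this port, so pvid is never applied.
                findings.append(("pvid-ignored-on-tagged-only-port", name, port["pvid"]))
    return findings


if __name__ == "__main__":
    lite, ax2 = parse_export(HAP_AX_LITE), parse_export(HAP_AX2)
    print("VLANs tagged on one end only:",
          trunk_mismatch(lite, "ETH3_TRUNK", ax2, "ETH3_TRUNK") or "none")
    for label, cfg in (("hAP ax lite", lite), ("hAP ax2", ax2)):
        for finding in audit(cfg):
            print(label, finding)
```

An empty mismatch set only shows that the two bridge VLAN tables agree for the link; it says nothing about spanning tree, hardware offloading or the firewall.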
 
anav
Forum Guru
Posts: 21360
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN-Trunk not working

Sun Jun 18, 2023 5:57 pm

Just to understand the network.
Which Router is connected to the internet aka a modem and gets a public IP?
The secondary device, not connected to internet, is it acting as an access point/switch or a full router with double NAT?

Also why do you need two connections to your PC?? Assuming 2 nic cards. What is the purpose/use case?
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Sun Jun 18, 2023 8:05 pm

Just to understand the network.
Which Router is connected to the internet aka a modem and gets a public IP?
The secondary device, not connected to internet, is it acting as an access point/switch or a full router with double NAT?

Also why do you need two connections to your PC?? Assuming 2 nic cards. What is the purpose/use case?
As it is a test/playground setup, no device is connected to the Internet, both devices are used only locally.
The reason for the setup is to play around, better understanding RouterOS, and playing around especially with WifiWave2 and CAPsMAN, later.

The two connections to my PC are just because forwarding of my MGMT VLAN via the Trunk does not work, yet. Later the second device will be accessed via the first one (I know, RoMON could be another option).
 
anav
Forum Guru
Posts: 21360
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN-Trunk not working

Sun Jun 18, 2023 10:10 pm

Well, when you decide the function of the devices I can help, otherwise just swimming in circles with no purpose.
My advice is to forget capsman if you don't have that many APs.
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Mon Jun 19, 2023 2:42 am

@thn80 thanks, that is a much easier config to deal with. What things if any were removed (i.e. not shown in the configs posted, if anything was sanitized out)? You are not setting mac addresses on any of the interfaces are you?

How many interfaces does your PC have? If multiple adapters, are they different physical adapters or virtual adapters on a VM? Are the pink and orange connected simultaneously? Just trying to eliminate a potential loop if there is a switch involved that isn't shown in the diagram.

Which device did you run the ping on that produced the output you displayed? I will assume it was from the hap ax lite (10.0.2.254)

Can you post output of the following from both the hap ax lite and hap ax2? /ip address print, /ip route print, /interface/print detail, /ip/arp/print, /interface/bridge/host/print and /ip/neighbor/print detail Added as code block to make it easier to copy/paste into winbox terminal.
/ip address print
/ip route print
/interface/print detail
/ip/arp/print
/interface/bridge/host/print
/ip/neighbor/print detail
The problem is, that both device cannot ping each other via the Trunk.
However, if I remove the green connection and try to connect my PC via one of the gray connections directly to one of the Trunk ports on the hAP ax lite or hAP ax² the communication works and I can ping the respective device (the interface on my PC is set to be VLAN 10 aware in this case). For my understanding this means, that the Trunk on both devices should basically work.
When you had the PC set for tagged vlan 10, could you ping the PC from the hap as well as pinging the hap from the PC?

It is odd that it works for a short time after it is plugged in. If there are no loops then rstp shouldn't be responsible for the pings stopping. It's almost as if the bridge thinks the other mac address is on a different port than it is (i.e. a duplicate mac, but I would expect an error message if that was the case). For example, your PC isn't using the same mac as one of the hap devices is it? I am trying to think of a possible explanation, but this one seems pretty unlikely.

And extra weird that when you set your PC adapter to be tagged vlan 10, that you get ping responses from the devices, but not from the "other" hap.

If you torch or sniff do you see traffic?
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Mon Jun 19, 2023 11:17 pm

What things if any were removed (i.e. not shown in the configs posted, if anything was sanitized out)? You are not setting mac addresses on any of the interfaces are you?
I posted the complete export (only removed the comments in the header about some serial number as I was not sure if this is somehow confidential).
I have not set any MAC address.
How many interfaces does your PC have? If multiple adapters, are they different physical adapters or virtual adapters on a VM?
There are three network connections at the moment:
  • The interface to my home network/Internet (network 192.168.10.218/24).
  • An exclusive USB-Ethernet adapter for the pink connection (10.0.2.10/24).
  • An exclusive USB-Ethernet adapter for the orange connection (10.0.3.10/24).
Are the pink and orange connected simultaneously? Just trying to eliminate a potential loop if there is a switch involved that isn't shown in the diagram.
They are connected simultaneously, each of them to its exclusive USB-Ethernet-Adapter on my PC.
The PC is a Win10 machine with no routing features on it.
The problem also occurred without the orange connection, I just added the orange connection to be able to access the second MikroTik device without issues.
Which device did you run the ping on that produced the output you displayed? I will assume it was from the hap ax lite (10.0.2.254)
Correct, the ping was done from the hAP ax lite (10.0.2.254), but I have seen the same problem also in the other direction and checked it again right now.
Can you post output of the following from both the hap ax lite and hap ax2?
/ip address print
/ip route print
/interface/print detail
/ip/arp/print
/interface/bridge/host/print
/ip/neighbor/print detail
Here is the output from hap ax lite:
[thomas@MikroTik] > /ip address print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS        NETWORK   INTERFACE   
0 10.0.2.254/24  10.0.2.0  VLAN_10_MGMT

[thomas@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS  GATEWAY       DISTANCE
DAc 10.0.2.0/24  VLAN_10_MGMT         0

[thomas@MikroTik] > /interface/print detail
Flags: D - dynamic; X - disabled, R - running; S - slave; P - passthrough 
 0  X   name="ETH1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 
        max-l2mtu=2026 mac-address=48:A9:8A:7C:26:1D ifname="eth0" ifindex=9 id=2 link-downs=0 

 1  X   name="ETH2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 
        max-l2mtu=2026 mac-address=48:A9:8A:7C:26:1E ifname="eth1" ifindex=10 id=3 link-downs=0 

 2  RS  ;;; Connected to the hAP ax2.
        name="ETH3_TRUNK" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 
        max-l2mtu=2026 mac-address=48:A9:8A:7C:26:1F ifname="eth2" ifindex=11 id=4 
        last-link-down-time=jun/18/2023 05:56:20 last-link-up-time=jun/18/2023 05:56:23 link-downs=1 

 3  RS  ;;; My PC is connected via WinBox here.
        name="ETH4_MGMT" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 
        max-l2mtu=2026 mac-address=48:A9:8A:7C:26:20 ifname="eth3" ifindex=12 id=5 
        last-link-up-time=jun/18/2023 05:38:31 link-downs=0 

 4  R   name="VLAN_10_MGMT" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1592 
        mac-address=48:A9:8A:7C:26:1F ifname="vlan8" ifindex=5 id=8 
        last-link-up-time=jun/18/2023 05:38:22 link-downs=0 

 5  R   name="bridge_primary" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1596 
        mac-address=48:A9:8A:7C:26:1F ifname="br0" ifindex=4 id=6 
        last-link-up-time=jun/18/2023 05:38:22 link-downs=0 

 6  X   name="wifi1" default-name="wifi1" type="wifi" mac-address=48:A9:8A:7C:26:21 id=1 link-downs=0 

[thomas@MikroTik] > /ip/arp/print
Flags: D, P - PUBLISHED; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
#    ADDRESS     MAC-ADDRESS        INTERFACE   
0 DC 10.0.2.10   A0:CE:C8:87:84:15  VLAN_10_MGMT
1 D  10.0.2.253  48:A9:8A:6E:7D:7D  VLAN_10_MGMT

[thomas@MikroTik] > /interface/bridge/host/print
Flags: D - DYNAMIC; L - LOCAL; E - EXTERNAL
Columns: MAC-ADDRESS, VID, ON-INTERFACE, BRIDGE
#     MAC-ADDRESS        VID  ON-INTERFACE    BRIDGE        
0 DL  48:A9:8A:7C:26:1F       bridge_primary  bridge_primary
1 DL  48:A9:8A:7C:26:20       ETH4_MGMT       bridge_primary
2 D E 48:A9:8A:6E:7D:7D    1  ETH3_TRUNK      bridge_primary
3 DL  48:A9:8A:7C:26:1F    1  bridge_primary  bridge_primary
4 D E 48:A9:8A:6E:7D:7D   10  ETH3_TRUNK      bridge_primary
5 DL  48:A9:8A:7C:26:1F   10  bridge_primary  bridge_primary
6 DL  48:A9:8A:7C:26:20   10  ETH4_MGMT       bridge_primary
7 D E A0:CE:C8:87:84:15   10  ETH4_MGMT       bridge_primary

[thomas@MikroTik] > /ip/neighbor/print detail
 0 interface=ETH4_MGMT,bridge_primary mac-address=A0:CE:C8:87:84:15 identity="" platform="" version="" 
   unpack=none age=7m14s system-caps=repeater system-caps-enabled=telephone,station-only 
   discovered-by=lldp 
Here is the output from hap ax2:
[thomas@MikroTik] > /ip address print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS        NETWORK   INTERFACE   
0 10.0.2.253/24  10.0.2.0  VLAN_10_MGMT
1 10.0.3.253/24  10.0.3.0  ETH2        

[thomas@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS  GATEWAY       DISTANCE
DAc 10.0.2.0/24  VLAN_10_MGMT         0
DAc 10.0.3.0/24  ETH2                 0

[thomas@MikroTik] > /interface/print detail
Flags: D - dynamic; X - disabled, R - running; S - slave; P - passthrough 
 0  X   name="ETH1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1568 
        max-l2mtu=9214 mac-address=48:A9:8A:6E:7D:7B ifname="eth0" ifindex=7 id=1 link-downs=0 

 1  R   ;;; My PC is connected via WinBox here.
        name="ETH2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1568 
        max-l2mtu=9214 mac-address=48:A9:8A:6E:7D:7C ifname="eth1" ifindex=8 id=2 
        last-link-up-time=jun/13/2023 08:26:17 link-downs=0 

 2  RS  ;;; Connected to the hAP ax lite
        name="ETH3_TRUNK" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1568 
        max-l2mtu=9214 mac-address=48:A9:8A:6E:7D:7D ifname="eth2" ifindex=9 id=3 
        last-link-down-time=jun/13/2023 08:44:16 last-link-up-time=jun/13/2023 08:44:17 link-downs=2 

 3  X   name="ETH4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1568 
        max-l2mtu=9214 mac-address=48:A9:8A:6E:7D:7E ifname="eth3" ifindex=10 id=4 link-downs=0 

 4   S  name="ETH5_MGMT" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1568 
        max-l2mtu=9214 mac-address=48:A9:8A:6E:7D:7F ifname="eth4" ifindex=11 id=5 link-downs=0 

 5  R   name="VLAN_10_MGMT" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1564 
        mac-address=48:A9:8A:6E:7D:7D ifname="vlan11" ifindex=5 id=11 
        last-link-up-time=jun/13/2023 08:26:08 link-downs=0 

 6  R   name="bridge_primary" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1568 
        mac-address=48:A9:8A:6E:7D:7D ifname="br0" ifindex=4 id=9 
        last-link-up-time=jun/13/2023 08:26:08 link-downs=0 

 7  X   name="wifi1" default-name="wifi1" type="wifi" mac-address=48:A9:8A:6E:7D:80 id=6 link-downs=0 

 8  X   name="wifi2" default-name="wifi2" type="wifi" mac-address=48:A9:8A:6E:7D:81 id=7 link-downs=0 

[thomas@MikroTik] > /ip/arp/print
Flags: D, P - PUBLISHED; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
#    ADDRESS     MAC-ADDRESS        INTERFACE   
0 DC 10.0.3.10   A0:CE:C8:89:6A:58  ETH2        
1 DC 10.0.2.254  48:A9:8A:7C:26:1F  VLAN_10_MGMT

[thomas@MikroTik] > /interface/bridge/host/print
Flags: D - DYNAMIC; L - LOCAL
Columns: MAC-ADDRESS, VID, ON-INTERFACE, BRIDGE
#    MAC-ADDRESS        VID  ON-INTERFACE    BRIDGE        
0 DL 48:A9:8A:6E:7D:7D       bridge_primary  bridge_primary
1 DL 48:A9:8A:6E:7D:7D    1  bridge_primary  bridge_primary
2 DL 48:A9:8A:6E:7D:7D   10  bridge_primary  bridge_primary
3 D  A0:CE:C8:87:84:15   10  ETH3_TRUNK      bridge_primary

[thomas@MikroTik] > /ip/neighbor/print detail
 0 interface=ETH3_TRUNK,bridge_primary mac-address=48:A9:8A:7C:26:1F identity="MikroTik" platform="" 
   version="" unpack=none age=40s interface-name="bridge_primary/ETH3_TRUNK" 
   system-description="MikroTik RouterOS 7.9.2 (stable) May/30/2023 13:49:00 L41G-2axD" 
   system-caps=bridge,router system-caps-enabled=bridge,router discovered-by=lldp 
When you had the PC set for tagged vlan 10, could you ping the PC from the hap as well as pinging the hap from the PC?
Tested all combinations:
  • The PC (10.0.2.10) can ping the hap ax lite (10.0.2.254).
  • The PC (10.0.3.10) can ping the hap ax2 (10.0.3.253).
  • The hap ax lite (10.0.2.254) can ping the PC (10.0.2.10).
  • The hap ax2 (10.0.3.253) can ping the PC (10.0.3.10).
It is odd that it works for a short time after it is plugged in. If there are no loops then rstp shouldn't be responsible for the pings stopping. It's almost as if the bridge thinks the other mac address is on a different port than it is (i.e. a duplicate mac, but I would expect an error message if that was the case). For example, your PC isn't using the same mac as one of the hap devices is it? I am trying to think of a possible explanation, but this one seems pretty unlikely.
hap ax lite
ETH3: 48:A9:8A:7C:26:1F
ETH4: 48:A9:8A:7C:26:20

hap ax2
ETH2: 48:A9:8A:6E:7D:7C
ETH3: 48:A9:8A:6E:7D:7D
ETH5: 48:A9:8A:6E:7D:7F

PC
Pink: A0-CE-C8-87-84-15
Orange: A0-CE-C8-89-6A-58
If you torch or sniff do you see traffic?
hap ax lite
MT_hap_ax_lite_Torch.jpg
MT_hap_ax_lite_Sniffer.jpg

hap ax2
MT_hap_ax2_Torch.jpg
MT_hap_ax2_Sniffer.jpg
The hap ax2 seems to see some traffic from my PC (10.0.2.10), but does not react on pings via the trunk from 10.0.2.10 to 10.0.2.253.

The behavior of the hap ax lite looks a bit strange to me. The sniffer shows only TX packets on the hap ax lite.
My gut feeling tells me that there is no connection between the hap ax lite Switch and its CPU. However, when removing the green Trunk connection and connecting my pink cable to the ETH3_TRUNK and changing the USB-Ethernet-Adapter on my Windows PC to VLAN 10 I get the following on the hap ax lite:
MT_hap_ax_lite_VLAN_PC.jpg
In this case the hap ax lite seems to communicate normally :-? :-? :-?
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Tue Jun 20, 2023 12:04 am

One odd observation: The hap ax2 sees the LLDP packets from the hap ax lite, but the hap ax lite isn't seeing the LLDP from the hap ax2

(reference of info for my observation: output of /ip/neighbor/print detail)

On hap ax lite:
[thomas@MikroTik] > /ip/neighbor/print detail
0 interface=ETH4_MGMT,bridge_primary mac-address=A0:CE:C8:87:84:15 identity="" platform="" version=""
unpack=none age=7m14s system-caps=repeater system-caps-enabled=telephone,station-only
discovered-by=lldp

This is the mac address of the PC pink adapter and via the ETH4_MGMT (ether4) bridge-port of bridge_primary, and is oddly showing up as "telephone, station-only", but perhaps you have some voice application running on the PC?

But we don't see the hap ax2 advertisements on ETH3_TRUNK (ether3) bridge-port bridge_primary, and I don't see anything in the config that would be preventing them. Had the green cable been connected long enough for the periodic LLDP announcement to have been received by the hap ax lite?

I have no hap devices, only a hEX S and a RB5009

On hap ax2:

[thomas@MikroTik] > /ip/neighbor/print detail
0 interface=ETH3_TRUNK,bridge_primary mac-address=48:A9:8A:7C:26:1F identity="MikroTik" platform=""
version="" unpack=none age=40s interface-name="bridge_primary/ETH3_TRUNK"
system-description="MikroTik RouterOS 7.9.2 (stable) May/30/2023 13:49:00 L41G-2axD"
system-caps=bridge,router system-caps-enabled=bridge,router discovered-by=lldp

This is more like I expected to see.

To make it easier for you and anyone else looking at terminal output, you may want to change the System->Identity of the devices from "MikroTik" to hAPaxlite and hAPax2.

And to round out the info, can you also add output of the following as well (from both)
/interface/vlan/print detail
/interface/bridge/print detail
/interface/bridge/port/print detail
/interface/bridge/vlan/print detail
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Tue Jun 20, 2023 12:09 am

If there is someone else with a hap ax lite that is using vlans with the vlan filtering bridge with one bridge port tagged and another untagged (using same vlan id), can you report that it works?

And also what version of firmware you are using on the hap ax lite with working vlans?
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Tue Jun 20, 2023 12:29 am

This is the mac address of the PC pink adapter and via the ETH4_MGMT (ether4) bridge-port of bridge_primary, and is oddly showing up as "telephone, station-only", but perhaps you have some voice application running on the PC?
I cannot remember by mind that I installed some voice application or that such an application is running. However, the PC is running for quite some years and - maybe - I don't remember each and every tool I installed in the past :-|
But we don't see the hap ax2 advertisements on ETH3_TRUNK (ether3) bridge-port bridge_primary, and I don't see anything in the config that would be preventing them. Had the green cable been connected long enough for the periodic LLDP announcement to have been received by the hap ax lite?
I think so, as both devices were running and connected with each other the whole time while I answered your previous post, which took quite a while :wink:
To make it easier for you and anyone else looking at terminal output, you may want to change the System->Identity of the devices from "MikroTik" to hAPaxlite and hAPax2.
Done
And to round out the info, can you also add output of the following as well (from both)
/interface/vlan/print detail
/interface/bridge/print detail
/interface/bridge/port/print detail
/interface/bridge/vlan/print detail
hap ax lite
[thomas@hapaxlite] > /interface/vlan/print detail
Flags: X - disabled, R - running 
 0 R name="VLAN_10_MGMT" mtu=1500 l2mtu=1592 mac-address=48:A9:8A:7C:26:1F arp=enabled arp-timeout=auto 
     loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
     loop-protect-disable-time=5m vlan-id=10 interface=bridge_primary use-service-tag=no 
[thomas@hapaxlite] > /interface/bridge/print detail
Flags: X - disabled, R - running 
 0 R name="bridge_primary" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto 
     mac-address=48:A9:8A:7C:26:1F protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes 
     ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 
     vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=no 
     dhcp-snooping=no 
[thomas@hapaxlite] > /interface/bridge/port/print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload 
 0   H interface=ETH4_MGMT bridge=bridge_primary priority=0x80 path-cost=10 internal-path-cost=10 
       edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=10 
       frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes 
       unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
       bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 1   H interface=ETH3_TRUNK bridge=bridge_primary priority=0x80 path-cost=10 internal-path-cost=10 
       edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=99 frame-types=admit-only-vlan-tagged 
       ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes 
       broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query 
       fast-leave=no 
[thomas@hapaxlite] > /interface/bridge/vlan/print detail
Flags: X - disabled, D - dynamic 
 0   bridge=bridge_primary vlan-ids=10 tagged=bridge_primary,ETH3_TRUNK untagged=ETH4_MGMT 
     current-tagged=bridge_primary,ETH3_TRUNK current-untagged=ETH4_MGMT 

 1 D bridge=bridge_primary vlan-ids=1 tagged="" untagged="" current-tagged="" 
     current-untagged=bridge_primary 
hap ax2
[thomas@hapax2] > /interface/vlan/print detail
Flags: X - disabled, R - running 
 0 R name="VLAN_10_MGMT" mtu=1500 l2mtu=1564 mac-address=48:A9:8A:6E:7D:7D arp=enabled arp-timeout=auto 
     loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
     loop-protect-disable-time=5m vlan-id=10 interface=bridge_primary use-service-tag=no 
[thomas@hapax2] > /interface/bridge/print detail
Flags: X - disabled, R - running 
 0 R name="bridge_primary" mtu=auto actual-mtu=1500 l2mtu=1568 arp=enabled arp-timeout=auto 
     mac-address=48:A9:8A:6E:7D:7D protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes 
     ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 
     vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=no 
     dhcp-snooping=no 
[thomas@hapax2] > /interface/bridge/port/print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload 
 0 I   interface=ETH5_MGMT bridge=bridge_primary priority=0x80 path-cost=10 internal-path-cost=10 
       edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=10 
       frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes 
       unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
       bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 1     interface=ETH3_TRUNK bridge=bridge_primary priority=0x80 path-cost=10 internal-path-cost=10 
       edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=99 frame-types=admit-only-vlan-tagged 
       ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes 
       broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query 
       fast-leave=no 
[thomas@hapax2] > /interface/bridge/vlan/print detail
Flags: X - disabled, D - dynamic 
 0   bridge=bridge_primary vlan-ids=10 tagged=bridge_primary,ETH3_TRUNK,ETH4 untagged=ETH5_MGMT 
     current-tagged=bridge_primary,ETH3_TRUNK current-untagged="" 

 1 D bridge=bridge_primary vlan-ids=1 tagged="" untagged="" current-tagged="" 
     current-untagged=bridge_primary 
If there is someone else with a hap ax lite that is using vlans with the vlan filtering bridge with one bridge port tagged and another untagged (using same vlan id), can you report that it works?

And also what version of firmware you are using on the hap ax lite with working vlans?
I don't have another hap ax lite or another working setup.
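Added example (not part of any post in this thread, and not MikroTik tooling): a small Python audit of the `/interface/bridge/port/print detail` and `/interface/bridge/vlan/print detail` output shown above. It compares each VLAN's configured members with its `current-*` members and lists which ports carry the `H` (hw-offload) flag; the function names and finding texts are my own, and the embedded samples are the posted output reduced to the fields the audit reads.

```python
import re

# Excerpts of the output posted above, reduced to the fields the audit reads
# and re-wrapped; values are unchanged.
HAPAX2_PORTS = '''
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
 0 I   interface=ETH5_MGMT bridge=bridge_primary hw=yes pvid=10
       frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
 1     interface=ETH3_TRUNK bridge=bridge_primary hw=yes pvid=99
       frame-types=admit-only-vlan-tagged ingress-filtering=yes
'''
HAPAX2_VLANS = '''
Flags: X - disabled, D - dynamic
 0   bridge=bridge_primary vlan-ids=10 tagged=bridge_primary,ETH3_TRUNK,ETH4 untagged=ETH5_MGMT
     current-tagged=bridge_primary,ETH3_TRUNK current-untagged=""
 1 D bridge=bridge_primary vlan-ids=1 tagged="" untagged="" current-tagged=""
     current-untagged=bridge_primary
'''
HAPAXLITE_PORTS = '''
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
 0   H interface=ETH4_MGMT bridge=bridge_primary hw=yes pvid=10
       frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
 1   H interface=ETH3_TRUNK bridge=bridge_primary hw=yes pvid=99
       frame-types=admit-only-vlan-tagged ingress-filtering=yes
'''

# A record starts with an index, optional single-letter flags, then key=value text.
RECORD_START = re.compile(r'^\s*(\d+)\s+((?:[A-Z]\s+)*)([a-z].*)$')
PAIR = re.compile(r'([a-z][a-z0-9-]*)=("[^"]*"|\S*)')


def parse_detail(text):
    """Parse RouterOS 'print detail' output into a list of dicts (one per record)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Flags:", "[")):
            continue  # skip blank lines, the flag legend and the prompt line
        m = RECORD_START.match(line)
        if m:
            records.append({"flags": set(m.group(2).split()), "_raw": m.group(3)})
        elif records:
            records[-1]["_raw"] += " " + line.strip()  # wrapped continuation line
    for rec in records:
        for key, value in PAIR.findall(rec.pop("_raw")):
            rec[key] = value.strip('"')
    return records


def members(value):
    """Split a comma-separated member list, dropping empty entries."""
    return set(filter(None, value.split(",")))


def audit(port_text, vlan_text):
    """Return findings for VLAN members that are configured but not active."""
    findings = []
    ports = {p["interface"]: p for p in parse_detail(port_text)}
    vlans = [v for v in parse_detail(vlan_text) if "D" not in v["flags"]]
    for v in vlans:
        for kind in ("tagged", "untagged"):
            missing = members(v.get(kind, "")) - members(v.get("current-" + kind, ""))
            for name in sorted(missing):
                if name not in ports:
                    reason = "not a bridge port"
                elif "I" in ports[name]["flags"]:
                    reason = "bridge port flagged inactive"
                else:
                    reason = "active port, membership not applied"
                findings.append(
                    f"vlan {v['vlan-ids']}: {kind} member {name} not active: {reason}")
    for name, p in sorted(ports.items()):
        if p.get("frame-types") == "admit-only-vlan-tagged":
            if not any(name in members(v.get("tagged", "")) for v in vlans):
                findings.append(f"{name}: tagged-only port is in no VLAN's tagged list")
    return findings


def hw_offloaded(port_text):
    """Names of bridge ports that carry the H (hw-offload) flag."""
    return sorted(p["interface"] for p in parse_detail(port_text) if "H" in p["flags"])


if __name__ == "__main__":
    for finding in audit(HAPAX2_PORTS, HAPAX2_VLANS):
        print("hapax2:", finding)
    print("hapaxlite hw-offloaded ports:", hw_offloaded(HAPAXLITE_PORTS))
    print("hapax2 hw-offloaded ports:", hw_offloaded(HAPAX2_PORTS))
```

On the posted data this reports `ETH4` and `ETH5_MGMT` as configured but inactive VLAN 10 members on the hapax2, and shows that only the hapaxlite ports carry the `H` flag.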
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Tue Jun 20, 2023 1:47 am

@thn80 it appears you have configured ether5 on the hapax2 as a vlan 10 access port. (evidence output of
[thomas@hapax2] > /interface/bridge/port/print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
0 I interface=ETH5_MGMT bridge=bridge_primary priority=0x80 path-cost=10 internal-path-cost=10
edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
restricted-role=no restricted-tcn=no pvid=10
frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no
bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no

1 interface=ETH3_TRUNK bridge=bridge_primary priority=0x80 path-cost=10 internal-path-cost=10
edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no
restricted-role=no restricted-tcn=no pvid=99 frame-types=admit-only-vlan-tagged
ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes
broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query
fast-leave=no

Can you please also upload the latest export (that corresponds to the output of the print commands)?

Do you have another non-vlan aware ethernet device (it will need to be a different device than the PC with 3 interfaces) you can plug into hapax2 ether5 and then see if it can ping the pc pink adapter via the trunk port. Disconnect the orange link during the test.

Edit: like this:
Testing vlan 10 layer 2 through 2 hap.png
other observations: The hap ax2 switch does not support HW offloading of vlan filtering (evidence, output of
[thomas@hapax2] > /interface/bridge/port/print detail
which does not have "H - hw-offload" flag on the ports. Note that the hap ax lite does.

As a test, can you explicitly turn off hw offloading on the hap ax2 on bridge->ports->(ether ports 2,3 and 5) uncheck hardware offload. (this is just to see if it makes any difference). We have been focusing on the hap ax lite, but the problem may be on the hap ax2 side.

Also, what other devices do you have available to test with? Do you have a vlan-aware switch with some available ports (and not currently using vlan 10)? Raspberry pi or second PC with wired ethernet capability?
Last edited by Buckeye on Tue Jun 20, 2023 2:01 am, edited 1 time in total.
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Tue Jun 20, 2023 1:57 am

@sindy @tdw @mkx @Sob or any others that don't mind getting into the nitty gritty details of vlans and MikroTik vlan-filtering bridge.

Do any of you see any reason why the config should not work? And why it would work for a short time shortly after link status change from down to up, but then stop working?

I am about out of ideas.
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Tue Jun 20, 2023 9:31 pm

Can you please also upload the latest export (that corresponds to the output of the print commands)?
Both configurations are (except the comment at the top of the file) the complete output of "/export".
The config of the hapaxlite has already a disabled HW Offloading on ETH3 (see my comment further below).
# hapaxlite
/interface bridge
add ingress-filtering=no name=bridge_primary vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ETH1
set [ find default-name=ether2 ] disabled=yes name=ETH2
set [ find default-name=ether3 ] comment="Connected to the hAP ax2." name=\
    ETH3_TRUNK
set [ find default-name=ether4 ] comment=\
    "My PC is connected via WinBox here." name=ETH4_MGMT
/interface vlan
add interface=bridge_primary name=VLAN_10_MGMT vlan-id=10
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH4_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged hw=no interface=\
    ETH3_TRUNK pvid=99
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge_primary tagged=bridge_primary,ETH3_TRUNK untagged=ETH4_MGMT \
    vlan-ids=10
/interface wifiwave2 capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/ip address
add address=10.0.2.254/24 interface=VLAN_10_MGMT network=10.0.2.0
/ip firewall filter
add action=accept chain=forward comment="ALLOW ALL"
add action=accept chain=input comment="ALLOW ALL"
/system identity
set name=hapaxlite
/system note
set show-at-login=no
/tool sniffer
set file-limit=100000KiB filter-interface=ETH3_TRUNK memory-limit=10000KiB
# hapax2
/interface bridge
add ingress-filtering=no name=bridge_primary vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ETH1
set [ find default-name=ether2 ] comment=\
    "My PC is connected via WinBox here." name=ETH2
set [ find default-name=ether3 ] comment="Connected to the hAP ax lite" name=\
    ETH3_TRUNK
set [ find default-name=ether4 ] disabled=yes name=ETH4
set [ find default-name=ether5 ] name=ETH5_MGMT
/interface vlan
add interface=bridge_primary name=VLAN_10_MGMT vlan-id=10
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH5_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
    ETH3_TRUNK pvid=99
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/interface bridge vlan
add bridge=bridge_primary tagged=bridge_primary,ETH3_TRUNK,ETH4 untagged=\
    ETH5_MGMT vlan-ids=10
/ip address
add address=10.0.2.253/24 interface=VLAN_10_MGMT network=10.0.2.0
add address=10.0.3.253/24 interface=ETH2 network=10.0.3.0
/ip firewall filter
add action=accept chain=forward comment="ALLOW ALL"
add action=accept chain=input comment="ALLOW ALL"
/system identity
set name=hapax2
/system note
set show-at-login=no
/tool sniffer
set file-limit=100000KiB filter-interface=ETH3_TRUNK memory-limit=10000KiB
Do you have another non-vlan aware ethernet device (it will need to be a different device than the PC with 3 interfaces) you can plug into hapax2 ether5 and then see if it can ping the pc pink adapter via the trunk port. Disconnect the orange link during the test.
I pinged from a physical Ubuntu machine (10.0.2.11). The hap ax2 was reachable on its 10.0.2.253, but no success with hap ax lite (10.0.2.254) or my PC (10.0.2.10).

As a test, can you explicitly turn off hw offloading on the hap ax2 on bridge->ports->(ether ports 2,3 and 5) uncheck hardware offload. (this is just to see if it makes any difference). We have been focusing on the hap ax lite, but the problem may be on the hap ax2 side.
Done. The behavior has not changed when explicitly disabling the HW Offloading on the hap ax2.

However, I thought about the hap ax lite and that, maybe, the HW Offloading on this device could make troubles and so I disabled it on ETH3 and ETH4. And as if by a miracle the ping between both devices over the Trunk started working.
As I could not believe this, I tried to enable the HW Offloading again. Enabling it on ETH4 makes no problems, but if I enable the HW Offloading on ETH3, the connection breaks again. This behavior is reproducible, also after multiple reboots and shutdowns of both MikroTik devices.

I recorded the behavior, but as the forum does not allow me to upload a GIF file, I uploaded it here: https://gifyu.com/image/SQmD1

Do you have any idea why the HW Offloading on the hAP ax lite makes troubles on the Trunk?

Also, what other devices do you have available to test with? Do you have a vlan-aware switch with some available ports (and not currently using vlan 10)? Raspberry pi or second PC with wired ethernet capability?
I ordered a cheap managed switch today to be a bit more flexible on testing, should arrive tomorrow.
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Tue Jun 20, 2023 10:53 pm

@thn80 good detective work. The gif "movie" is pretty convincing that you have found the root cause of the problem. BTW, for others if you want to save the .gif after you click on "Play GIF 3.2MB", while it is playing, right click on playing image and save image as.

Turning on/off HW should not change the behavior, that it does is a sign of a bug. You should submit a ticket with Supout.rif (in winbox Make Supout.rif) and also a link to this thread, and include the .gif too (saved in zip with .rif).

Since you have done the hard work of isolating the problem, it is much more likely that MikroTik will be able to fix it.

This is the first MikroTik device to use the IPQ-5010 SoC and the (integrated?) MT7531 switch ASIC. So there is probably a bug in the ROS software driver for vlans. The MT7621 SoC in the hEX has an integrated ASIC similar to the MT7530. If you look at Switch Chip Features, you will see that the MT7531 is placed into the same column as the MT7621, indicating they probably use very similar switch ASICs.

patchwork.kernel.org post: [PATCHv4,0/3] : net: dsa: mt7530: support MT7530 in the MT7621 SoC and Linux mt7530.c switch driver
Last edited by Buckeye on Wed Jun 21, 2023 12:42 am, edited 1 time in total.
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Wed Jun 21, 2023 12:25 am

@thn80 good detective work.
It was not really my work, all grant of honor is going to you. Thanks so much for your support and patience with my person and my limited MikroTik experience :-D

The bug report is now existing as support ticket SUP-119824.

Thanks again so much!!!
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Wed Jun 21, 2023 3:44 am

If you still have the "setup", and have not cycled power, are there any hints in the output of log/print ?

Also just to validate that setting the pvid on the trunk port to 99 does not affect the outcome, can you manually change the pvid of ether3 back to vlan 1, because it was questioned in several other responses. I will be surprised if it makes any difference, but I have already been surprised once with this issue. And there is the "unexplained" behavior of disconnecting the trunk link and then reconnecting it causing it to work for a short time (4 pings), see MikroTik_Pings.jpg in this post.

Also can you verify that when HW is disabled, that you do see the hapax2 in output of /ip/neighbor/print detail on the hapaxlite?

And here are things that are still puzzling to me:
The problem is, that both devices cannot ping each other via the Trunk.
However, if I remove the green connection and try to connect my PC via one of the gray connections directly to one of the Trunk ports on the hAP ax lite or hAP ax² the communication works and I can ping the respective device (the interface on my PC is set to be VLAN 10 aware in this case). For my understanding this means, that the Trunk on both devices should basically work.
In the above post you said that if you set the adapter to tagged vlan 10, and connected directly to the hapaxlite ether3 port, that you could ping the hapaxlite. (but perhaps you only left it connected long enough to see the first 4 pings, which work even with the hapax2)

Can you try that again, and verify that it continues to work for 1 minute? If it does, it seems that what is causing the different behavior when the hapax2 is plugged in may be related to traffic that the hapax2 is sending, perhaps the Loop Protect packets that get sent every 5 seconds, or something else specific to ROS.

Hopefully MikroTik will be able to reproduce what you saw, it is a simple enough config it should be easy for them to reproduce it. You should probably also attach a Supout.rif from the hapax2 to SUP-119824. If they can't reproduce, few resources will be put into trying to reproduce it, so the easier you can make it for them to reproduce, the more likely the problem will be fixed in a timely manner. How to Report Bugs Effectively
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Wed Jun 21, 2023 9:31 am

I will try those points later today and provide all requested answers.
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Wed Jun 21, 2023 9:46 pm

Just to keep you up-to-date.

Question from Support:
Can you enable bridge logs on both devices, and see if something shows up when HW offload is enabled?
/system logging
add topics=bridge
Test result:
On the hAP ax lite after enabling the HW Offload the log only showed:
hardware offloading activated on bridge "bridge_primary" ports: ETH3_TRUNK

And after disabling the HW Offload I only got:
hardware offloading deactivated on bridge "bridge_primary" ports: ETH3_TRUNK

But on the hAP ax2 where I changed nothing the log showed the two messages:
ETH3-TRUNK learning
ETH3-TRUNK discarding
Both messages appeared every 2 seconds as long as the HW Offloading on the hAP ax lite was enabled.
When I disabled the HW Offloading on the hAP ax lite, the hAP ax2 showed:
ETH3-TRUNK learning
ETH3-TRUNK forwarding


Question from Support:
Another quick test, can you disable the RSTP on hAP ax lite and see if HW offloading works?
/interface/bridge set [find] protocol-mode=none
Test result:
When I disable RSTP on the bridge of the hAP ax lite and enable the HW Offloading it works. While having the HW Offloading enabled I tried to enable/disable RSTP a few times and without RSTP it seems to work fine. With RSTP enabled the connection does not work.
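
Added example (not part of the original post and not MikroTik code): a small log check for the symptom reported above, a port that keeps cycling learning -> discarding and never reaches forwarding. The page only gives the message text; the HH:MM:SS timestamps, the sample lines and the function name are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: message text as quoted in the post, repeating every
# 2 seconds; the leading timestamps are an assumption for this example.
SAMPLE_HW_OFFLOAD_ON = """\
21:40:01 ETH3-TRUNK learning
21:40:03 ETH3-TRUNK discarding
21:40:05 ETH3-TRUNK learning
21:40:07 ETH3-TRUNK discarding
21:40:09 ETH3-TRUNK learning
21:40:11 ETH3-TRUNK discarding
"""

# Constructed sample: the healthy sequence seen after HW offloading was disabled.
SAMPLE_HW_OFFLOAD_OFF = """\
21:45:01 ETH3-TRUNK learning
21:45:03 ETH3-TRUNK forwarding
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\s+(\S+)\s+(learning|discarding|forwarding)$"
)


def find_stuck_ports(log_text, min_cycles=3):
    """Return {port: (cycles, seconds_spanned)} for ports that went
    learning -> discarding at least min_cycles times without an
    intervening 'forwarding' state."""
    last_state = {}
    cycles = defaultdict(int)
    first_cycle_at = {}
    last_cycle_at = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore unrelated log lines
        hours, minutes, seconds, port, state = match.groups()
        now = int(hours) * 3600 + int(minutes) * 60 + int(seconds)
        if state == "forwarding":
            # Port converged: forget any earlier flapping.
            cycles[port] = 0
            first_cycle_at.pop(port, None)
        elif state == "discarding" and last_state.get(port) == "learning":
            cycles[port] += 1
            first_cycle_at.setdefault(port, now)
            last_cycle_at[port] = now
        last_state[port] = state
    return {
        port: (count, last_cycle_at[port] - first_cycle_at[port])
        for port, count in cycles.items()
        if count >= min_cycles
    }


if __name__ == "__main__":
    print("HW offload on :", find_stuck_ports(SAMPLE_HW_OFFLOAD_ON))
    print("HW offload off:", find_stuck_ports(SAMPLE_HW_OFFLOAD_OFF))
```
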
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Wed Jun 21, 2023 10:33 pm

Are there any hints in the output of log/print ?
I don't see any relevant information. However, please have a look at my previous post regarding the MikroTik support.

Also just to validate that setting the pvid on the trunk port to 99 does not affect the outcome, can you manually change the pvid of ether3 back to vlan 1, because it was questioned in several other responses.
Exactly the same behavior after changing the PVID from 99 to 1.

Also can you verify that when HW is disabled, that you do see the hapax2 in output of /ip/neighbor/print detail on the hapaxlite?
While HW Offloading on hapaxlite was ENABLED:
[thomas@hapaxlite] > /ip/neighbor/print detail
 0 interface=ETH4_MGMT,bridge_primary mac-address=A0:CE:C8:87:84:15 identity="" platform="" version="" 
   unpack=none age=1m24s system-caps=other,router,telephone,docsis-cable-device,station-only 
   system-caps-enabled=router,station-only discovered-by=lldp
[thomas@hapax2] > /ip/neighbor/print detail
 0 interface=ETH2 mac-address=A0:CE:C8:89:6A:58 identity="" platform="" version="" unpack=none 
   age=2m58s system-caps=wlan-ap,router,telephone,docsis-cable-device,station-only 
   system-caps-enabled=router,telephone,station-only discovered-by=lldp 

 1 interface=ETH3_TRUNK,bridge_primary mac-address=48:A9:8A:7C:26:1F identity="hapaxlite" platform="" 
   version="" unpack=none age=18s interface-name="bridge_primary/ETH3_TRUNK" 
   system-description="MikroTik RouterOS 7.9.2 (stable) May/30/2023 13:49:00 L41G-2axD" 
   system-caps=bridge,router system-caps-enabled=bridge,router discovered-by=lldp 

 2 interface=VLAN_10_MGMT address=10.0.2.254 address4=10.0.2.254 mac-address=48:A9:8A:7C:26:20 
   identity="hapaxlite" platform="MikroTik" version="7.9.2 (stable) May/30/2023 13:49:00" unpack=none 
   age=18s uptime=50m13s software-id="9HQS-908A" board="L41G-2axD" ipv6=yes 
   interface-name="VLAN_10_MGMT" system-caps="" system-caps-enabled="" discovered-by=cdp,mndp
While HW Offloading on hapaxlite was DISABLED:
[thomas@hapaxlite] > /ip/neighbor/print detail
 0 interface=ETH3_TRUNK,bridge_primary mac-address=48:A9:8A:6E:7D:7D identity="hapax2" platform="" 
   version="" unpack=none age=13s interface-name="bridge_primary/ETH3_TRUNK" 
   system-description="MikroTik RouterOS 7.9.2 (stable) May/30/2023 13:49:00 C52iG-5HaxD2HaxD" 
   system-caps=bridge,router system-caps-enabled=bridge,router discovered-by=lldp 

 1 interface=ETH4_MGMT,bridge_primary mac-address=A0:CE:C8:87:84:15 identity="" platform="" version="" 
   unpack=none age=3m35s system-caps=other,router,telephone,docsis-cable-device,station-only 
   system-caps-enabled=router,station-only discovered-by=lldp 

 2 interface=VLAN_10_MGMT address=10.0.2.253 address4=10.0.2.253 mac-address=48:A9:8A:6E:7D:7D 
   identity="hapax2" platform="MikroTik" version="7.9.2 (stable) May/30/2023 13:49:00" unpack=none 
   age=13s uptime=51m13s software-id="P1XW-5302" board="C52iG-5HaxD2HaxD" ipv6=yes 
   interface-name="VLAN_10_MGMT" system-caps="" system-caps-enabled="" discovered-by=cdp,mndp
[thomas@hapax2] > /ip/neighbor/print detail
 0 interface=ETH2 mac-address=A0:CE:C8:89:6A:58 identity="" platform="" version="" unpack=none age=4m9s 
   system-caps=wlan-ap,router,telephone,docsis-cable-device,station-only 
   system-caps-enabled=router,telephone,station-only discovered-by=lldp 

 1 interface=ETH3_TRUNK,bridge_primary mac-address=48:A9:8A:7C:26:1F identity="hapaxlite" platform="" 
   version="" unpack=none age=28s interface-name="bridge_primary/ETH3_TRUNK" 
   system-description="MikroTik RouterOS 7.9.2 (stable) May/30/2023 13:49:00 L41G-2axD" 
   system-caps=bridge,router system-caps-enabled=bridge,router discovered-by=lldp 

 2 interface=VLAN_10_MGMT address=10.0.2.254 address4=10.0.2.254 mac-address=48:A9:8A:7C:26:20 
   identity="hapaxlite" platform="MikroTik" version="7.9.2 (stable) May/30/2023 13:49:00" unpack=none 
   age=28s uptime=51m13s software-id="9HQS-908A" board="L41G-2axD" ipv6=yes 
   interface-name="VLAN_10_MGMT" system-caps="" system-caps-enabled="" discovered-by=cdp,mndp
In the above post you said that if you set the adapter to tagged vlan 10, and connected directly to the hapaxlite ether3 port, that you could ping the hapaxlite. (but perhaps you only left it connected long enough to see the first 4 pings, which work even with the hapax2)
I know, it sounds completely weird and I would also not believe if not having seen it.
To make you trust me, see the following screenshots.

The first screenshot shows that the only enabled port on the hapaxlite is the ETH3_TRUNK, the HW Offload is enabled and you can see a lot of pings from the hapaxlite to my PC (10.0.2.10).
MT_Pings_PC-hapaxlite_1.jpg
The second screenshot shows the current VLAN setting of the Network Interface Card and also shows a lot of successful pings to the hapaxlite (10.0.2.254).
MT_Pings_PC-hapaxlite_2.jpg
If you still cannot believe, you are welcome here in Germany for a cup of coffee and some debugging session :lol:
By the way, the WinBox session I used for the first screenshot was running from my PC via VLAN 10 to the ETH3_TRUNK on the hapaxlite.

Can you try that again, and verify that it continues to work for 1 minute? If it does, it seems that what is causing the different behavior when the hapax2 is plugged in may be related to traffic that the hapax2 is sending, perhaps the Loop Protect packets that get sent every 5 seconds, or something else specific to ROS.
As you can see in my previous post, it seems that RSTP plays a role.

You should probably also attach a Supout.rif from the hapax2 to SUP-119824. If they can't reproduce, few resources will be put into trying to reproduce it, so the easier you can make it for them to reproduce, the more likely the problem will be fixed in a timely manner.
Done.
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working

Thu Jun 22, 2023 7:08 am

@thn80 Thanks for your good documentation of the issue.

I haven't seen the issue you saw with my hEX S, but the "trunk" link was a bit different on my setup, and the other end of the trunk link was a Ubiquiti ER-X with the vlan-aware switch0. And the ER-X doesn't support RSTP on the switch0 interface. If you want to use RSTP on an ER-X, then you need to use the br0 device. I just avoid loops in my lab environment.

It seems that something in the hapaxlite is not handling STP/loop protection correctly.

I am a bit surprised that no one else has complained, it seems that it would be a problem for any multi-SSID AP connected to a "trunk" port on the hapaxlite.

Perhaps it only exists in certain versions of firmware, but the hapaxlite is quite new, and I don't even know the "lowest version of ROS" that supports the MT7531 switch ASIC. If you issue the command /system/routerboard/print (and remove the serial-number for output) the factory-firmware: should show the lowest version you can use.
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working

Thu Jun 22, 2023 9:14 am

Perhaps it only exists in certain versions of firmware, but the hapaxlite is quite new, and I don't even know the "lowest version of ROS" that supports the MT7531 switch ASIC. If you issue the command /system/routerboard/print (and remove the serial-number for output) the factory-firmware: should show the lowest version you can use.
For my hapaxlite I get:
factory-firmware: 7.7
current-firmware: 7.9.2

But to be honest, I don't want to play with different firmware versions, because the debugging session with the MikroTik support is still ongoing and I do not want to disturb this action. In case MikroTik located the issue or will tell they have no idea anymore, we can go with different firmware versions :)
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working  [SOLVED]

Thu Jun 22, 2023 10:03 am

MikroTik reported in my support ticket SUP-119824 that they were able to locate the problem and will fix it.

Comment from MikroTik:
We have managed to reproduce the issue locally in our labs and look forward to fixing it on upcoming RouterOS versions, unfortunately, I cannot provide a release date now.

The problem is related to incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports. Few possible workarounds: disable RSTP, disable HW offloading, or setting trunk ports as "edge=yes".
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Fri Jun 23, 2023 2:26 am

Thanks for updating the title to make it easier to find in the future. I have this thread saved in my useful links spreadsheet.

I am trying to think of a way that we could have narrowed this down faster.

Does the Spanning Tree Protocol Monitoring display give any clues when you switch between HW and SW bridging?

Spanning Tree Protocol overview
Spanning Tree Protocol configuration
Bridging and Switching
Bridge Monitoring
Bridge Port Monitoring
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Fri Jun 23, 2023 11:49 am

Does the Spanning Tree Protocol Monitoring display give any clues when you switch between HW and SW bridging?
HW Offloading disabled
[thomas@hapaxlite] > /interface bridge monitor bridge
                  state: enabled
    current-mac-address: 48:A9:8A:7C:26:1F
            root-bridge: no
         root-bridge-id: 0x8000.48:A9:8A:6E:7D:7D
         root-path-cost: 10
              root-port: ETH3_TRUNK
             port-count: 2
  designated-port-count: 1
           fast-forward: no
HW Offloading enabled
[thomas@hapaxlite] > /interface bridge monitor bridge
                  state: enabled
    current-mac-address: 48:A9:8A:7C:26:1F
            root-bridge: yes
         root-bridge-id: 0x8000.48:A9:8A:7C:26:1F
         root-path-cost: 0
              root-port: none
             port-count: 2
  designated-port-count: 2
           fast-forward: no
HW Offloading disabled
[thomas@hapaxlite] > /interface bridge port monitor 1
               interface: ETH3_TRUNK
                  status: in-bridge
             port-number: 1
                    role: root-port
               edge-port: no
     edge-port-discovery: yes
     point-to-point-port: yes
            external-fdb: no
            sending-rstp: yes
                learning: yes
              forwarding: yes
          root-path-cost: 10
       designated-bridge: 0x8000.48:A9:8A:6E:7D:7D
         designated-cost: 0
  designated-port-number: 1
HW Offloading enabled
[thomas@hapaxlite] > /interface bridge port monitor 1
            interface: ETH3_TRUNK
               status: in-bridge
          port-number: 1
                 role: designated-port
            edge-port: no
  edge-port-discovery: yes
  point-to-point-port: yes
         external-fdb: no
         sending-rstp: yes
             learning: yes
           forwarding: yes
     hw-offload-group: switch1
And that's the current STP configuration of the Bridge and the ETH3_TRUNK.
hapaxlite_STP-Confog.jpg
I think for my playground setup (the original purpose for the setup was to play with CAPsMAN) the STP will simply be disabled until MikroTik provides a fix.
To understand the STP stuff a bit better, I will go through your links.
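
Added example (not part of the original post and not MikroTik code): the monitor output above already shows the fault, because with HW offloading enabled the hapaxlite elects itself root although its directly connected neighbor has a lower (better) bridge ID, which means the neighbor's BPDUs are not reaching its spanning tree process. The check below automates that comparison on excerpts of the output copied from the post; the function names are made up for this example, and the hapax2 bridge ID is assumed to be the root-bridge-id shown while HW offloading was disabled.

```python
# Excerpts of "/interface bridge monitor" output copied from the post above.
MONITOR_HW_OFF = """\
                  state: enabled
    current-mac-address: 48:A9:8A:7C:26:1F
            root-bridge: no
         root-bridge-id: 0x8000.48:A9:8A:6E:7D:7D
         root-path-cost: 10
              root-port: ETH3_TRUNK
"""
MONITOR_HW_ON = """\
                  state: enabled
    current-mac-address: 48:A9:8A:7C:26:1F
            root-bridge: yes
         root-bridge-id: 0x8000.48:A9:8A:7C:26:1F
         root-path-cost: 0
              root-port: none
"""
# Assumption: bridge ID of the hapax2, as reported while HW offloading was off.
NEIGHBOR_IDS = ["0x8000.48:A9:8A:6E:7D:7D"]


def parse_monitor(text):
    """Turn the 'key: value' lines of the monitor output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields


def bridge_id_key(bridge_id):
    """'0x8000.48:A9:8A:6E:7D:7D' -> (priority, mac) as integers.
    In the STP election the numerically lowest bridge ID wins."""
    priority, _, mac = bridge_id.partition(".")
    return int(priority, 16), int(mac.replace(":", ""), 16)


def check_root(monitor_text, neighbor_bridge_ids):
    """Return None if the reported root is the best bridge ID known,
    otherwise a finding describing the inconsistent election."""
    fields = parse_monitor(monitor_text)
    reported = fields["root-bridge-id"]
    best = min([reported, *neighbor_bridge_ids], key=bridge_id_key)
    if bridge_id_key(reported) == bridge_id_key(best):
        return None
    return {
        "reported_root": reported,
        "better_neighbor": best,
        "claims_root": fields.get("root-bridge") == "yes",
    }


if __name__ == "__main__":
    for label, text in (("HW offload off", MONITOR_HW_OFF),
                        ("HW offload on", MONITOR_HW_ON)):
        finding = check_root(text, NEIGHBOR_IDS)
        print(label, "->", finding or "root election consistent")
```
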
 
holvoetn
Forum Guru
Posts: 6325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Fri Jun 30, 2023 9:39 am

Following since I was banging my head against a wall trying to setup AXLite as additional AP at home using VLANs and multiple SSID ... only to fail each and every time.
Config was copied (sort of, using terminal the parts I needed) from AX2 and AX3 with similar setups where it works just fine.

I already came to the point STP needed to be disabled on the AXLite -bridge (otherwise no access via trunk, only via mgmt port I isolated from bridge) but clients still can not connect.

And then I saw this thread ...
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Fri Jun 30, 2023 9:45 am

I already came to the point STP needed to be disabled on the AXLite -bridge (otherwise no access via trunk, only via mgmt port I isolated from bridge) but clients still can not connect.
@skyhawk reported a similar problem (not exactly the same) on a hEX that uses a similar switch ASIC. If interested see this thread Bridge VLAN-Filter Offload broken on hEXr3?
 
holvoetn
Forum Guru
Posts: 6325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Fri Jun 30, 2023 9:55 am

Yeah, saw that link already as well. Still trying to digest all info :shock:

Just got the clients to connect to that device.
Apart from STP=none and manually setting HW offload to no for trunk port, bridge also needed to be added to all VLAN ids.
Which was not needed on AX2 or AX3 ?
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Fri Jun 30, 2023 10:22 am

I don't think either the hap ax2 or hap ax3 switch chips are currently supported for HW vlan-filtering, so the bridge vlan-filtering is already done in the CPU, although I am surprised that the behavior would be different in the software implementation (other than the L2 forwarding performance and CPU loading).

If you want the CPU to be able to "connect" to the vlan in the switch ASIC, that's the purpose of including the bridge in the /interface bridge vlan for each vlan you want the CPU to see. When HW offloading to switch, the CPU won't ever even see the traffic that stays within one vlan between two switch ports, but the only way for traffic to get from one vlan to another is via routing, usually by the CPU on low end switch chips, and that requires the "connection" from the vlans involved to the CPU via the "internal trunk link". See @sindy's RouterOS bridge mysteries explained (and this post and the one following it discuss my interpretation about it a bit more).

If you want to discuss this more, we should create a new topic instead of hijacking this one, more than we already have.
Last edited by Buckeye on Sat Jul 01, 2023 1:22 am, edited 2 times in total.
 
holvoetn
Forum Guru
Posts: 6325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Sat Jul 01, 2023 12:04 am

Appreciate the assistance/explanation (and it does make perfect sense, no idea why I missed that part) but I'll leave it here for now (2 threads on the same issue and both confirmed a fix is on the way).
As you say, no need to hijack this thread any further (though it was on topic ;) ).
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Mon Jul 31, 2023 10:38 pm

This may be fixed by 7.11rc1 as reported by @skyhawk in this post from the thread Bridge VLAN-Filter Offload broken on hEXr3?
 
thn80
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Mon Jul 31, 2023 11:02 pm

This may be fixed by 7.11rc1 as reported by @skyhawk in this post from the thread Bridge VLAN-Filter Offload broken on hEXr3?
Thanks for this wonderful information :D
 
Buckeye
Forum Veteran
Posts: 906
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Wed Aug 02, 2023 8:42 pm

Were you able to verify that the 7.11rc1 "fix" worked for your hAP ax lite? Because @skyhawk reported in a followup post that it did not solve his problem (which was on a hEX (RB750Gr3) using the MT7621)
 
holvoetn
Forum Guru
Posts: 6325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Sat Aug 05, 2023 5:31 pm

Just tested, for AX Lite it does not seem to be working either.

Simple setup:
trunk on ether1 with vlan id 2 and 30 (tagged).
Connected to AX3 which passes 2 and 30 as well as trunk (only VLAN tagged).
VLAN slave interfaces on AX-L bridge with itf 2 and 30
DHCP client on those VLAN interfaces.

Bridge VLAN filtering on, only tagged traffic.
RSTP selected
Trunk port is HW Offloaded
No DHCP lease.

Only when VLAN filtering is disabled the trunk does what it needs to do and leases are being assigned.
So plus: RSTP and HW offload can be kept active now.
One step forward, to say it positive :?

Edit: STUPIDO !! Bridge needs to be added to tagged ports since those slave interfaces are connected to bridge.
It DOES work.
