beb
just joined
Topic Author
Posts: 19
Joined: Tue Nov 13, 2012 4:17 am

ethernet port with tagged AND untagged traffic - SOLVED

Tue Jun 24, 2014 7:10 am

I am connecting an access point to an RB2011 with RouterOS 5.22 using VLANs to separate traffic from different SSIDs.

I've started with
    /interface bridge port
        add interface=ether1           bridge=bridge-secure
which works fine, but obviously not for VLANs.

Then created VLANs and bridged those:
    /interface vlan
        add interface=ether1 vlan=10 name=vlan-10-unsecure
        add interface=ether1 vlan=20 name=vlan-20-secure
        add interface=ether1 vlan=50 name=vlan-50-guest
    /interface bridge port
        add interface=ether1           bridge=bridge-secure
        add interface=vlan-10-unsecure bridge=bridge-unsecure
        add interface=vlan-20-secure   bridge=bridge-secure
        add interface=vlan-50-guest    bridge=bridge-guest
Problem: once I add the VLANs, untagged traffic is no longer bridged to bridge-secure. The access point is using untagged traffic to get a DHCP address from the router (and who knows what else). Anyway, it's not working if the router ignores untagged traffic. I know since I have a different access point (with other shortcomings) that allows me to set a vlan for management traffic, then all works (after removing the line "add interface=ether1 bridge=bridge-secure").

Summary: how do I bridge both tagged and untagged traffic on ether1?

I've configured a DHCP server for each bridge (works fine).
Last edited by beb on Thu Jun 26, 2014 4:02 am, edited 1 time in total.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: ethernet port with tagged AND untagged traffic

Tue Jun 24, 2014 11:15 am

I would suggest you try an updated ROS version... sometimes they solve issues and do not mention it in the changelog.
 
beb
just joined
Topic Author
Posts: 19
Joined: Tue Nov 13, 2012 4:17 am

Re: ethernet port with tagged AND untagged traffic

Tue Jun 24, 2014 5:21 pm

> I would suggest you try an updated ROS version... sometimes they solve issues and do not mention it in the changelog.

I understand what you are saying. But V6 changed QoS, and I'd rather keep my current QoS setup unless I know the change really fixes my problem.
 
beb
just joined
Topic Author
Posts: 19
Joined: Tue Nov 13, 2012 4:17 am

Re: ethernet port with tagged AND untagged traffic

Tue Jun 24, 2014 7:47 pm

To reformulate the problem more concisely: I want a secure and unsecure (guest) wifi on my access point.

For this, I connected the wireless access point to bridge-unsecure on port ether1 without any VLAN traffic. This part works.

In addition, the access point sends tagged traffic (vlan-id=20). How do I "connect" this traffic to bridge-secure?

(I've set up bridges bridge-unsecure and bridge-secure with DHCP and all, this part works fine).

All help is most gratefully appreciated!
 
beb
just joined
Topic Author
Posts: 19
Joined: Tue Nov 13, 2012 4:17 am

Re: ethernet port with tagged AND untagged traffic

Wed Jun 25, 2014 6:10 am

> To reformulate the problem more concisely: I want a secure and unsecure (guest) wifi on my access point.
>
> For this, I connected the wireless access point to bridge-unsecure on port ether1 without any VLAN traffic. This part works.
>
> In addition, the access point sends tagged traffic (vlan-id=20). How do I "connect" this traffic to bridge-secure?
>
> (I've set up bridges bridge-unsecure and bridge-secure with DHCP and all, this part works fine).
>
> All help is most gratefully appreciated!

I'm adding my configuration. The first part just sets up two bridges with DHCP. The second part bridges ether1 to bridge-unsecure, and sets up VLAN 20 on ether1 and bridges that to bridge-secure to route tagged traffic to the secure bridge. Untagged traffic gets to bridge-secure. Torch shows both untagged and tagged traffic, but tagged traffic "gets lost" and clients do not even get an IP address from the DHCP server.

ros code

# Mikrotik Router Configuration RB2011

############################################################################################
# Bridges & DHCP

/interface bridge
    add name=bridge-unsecure disabled=no
    add name=bridge-secure   disabled=no

/ip pool
    add name=pool-unsecure ranges=192.168.10.200-192.168.10.249
    add name=pool-secure   ranges=192.168.20.200-192.168.20.249

/ip address
    add address=192.168.10.1/24 interface=bridge-unsecure
    add address=192.168.20.1/24 interface=bridge-secure

/ip dhcp-server
    add interface=bridge-unsecure name=dhcp-unsecure lease-time=1h disabled=no address-pool=pool-unsecure
    add interface=bridge-secure   name=dhcp-secure   lease-time=1h disabled=no address-pool=pool-secure

/ip dhcp-server network
    add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
    add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

############################################################################################
# Ethernet

/interface ethernet    
    set  0 disabled=yes
    set  1 name=ether1 master-port=none

# SUPPOSED TO ROUTE TAGGED TRAFFIC ON ether1 - APPARENTLY DOES NOT
/interface vlan
    add interface=ether1 vlan=20 name=vlan-20-secure

/interface bridge port
# DOES NOT PASS TRAFFIC
    add interface=vlan-20-secure   bridge=bridge-secure
# PASSES (UNTAGGED) TRAFFIC
    add interface=ether1           bridge=bridge-unsecure
If upgrading to ROS 6 really solves the problem I will try to do that. But I am concerned about what it breaks. At least qos.

I will be eternally grateful for your help!
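
An added illustration, not part of the original thread: a short Python model of how untagged and 802.1Q-tagged frames arriving on ether1 differ on the wire, and which bridge the configuration above intends each to reach. It models the intended mapping only, not RouterOS forwarding; the MAC addresses, the sample frames and the handling of VLAN ID 0 and of unlisted VLAN IDs are assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Assumption: mirrors the poster's intended ether1 layout
# (untagged -> bridge-unsecure, VLAN 20 -> bridge-secure).
UNTAGGED_BRIDGE = "bridge-unsecure"
VLAN_TO_BRIDGE = {20: "bridge-secure"}

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build a constructed Ethernet II frame, optionally 802.1Q-tagged."""
    header = dst + src
    if vlan_id is not None:
        # TCI: 3 bits priority, 1 bit DEI (left 0), 12 bits VLAN ID
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return (vlan_id or None, inner ethertype) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner

def classify(frame):
    """Name the bridge a frame arriving on ether1 is meant to reach, or None."""
    vlan_id, _ = parse_vlan(frame)
    if vlan_id is None or vlan_id == 0:
        # VID 0 is a priority tag only; treated here as untagged (assumption).
        return UNTAGGED_BRIDGE
    # None means no VLAN interface is mapped to this ID in the model.
    return VLAN_TO_BRIDGE.get(vlan_id)

# Constructed sample frames (broadcast IPv4, as a DHCP discover would be).
BCAST = b"\xff" * 6
AP_MAC, CLIENT_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLES = {
    "ap-management": build_frame(BCAST, AP_MAC, 0x0800, b"\x00" * 46),
    "secure-ssid": build_frame(BCAST, CLIENT_MAC, 0x0800, b"\x00" * 46, vlan_id=20),
    "unknown-vlan": build_frame(BCAST, CLIENT_MAC, 0x0800, b"\x00" * 46, vlan_id=50),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:14} -> {classify(frame)}")
```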
 
beb
just joined
Topic Author
Posts: 19
Joined: Tue Nov 13, 2012 4:17 am

Re: ethernet port with tagged AND untagged traffic

Thu Jun 26, 2014 4:01 am

> > I would suggest you try an updated ROS version... sometimes they solve issues and do not mention it in the changelog.
>
> I understand what you are saying. But V6 changed QoS, and I'd rather keep my current QoS setup unless I know the change really fixes my problem.

I bit the bullet and upgraded to V6: now indeed it's working!!! Should have listened right away ...
(but the upgrade did break quite a few things and took me several hours to fix - not sure I'm done yet).
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: ethernet port with tagged AND untagged traffic - SOLVED

Thu Jun 26, 2014 6:09 am

You should be able to now move your config away from bridges to just using the switch chip for VLAN tagging. This will speed up any L2 communications on your device.
 
beb
just joined
Topic Author
Posts: 19
Joined: Tue Nov 13, 2012 4:17 am

Re: ethernet port with tagged AND untagged traffic - SOLVED

Thu Jun 26, 2014 7:21 am

> You should be able to now move your config away from bridges to just using the switch chip for VLAN tagging. This will speed up any L2 communications on your device.

Not sure how to do this, or if it's even possible: I'm using a firewall to regulate traffic between bridges: traffic can pass between some, not others, and it also depends on the service called.
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: ethernet port with tagged AND untagged traffic - SOLVED

Thu Jun 26, 2014 7:35 am

If you're regulating the traffic via L2 bridge firewall rules then that makes sense. If you are doing it at L3, which is what I assumed looking at the small config snip, then you could move away from the bridges. That said, it would probably only benefit you if you use multiple ports on your RB2011 to connect to upstream devices that may use the VLANs. This way any L2 switching would stay on the switch chip and not need to traverse the CPU, thus freeing up CPU time and BW to the CPU.

If you don't need to utilize the switch then removing the bridges will likely only free up CPU time because there would be fewer steps in the packet processing.

See this wiki article on configuring the switch chip.

http://wiki.mikrotik.com/wiki/Manual:Sw ... outerOS_v6
