2 ways to associate bridge and VLAN

ocgltd · Mon Feb 28, 2022 10:39 pm

I'm trying to get a hotspot working on an interface with both tagged and untagged traffic. Based on a guide I found online, it said I needed to associate the hotspot with a bridge that is associated with the VLAN.

However, while searching through the interface on WinBox there seem to be do different ways to do this:

Bridge > Ports > Add (set VLAN, set bridge to interface)

Interface > VLAN > Add (set VLAN, set Interface to bridge)

While I suspect they do different things, it's not clear what. Can someone explain the difference?

404Network · Mon Feb 28, 2022 10:44 pm

I am not sure where you get your info but suggest starting here.......
https://help.mikrotik.com/docs/pages/vi ... d=56459266

It seems to indicate you can associate your hotspot with most any interface.
My preference, If I was to try it, would be via vlan.

ocgltd · Mon Feb 28, 2022 10:49 pm

I actually followed that guide and it's not working (as described here viewtopic.php?p=914127#p914127).

That guide did work on 2 other MT's but not this one. Same RoS version, but this is an older model MT and slightly different setup. I have not had any luck getting help through the forum or MT support directly, so I've been looking for help online and found this:

https://fydelia.zendesk.com/hc/en-us/ar ... -on-a-VLAN

Sadly their guide didn't work (same problem)...but I wondered if I have something else is setup wrong. Which is how I discovered those 2 settings that are not clear to me. (Regardless of hotspot situation).

Under Interface > VLAN's should I be specifying which interface the VLAN traffic is coming in/out (ether3) or the bridge (my new hotspot-bridge)
Under Bridge > Ports why do I need to associate a 'port' with the new hotspot-bridge if I already told the interface to send VLAN traffic in/out interface ether3?

mkx · Mon Feb 28, 2022 11:17 pm

Since you have doubts about /interface bridge port VS. /interface vlan, I suggest you to go through VLAN tutorial.

But in short: /interface bridge and sub-branches configure L2 stuff ... the switch-like behaviour. When vlan-filtering=yes is set on bridge, only tagged frames pass the switch-like entity. Which means that member ports either have to pass tagged frames or they have to tag/untag frames (if wire is supposed to carry untagged frames). This is configured under /interface bridge port and /interface bridge vlan.

On the other hand, /interface vlan is entirely about how ROS can interact with (V)LANs. The thing is that IP interfaces (i.e. the ones that have IP address set) can only deal with untagged frames.
So if you're running different VLANs through MT device, a special interface is needed ... the interface that takes tagged frame on one end (tagged end), processes only frames with VLAN ID configured, strips the tag and delivers untagged frame on the other end (untagged end). In the opposite direction it takes untagged frame, adds VLAN header with configured VID and pushes it out on the tagged end. That's the kind of interfaces created under /interface vlan. The tagged end is an existing interface (carrying tagged frames), such as bridge interface or physical interface (e.g. ether2) and is passed as interface=<interface_name> property of the vlan interface. The untagged end is new interface and you "make up" name via name=<vi_name> property. You then use vi_name interface as IP interface ...

ocgltd · Sat Mar 05, 2022 1:11 am

Although I have 4 VLAN's working properly across my MT, somehow all of the reading has left me a bit confused. So let me break my problem into 2 steps. First, here's my high level diagram:

(https://ibb.co/0VZsBbg)

You can see bridge-internal has ports ether2 and ether3, while bridge-hotspot has no ports added.

First, I have an access point connected to my MT on ether3. The access point send/receives traffic to/from the MT as untagged (172.31.234.0/24) for my trusted traffic, and tagged as VLAN 40 (172.31.236.0/24) for my guests.

So I have
1. Created two bridges (bridge-internal and bridge-hotspot)
2. under interfaces I have ether3 defined as "access point"
3. under Bridge > Ports I have added ether3 to bridge-internal
4. Under interfaces > VLAN I created VLAN 40, connected to interface bridge-hotspot, called "vlan40"
5. Under bridge > ports I have NOT added "vlan40" to bridge-hotspot (since I did step 4 above)
6. I have IP > hotspot disabled for now, leave that for a later step

Is the above a correct found to build on for my hotspot? I assume the VLAN40 tagged traffic comes in ether3, is untagged, and placed on bridge-hotspot as untagged traffic. (and vice versa) . Don't worry about firewall rules, other VLAN's etc...I just need to get the ether3 working to carry untagged traffic to my bridge-internal, and ether3/VLAN 40 to show up as an interface to which I can apply firewall rules. Everything else is already working. Something about the ether3 config is making this confusing.

If correct, I should setup my HotSpot to use interface 'bridge-hotspot'?
If correct, do I just setup firewall rules & masquerade to handle getting hotspot traffic in/out the WAN?

404Network · Sat Mar 05, 2022 1:36 am

Try a diagram following your text is like a maze.
You only need one bridge and the rest VLANs.
You didnt state what model of AP you have but will assume it vlan capable and ubiquiti since its set up backwards - like a hybrid setup.
Assuming vlan10 trusted-home 172.31.234.0/24
vlan20 - unk
vlan30 - unk
vlan40 hotspot

Assign all vlans to the bridge THEN..............

/bridge ports
add bridge=bridge interface=ether2 pvid=10 ingress-filtering=yes
add bridge=bridge interface=ether3 (hybrid) pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=20
add bridge=bridge interface=ether6 pvid=30
/bridge vlans
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether 4 pvid=10
add bridge=bridge tagged=bridge untagged=ether5 pvid=20
add bridge=bridge tagged=bridge untagged=ether6 pvid=30
add bridge=bridge tagged=bridge,ether3 pvid=40

Need addresses, dhcp-server, dhcp-server-network, IP pool, and addresses for all vlans

/ip interface
add name=WAN
add name=LAN
add name=Manage

/ip interface members
ether1 list=LAN (unless its a vlan or pppoe and then that name need also to be added to WAN interface)
vlan10 list=LAN
vlan20 list=LAN
vlan30 list=LAN
vlan40 list=LAN
vlan10 list=Manage

/ip neighbours discovery
interface-list=Manage
/ip tools
mac server
win mac server interface-list=Manage

/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=Manage {optional to add a source address firewall list of Admin devices)
add action=accept chain=input in-interface-list=LAN dst-port=53
add action=drop chain=input comment="drop all else"
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

Sat Mar 05, 2022 2:16 am

please check this guide

https://help.mikrotik.com/docs/display/ ... figuration

Buckeye · Sat Mar 05, 2022 6:45 am

Getting the most out of this forum

What MT routers do you have that do work?

What firmware is loaded on the routers that work? On the RB850Gx2?

What is the "untagged vlan" on the Cisco? is it the default vlan 1?

What interface and vlan is associated with 172.31.234.0/24 (your home lan)? Is that the port connected to the Cisco switch? Were you expecting vlan 30 on ether4 to have access to vlan 30 on the Cisco trunk on ether2?

Providing this information up front reduces frustration for the people trying to help, and therefore makes it much more likely that you will get a timely and correct answer.
If you don't give enough information, you are expecting us to read your mind.

Also what make/model/software is being used by other things related to your problem is helpful too, as well as information about your experience, i.e. if you know how to do this with pfsense, or openWRT, Cisco, Juniper, or edgeos let us know that, and perhaps even post the config that works with that vendor's kit. Many people here have worked with multiple vendors, and a config is a compact way to transfer a lot of details.

The above information is important because if you want the best performance, you want hardware switching to be used by the bridge.

I don't think you should be using multiple bridges, ROS will allow you to shoot yourself in the foot, there are many fewer rules than other vendors impose; that makes it easy to configure non-optimal configurations.

Review the official documentation. Bridge VLAN Filtering It is technical, but if you have worked with vlans on other equipment, it is understandable. What I don't know is if the new bridge way of configuring things will work well on the RB850Gx2. Hopefully someone that has more ROS experience will let you know.
I found this RouterOS bridge mysteries explained helpful too.

Also, since I am pretty green in ROS, other members with more experience will hopefully correct me, if any of the info I assert here is incorrect. I want to learn too.

Read this MUM presention slide set: Playing with RouterOS's VLANs By Lorenzo Busatti But this is from 2019, and slide 51 states: "currently only CRS3xx series devices are capable of using bridge VLAN filtering and hardware offloading at the same time."

I know that v7.2rc4 supports both vlan filtering and hardware offloading on the RB750gr3 and RB760iGS (hEX) see Very slow intervlan routing but I don't know about the Atheros8327 chip used in the RB850Gx2. I am new to ROS, and only have 1 RB760iGS in a lab environment. I understand more about the way the ER-X works than the hEX S, but I am learning more and more about the ROS way to do things.

Here's another MUM presentaion from 2019 showing how it could be done with the Atheros8327 switch ASIC
RouterOS bridge/switch configuration changes and possibilities in latest RouterOS versions? by Péter Major

I don't know if this is still required or not to get hardware offloading, and you would want hardware offloading if you have two ports on the RB850Gx2 with the same vlan (the port connected to the Cisco switch and the Unifi Access point).

Also, here is the block diagram of the RB850GX2

Since your router has the ability to have a dedicated CPU connection to ether1, you should leave that out of the bridge, and use is only for your internet connection.

You should be able to do everything you want with a single bridge. bridge ports correspond to the physical ports labeled ether2...ether5). You can configure different bridge ports differently; some as hybrid, some as tagged only trunks, some as access ports. But you will need to enable vlan-filtering, which is the setting that makes the switch vlan-aware.

/interface bridge port is where you describe how you want received ethernet frames to be handled (on the ports connected to the switch block). This will associate each received frame with a single vlan, or reject and drop it. If an untagged frame is received, and not specifically rejected by the setting of frame-types by admit-only-vlan-tagged, then the frame will be classified as belonging in the vlan specified by the Port Vlan ID (PVID), otherwise if the frame has an explicit IEEE 802.1Q tag, then that tag will specify the vlan the received frame will be classified as. (your frame filtering frame-type choices are: admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged; Default: admit-all).

/interface bridge vlan ties vlan-ids to interfaces, and specifies whether that vlan-id will be tagged or untagged on egress from the port on the switch block. My understanding of the "bridge interface vlan", when specifying the bridge itself as the member, is how the two ports connected to the "internal trunk" between the routing block and the switch block will be configured. When adding a vlan that you want the routing block to have access to, you need to add the bridge to the interface list, and it should be a tagged "vlan" in almost every case, if you don't know why, assume it will be tagged. Note that if the bridge interface is not included for the vlan-id, there will be no connection between the routing block and the switch block for that vlan. This can be a valid configuration, for example if you want L2 switching to occur between multiple bridge ports, but don't want the router/firewall/dhcp/etc to be connected to that vlan in any way. You don't specify pvid here, that is specified in the /interface bridge port section. But if you specified a pvid in the bridge port section, ROS will treat the vlan on that bridge port as untagged for egress, but you can explicitly specify this in the config to make it more obvious.

The /interface vlan is the routing engine's "Layer 3 connection" to the vlan on the router's internal trunk port internally connected to another base interface. That's the interface that the ip address, firewall, dhcp server, etc. will be associated with.

ocgltd · Fri Mar 11, 2022 4:26 pm

@Buckeye - I've been studying the info you sent, but I'll start with answers to your questions:

Cisco default VLAN is set to 1. I *thought* that is different from 'untagged vlan'...which I thought mean no tag, but as I learn more I'm seeing some documentation that seems to treat vlan 1 as untagged. A bit confusin.

On the MT my 172.31.234.0/24 subnet is "untagged". So my cisco switch sends untagged as well as tagged traffic to the MT over a trunk port. I was expecting VLAN 30 on any port to magically bridge to VLAN 30 on any other MT port.

I'm using a RB850Gx2 with latest firmware (7.1.3)

I'm trying to ignore the other aspects of the network for now. I have a Ubiquiti AP with 2 SSIDs which send tagged (VLAN 40) and untagged to my MT port ether3. For now I have just configured VLAN40 to be a simple guest network which routes out Ether1 (to cablemodem). And that actually working great. Completion isolation between networks, tagged & untagged coming in ether3, etc.

My problem is when I turn on hotspot. I have setup hotspot on multiple MT's and it's pretty straight forward. But when I add the hotspot feature (to my VLAN40 interface) then VLAN40 traffic never gets passed the MT. The MT sees the guest connect, gives it an IP from the guest pool, but DNS lookup fails, ping to MT fails, and the guest can't even browse to the MT hotspot login page. Everything times out.

That's where my problem began, and it was suggested that the problem was related to my VLAN config, firewall rules, etc. Yet I've now confirmed all works fine WITHOUT the hotspot....so not sure where to look.

Maybe something is not quite right with my VLAN/ether3 configuration that the MT forgives, but breaks when hotspot is enabled. Happy to most anything you need.

tdw · Fri Mar 11, 2022 5:26 pm

Cisco default VLAN is set to 1. I *thought* that is different from 'untagged vlan'...which I thought mean no tag

Untagged does indeed mean there is no VLAN tag and therefore no VLAN ID.

but as I learn more I'm seeing some documentation that seems to treat vlan 1 as untagged.

It depends on the hardware and the vendor. For example some switch chips have no concept of untagged so on ingress a VLAN tag and ID, most commonly 1 as this is the first valid value, has to be inserted to the packet, and on egress VLAN tags with this ID are removed from the packet.

I was expecting VLAN 30 on any port to magically bridge to VLAN 30 on any other MT port.

No. If the ports are not part of the same layer 2 / ethernet domain, i.e. in a bridge, there is no connection. An /interface vlan is merely a shim which inserts a VLAN tage and ID in one direction and removes them in the other.

My problem is when I turn on hotspot. I have setup hotspot on multiple MT's and it's pretty straight forward. But when I add the hotspot feature (to my VLAN40 interface) then VLAN40 traffic never gets passed the MT. The MT sees the guest connect, gives it an IP from the guest pool, but DNS lookup fails, ping to MT fails, and the guest can't even browse to the MT hotspot login page. Everything times out.
Maybe something is not quite right with my VLAN/ether3 configuration that the MT forgives, but breaks when hotspot is enabled.

Post your configuration. You should have a single VLAN-aware bridge, the port connected to the Ubiquiti AP configured as hybrid, the interface VLAN specified as the hotspot interface. We do this frequently without any issue, it may of course be a bug in RouterOS v7

ocgltd · Fri Mar 11, 2022 6:49 pm

Can I export only certain sections of interest you need to see? (I have lots of firewall rules collected over time that may not be relevant, PPP tunnels, etc)

tdw · Sat Mar 12, 2022 3:55 am

The majority of /interface (you can omit inbound/outbound tunnels) and /ip hotspot. As you have connectivity without the hotspot enabled it is unlikely to be anything in /ip address or /ip dhcp-server, but it could still be something in /ip firewall filter especially if you have many rules.

As suggested previously it could be RouterOS v7, there are certainly others with issues viewtopic.php?t=182805 and viewtopic.php?p=914469 for example.

Buckeye · Sat Mar 12, 2022 5:07 am

My problem is when I turn on hotspot. I have setup hotspot on multiple MT's and it's pretty straight forward. But when I add the hotspot feature (to my VLAN40 interface) then VLAN40 traffic never gets passed the MT. The MT sees the guest connect, gives it an IP from the guest pool, but DNS lookup fails, ping to MT fails, and the guest can't even browse to the MT hotspot login page. Everything times out.

Make sure the problem isn't the firewall.
When I first started playing with the RB760iGS (hEX S) vlans, I created a vlan and dhcp server, and I could connect a PC to the port, and get an ip address, but I couldn't do anything else. Ping didn't work, no access to the hEX S, etc.
The problem was that I had forgotten to add the vlan interface to the LAN list (you may have some other name, but your trusted list used in your firewall). So it is as it the dhcp server can see traffic before it gets filtered by the firewall. At least that's the easiest way for me to explain the behavior I saw.
For example, what do you get from the
/interfaces list member print
command?

ocgltd · Sat Mar 12, 2022 4:27 pm

If I turn hotspot off all traffic routes perfectly, so I *assume* the problem is not firewall rule related.

Your experience (with no traffic through the MT) sounds very similar to mine. I have to admit I dont understand what the /interface>list command really controls. I read the wiki (https://wiki.mikrotik.com/wiki/Manual:Interface/List) and it sounds like this is for Winbox connectivity and neighbour discovery.

However, you may be on to something...my list shows:

Columns: LIST, INTERFACE
 # LIST        INTERFACE            
 0 discover    ether1-external      
 1 discover    bridge-internal      
 2 discover    ether3-internal-slave
 3 discover    ether4-ata           
 4 discover    ether5-unused        
 5 mactel      bridge-internal      
 6 mactel      ether3-internal-slave
 7 mactel      ether4-ata           
 8 mac-winbox  bridge-internal      
 9 mactel      ether5-unused        
10 mac-winbox  ether3-internal-slave
11 mac-winbox  ether4-ata           
12 mac-winbox  ether5-unused

So there are no VLAN interfaces list...should there be? And if I add VLAN40 interface to this list what am I accomplishing from a traffic flow perspective? When I try to add an interface to the list my choices are for Discovery / MacTel / MacWinbox...nothing that sounds traffic flow related.

Buckeye · Sun Mar 13, 2022 8:53 am

Cisco default VLAN is set to 1. I *thought* that is different from 'untagged vlan'...which I thought mean no tag, but as I learn more I'm seeing some documentation that seems to treat vlan 1 as untagged. A bit confusin.

This probably won't clear up the confusion, but reading it can help insomnia.

The Cisco Default VLAN is just the VLAN id that a port's PVID is set to if one is not explicitly set (ether by native vlan when Trunk port, or access vlan when an Access port).
This is an old 2003 version of the IEEE 802.1Q spec in pdf format. Worth the download. It is still reasonably accurate, but not light reading.

Note that the IEEE 802.1Q spec has no mention of a "switch" only "bridge". A switch is a hardware implementation of a bridge.

Here is what it says about vlan 1 under reserved vlans (table 9-2 on page 86). Nothing more other than it is the default PVID. Nothing about "synonymous with untagged".
1 The default PVID value used for classifying frames on ingress through a Bridge Port. The PVID value of a Port can be changed by management.

11.2.1.3 Use of the PVID and VID Set
The initial state of the Permanent Database contains a Static VLAN Registration Entry for the Default
PVID, in which the Port Map indicates Registration Fixed on all Ports. This ensures that in the default state,
where the value of every PVID of each Port is the Default PVID and where the VID Set of each Port is
empty, membership of the Default PVID is propagated across the Bridged LAN to all other GVRP-aware
devices. Subsequent management action may change both the Permanent Database and the Filtering
Database in order to modify or remove this initial setting, and may change the PVID and/or VID Set value(s)
on any Port of the Bridge.
NOTE—In the absence of any modification of these initial settings, this ensures that connectivity is established across
the Bridged LAN for the VLAN corresponding to the Default PVID.

Here's where "default state" is described:
12.10.1.5 Reset VLAN Bridge
12.10.1.5.1 Purpose
To reset all statically configured VLAN-related information in the Bridge to its default state. This operation
a) Deletes all VLAN Configuration managed objects;
b) Resets the PVID associated with each Bridge Port to the Default PVID value (Table 9-2);
c) Removes all entries in the Protocol Group Database and removes all members of the VID Set on
each port, for a Bridge that supports Port-and-Protocol-based VLAN classification;
d) Resets the Acceptable Frame Types parameter value associated with each Port to the default value
(8.4.3).

My summary: In factory reset default condition, all ports of a switch are set to access ports in vlan 1.

Buckeye · Sun Mar 13, 2022 10:55 am

If I turn hotspot off all traffic routes perfectly, so I *assume* the problem is not firewall rule related.

Your experience (with no traffic through the MT) sounds very similar to mine. I have to admit I dont understand what the /interface>list command really controls. I read the wiki (https://wiki.mikrotik.com/wiki/Manual:Interface/List) and it sounds like this is for Winbox connectivity and neighbour discovery.

However, you may be on to something...my list shows:
Code: Select all
Columns: LIST, INTERFACE
 # LIST        INTERFACE            
 0 discover    ether1-external      
 1 discover    bridge-internal      
 2 discover    ether3-internal-slave
 3 discover    ether4-ata           
 4 discover    ether5-unused        
 5 mactel      bridge-internal      
 6 mactel      ether3-internal-slave
 7 mactel      ether4-ata           
 8 mac-winbox  bridge-internal      
 9 mactel      ether5-unused        
10 mac-winbox  ether3-internal-slave
11 mac-winbox  ether4-ata           
12 mac-winbox  ether5-unused   
So there are no VLAN interfaces list...should there be? And if I add VLAN40 interface to this list what am I accomplishing from a traffic flow perspective? When I try to add an interface to the list my choices are for Discovery / MacTel / MacWinbox...nothing that sounds traffic flow related.

One thing I noticed from the names is that it appears you are using interface names that suggest you are using the "switch method" instead of the bridge method. From the "ether3-internal-slave" name. Was your config auto converted from v6.xx

I started with the default config (created by a default script) not from the quick set (maybe they are the same, I don't know enough to say yet). But it created a config with all ports in the bridge, with vlan-filtering disabled. I removed ether5 from the bridge and added an ip address, and created a dhcp server, but I forgot to add ether5 to the LAN list, and the default firewall prevented me from accessing the port, but my PC still obtained an ip address via dhcp. So it seems that dhcp is able to receive requests that are not enabled

I have a dhcp server on a Ubiquiti ER-X lab router hanging out addresses in 192.168.241.0/24 and connected to untagged 241 on ER-X switch-port eth3 connected untagged vlan 241 on hEX S ether3 (part of bridge BR-SW). I am able to get an ip address via dhcp from the ER-X (currently the only connection is via the hEX S ether3 to ER-X eth3 patch cable. I am getting to the hEX S with winbox routing through the ER-X.

Here's my export terse hide-sensitive followed by my lab ER-X config. I am not sure if it is safe to post software id and serial number, so I removed those.

The extra interface list members I added so they would be treated like the BR-SW (the name of my bridge device) interface by the firewall:
/interface list member add interface=ether5-off_bridge_wrk list=LAN
/interface list member add interface=vlan10 list=LAN
/interface list member add interface=vlan241 list=LAN

Note: following config edited: 2022-03-13 20:00 EDT to correct (removed the red part) in the following:
/interface bridge vlan add bridge=BR-SW tagged=BR-SW untagged=ether2-BR-SW-Base-U1,ether4-BR-SW_U10_T241 vlan-ids=10
to
/interface bridge vlan add bridge=BR-SW tagged=BR-SW untagged=ether4-BR-SW_U10_T241 vlan-ids=10
That must have been a copy/paste error when I was adding vlan 10 "connection"

[demo@MikroTik] > export terse hide-sensitive 
# mar/13/2022 03:34:32 by RouterOS 7.2rc4
# software id = 
#
# model = RB760iGS
# serial number = 
/interface bridge add admin-mac=DC:2C:6E:CA:FE:F2 auto-mac=no comment=defconf name=BR-SW vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] name=ether1-WAN
/interface ethernet set [ find default-name=ether2 ] name=ether2-BR-SW-Base-U1
/interface ethernet set [ find default-name=ether3 ] name=ether3-BR-SW-U241
/interface ethernet set [ find default-name=ether4 ] name=ether4-BR-SW_U10_T241
/interface ethernet set [ find default-name=ether5 ] name=ether5-off_bridge_wrk
/interface vlan add interface=BR-SW name=vlan10 vlan-id=10
/interface vlan add interface=BR-SW name=vlan241 vlan-id=241
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=dhcp_pool1 ranges=192.168.89.100-192.168.89.199
/ip dhcp-server add address-pool=default-dhcp interface=BR-SW name=defconf
/ip dhcp-server add address-pool=dhcp_pool1 interface=ether5-off_bridge_wrk name=dhcp1
/port set 0 name=serial0
/interface bridge port add bridge=BR-SW comment=defconf interface=ether2-BR-SW-Base-U1
/interface bridge port add bridge=BR-SW comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3-BR-SW-U241 pvid=241
/interface bridge port add bridge=BR-SW comment=defconf interface=ether4-BR-SW_U10_T241 pvid=10
/interface bridge port add bridge=BR-SW comment=defconf interface=sfp1
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface bridge vlan add bridge=BR-SW tagged=BR-SW,ether4-BR-SW_U10_T241 untagged=ether3-BR-SW-U241 vlan-ids=241
/interface bridge vlan add bridge=BR-SW tagged=BR-SW untagged=ether4-BR-SW_U10_T241 vlan-ids=10
/interface list member add comment=defconf interface=BR-SW list=LAN
/interface list member add comment=defconf interface=ether1-WAN list=WAN
/interface list member add interface=ether5-off_bridge_wrk list=LAN
/interface list member add interface=vlan10 list=LAN
/interface list member add interface=vlan241 list=LAN
/ip address add address=192.168.88.1/24 comment=defconf interface=BR-SW network=192.168.88.0
/ip address add address=192.168.89.1/24 interface=ether5-off_bridge_wrk network=192.168.89.0
/ip dhcp-client add comment=defconf interface=ether1-WAN
/ip dhcp-client add interface=vlan10
/ip dhcp-client add interface=vlan241
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dhcp-server network add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock set time-zone-name=America/New_York
/system package update set channel=testing
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
[demo@MikroTik] > ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK        INTERFACE            
;;; defconf
0   192.168.88.1/24    192.168.88.0   BR-SW                
1   192.168.89.1/24    192.168.89.0   ether5-off_bridge_wrk
2 D 192.168.241.94/24  192.168.241.0  vlan241              
[demo@MikroTik] > ip route/print 
Flags: D - DYNAMIC; I, A - ACTIVE; c, d, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS       GATEWAY                DISTANCE
DAd  0.0.0.0/0         192.168.241.1                 1
DAc  192.168.88.0/24   BR-SW                         0
DIcH 192.168.89.0/24   ether5-off_bridge_wrk         0
DAc  192.168.241.0/24  vlan241                       0
[demo@MikroTik] > interface/bridge/print
Flags: X - disabled, R - running 
 0 R ;;; defconf
     name="BR-SW" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto mac-address=DC:2C:6E:7B:10:F2 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=DC:2C:6E:7B:10:F2 
     ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=yes dhcp-snooping=no 
[demo@MikroTik] > interface bridge port print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#    INTERFACE              BRIDGE  HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
;;; defconf
0 IH ether2-BR-SW-Base-U1   BR-SW   yes     1  0x80             10                  10  none   
;;; defconf
1  H ether3-BR-SW-U241      BR-SW   yes   241  0x80             10                  10  none   
;;; defconf
2 IH ether4-BR-SW_U10_T241  BR-SW   yes    10  0x80             10                  10  none   
;;; defconf
3 I  sfp1                   BR-SW   yes     1  0x80             10                  10  none   


[b]Lab ER-X config[/b]

ubnt@ubnt:~$ show configuration | cat
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group Pingers {
            address 192.168.0.0/16
            description "allow ping echo request from"
        }
        address-group RFC1918 {
            address 192.168.0.0/16
            address 172.16.0.0/12
            address 10.0.0.0/8
            description "private addresses"
        }
    }
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow Pingers to request echo"
            icmp {
                type 8
            }
            log disable
            protocol icmp
            source {
                group {
                    address-group Pingers
                }
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description Internet
        duplex auto
        speed auto
    }
    ethernet eth1 {
        description "Local 2"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
                vlan {
                    pvid 101
                    vid 107
                    vid 241
                }
            }
            interface eth2 {
                vlan {
                    pvid 7
                    vid 10
                }
            }
            interface eth3 {
                vlan {
                    pvid 241
                }
            }
            interface eth4 {
                vlan {
                    pvid 10
                    vid 241
                }
            }
            vlan-aware enable
        }
        vif 7 {
            address 192.168.247.1/24
            description "192.168.247.0/24 vlan"
            mtu 1500
        }
        vif 10 {
            address 192.168.249.1/24
            description VLAN10
            ip {
            }
        }
        vif 101 {
            address dhcp
            description "WAN on Switch0.101 native"
            firewall {
                in {
                    ipv6-name WANv6_IN
                    name WAN_IN
                }
                local {
                    ipv6-name WANv6_LOCAL
                    name WAN_LOCAL
                }
            }
            ipv6 {
                dup-addr-detect-transmits 1
            }
        }
        vif 107 {
            address dhcp
            description IoT
            mtu 1500
        }
        vif 241 {
            address 192.168.241.1/24
            description was_eth1.241
        }
        vif 243 {
            address 192.168.243.1/24
            description was_eth2
            mtu 1500
        }
        vif 245 {
            address 192.168.245.1/24
            description "was switch0"
            mtu 1500
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.243.0/24 {
                default-router 192.168.243.1
                dns-server 192.168.243.1
                lease 86400
                start 192.168.243.38 {
                    stop 192.168.243.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.245.0/24 {
                default-router 192.168.245.1
                dns-server 192.168.245.1
                lease 86400
                start 192.168.245.38 {
                    stop 192.168.245.243
                }
            }
        }
        shared-network-name VLAN7 {
            authoritative enable
            subnet 192.168.247.0/24 {
                default-router 192.168.247.1
                dns-server 192.168.247.1
                lease 86400
                start 192.168.247.10 {
                    stop 192.168.247.199
                }
            }
        }
        shared-network-name VLAN10 {
            authoritative enable
            subnet 192.168.249.0/24 {
                default-router 192.168.249.1
                dns-server 192.168.249.1
                lease 86400
                start 192.168.249.10 {
                    stop 192.168.249.199
                }
            }
        }
        shared-network-name was_eth1.241 {
            authoritative enable
            subnet 192.168.241.0/24 {
                default-router 192.168.241.1
                dns-server 192.168.241.1
                lease 86400
                start 192.168.241.10 {
                    stop 192.168.241.200
                }
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0.10
            listen-on switch0.7
            listen-on switch0.241
            listen-on switch0.243
            listen-on switch0.245
            listen-on switch0.247
            listen-on switch0.249
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface switch0.101
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
    }
}
system {
    analytics-handler {
        send-analytics-report false
    }
    crash-handler {
        send-crash-report false
    }
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
ubnt@ubnt:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [210/0] via 192.168.107.1, switch0.107
     *>           [210/0] via 192.168.101.1, switch0.101
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 192.168.101.0/24 is directly connected, switch0.101
C    *> 192.168.107.0/24 is directly connected, switch0.107
C    *> 192.168.241.0/24 is directly connected, switch0.241
C    *> 192.168.243.0/24 is directly connected, switch0.243
C    *> 192.168.245.0/24 is directly connected, switch0.245
C    *> 192.168.247.0/24 is directly connected, switch0.7
C    *> 192.168.249.0/24 is directly connected, switch0.10
ubnt@ubnt:~$ show dhcp leases
IP address      Hardware Address   Lease expiration     Pool       Client Name
----------      ----------------   ----------------     ----       -----------
192.168.241.94  dc:2c:6e:ca:fe:f2  2022/03/14 07:23:14  was_eth1.241 MikroTik
192.168.241.95  dc:a6:32:de:ad:39  2022/03/13 22:07:42  was_eth1.241 JonRPi4B4-1
192.168.247.10  8c:ae:4c:be:ef:e8  2022/03/14 07:25:07  VLAN7      OP380
ubnt@ubnt:~$

ocgltd · Sun Mar 13, 2022 5:03 pm

I didn't set this MT up initially, but I suspect it went through at least one major RoS upgrade, that may explain naming.

I don't have a LAN or WAN lists, but it looks like those are used in your firewall rules. I could create a LAN interface list, but I don't think that will help...because my firewall rules are already setup using bridge name and port names.

Zacharias · Sun Mar 13, 2022 7:46 pm

@mkx, reading your post, i tried to visualize the Tagged and Untagged End...
If i understood correctly, you name Tagged end, the Interface used under /Interface VLAN ?
And Untagged End the IP address Interface ?

Buckeye · Mon Mar 14, 2022 5:26 am

@mkx, reading your post, i tried to visualize the Tagged and Untagged End...
If i understood correctly, you name Tagged end, the Interface used under /Interface VLAN ?
And Untagged End the IP address Interface ?

I'm not @mkx, but here's my understanding. If it isn't correct, someone can correct me.

From the Linux point of view, this is what makes an interface "vlan-aware", and the name is the interface representing the vlan, and the vlan interface will be IEEE 802.1Q tagged (tagged when leaving/egressing, untagged when entering/ingressing) the "linux" interface.

But when using an /interface vlan with a bridge interface in vlan-filtering mode, it isn't that simple. What it represents is the CPU routing engine's "connection" to the specified vlan on the bridge(switch). Whether that vlan is tagged or untagged on the bridge-port depends on both the /interface bridge port and /interface bridge vlan settings. The /interface bridge vlan command is quite overloaded. I have included an annotated extract with my current interpretation.

My understanding is that you name the vlan connection to the switch. You don't have direct physical access to either side of the interface, it's the CPU end of the "internal" trunk link going to the switch. It's the same vlan whether it is tagged or untagged when it egresses or ingresses any bridge-port associated with the vlan. My limited understanding is that the linux kernel expects what it receives to be in Ethernet II (DIX) format, i.e. it expects the 2 octet field following the src mac address in the frame to have the ethertype associated with the data, e.g. 0x0800 for ip, not the ethertype 0x8100 that is the Tag protocol identifier (TPID).

Here is my current interpretation:

Here's an extract from my config in this post with my comments in red below the MikroTik commands they refer to.

# mar/13/2022 03:34:32 by RouterOS 7.2rc4
# model = RB760iGS
/interface bridge add admin-mac=DC:2C:6E:CA:FE:F2 auto-mac=no comment=defconf name=BR-SW vlan-filtering=yes
the above creates the vlan-aware bridge and names it BR-SW. PVID 1 is implicit, I assume that is also true for the internal trunk link between the CPU and switch, i.e vlan 1 traverses the CPU-switch internal trunk "untagged"
/interface ethernet set [ find default-name=ether2 ] name=ether2-BR-SW-Base-U1
this names the ether2 port ether2-BR-SW-Base-U1 because I intend this port to be an access port for the base bridge interface (which has default PVID 1)
/interface ethernet set [ find default-name=ether3 ] name=ether3-BR-SW-U241
this names the ether3 port ether3-BR-SW-U241 because I intend this port to be an access port for vlan 241
/interface ethernet set [ find default-name=ether4 ] name=ether4-BR-SW_U10_T241
this names the ether4 port ether4-BR-SW_U10_T241 because I intend this to be a "hybrid" port with native (untagged) vlan 10, and tagged vlan 241
/interface vlan add interface=BR-SW name=vlan10 vlan-id=10
This creates a new vlan "shim" interface for the the CPU's "connection" to vlan 10 on the BR-SW bridge over the "internal" trunk link between the CPU and switch (bridge), and the bridge (switch) facing side will be IEEE 802.1Q tagged with vlan 10
/interface vlan add interface=BR-SW name=vlan241 vlan-id=241
This creates a new vlan "shim" interface for the the CPU's "connection" to vlan 241 on the BR-SW bridge over the "internal" trunk link between the CPU and switch (bridge), and the bridge (switch) facing side will be IEEE 802.1Q tagged with vlan 241
/interface bridge port add bridge=BR-SW comment=defconf interface=ether2-BR-SW-Base-U1
This sets the ingress rules for bridge-port ether2-BR-SW-Base-U1 connected to the base BR-SW (implicitly PVID 1); at least this is my current understanding. Perhaps it should filter frame types to admit-only-untagged-and-priority-tagged, I didn't change this, it was part of the default config.
/interface bridge port add bridge=BR-SW comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3-BR-SW-U241 pvid=241
This sets the "ingress" rules for bridge-port ether3-BR-SW-U241; it only accepts untagged ethernet frames, and classifies them as members of vlan 241 in the bridge
/interface bridge port add bridge=BR-SW comment=defconf interface=ether4-BR-SW_U10_T241 pvid=10
This sets the "ingress" rules for bridge-port ether4-BR-SW_U10_T241; it accepts all ethernet frames, and classifies untagged frames as members of vlan 10 in the bridge
/interface bridge vlan add bridge=BR-SW tagged=BR-SW,ether4-BR-SW_U10_T241 untagged=ether3-BR-SW-U241 vlan-ids=241
This sets the egress tagging status for all ports that are members of vlan 241. the tagged=BR-SW sets the CPU facing internal trunk port link on the bridge side to tagged, so it will match the tagged vlan interface connection from the CPU side of the internal trunk link created by the /interface vlan add interface=BR-SW name=vlan241 vlan-id=241 command above. The tagged=ether4-BR-SW_U10_T241 part is setting the egress rule for vlan 241 when it leaves ether4-BR-SW_U10_T241. The untagged=ether3-BR-SW-U241 tells it to send vlan 241 traffic untagged from ether3-BR-SW-U241. vlan-ids=241 tells it what vlans are involved. Recommendation, put only one vlan-id here*.
/interface bridge vlan add bridge=BR-SW tagged=BR-SW untagged=ether4-BR-SW_U10_T241 vlan-ids=10
This sets the egress tagging status for all ports that are members of vlan 10. The tagged=BR-SW sets the CPU facing internal trunk port link on the bridge side to tagged, so it will match the tagged vlan interface connection from the CPU side of the internal trunk link created by the /interface vlan add interface=BR-SW name=vlan10 vlan-id=10 command above. The untagged=ether4-BR-SW_U10_T241 tells it to send vlan 10 traffic untagged from ether4-BR-SW_U10_T241. vlan-ids=10 tells it what vlans are involved. Recommendation, put only one vlan-id here*.

* It isn't a hard requirement, but if you don't know why you should not put more than one, just use one vlan-id in the vlan-ids list in /interfaces bridge vlan add bridge command. Most configs won't have so many vlans that it will be much extra work adding them, and it can eliminate hard to debug problems. For more details about why see the help article VLAN filtering with simplified bridge VLAN table

Here's a Linux Journal article VLAN Support in Linux that covers what the vlan package "shim" does to allow the linux kernel to deal with a canonical format, but send tagged data on the port/wire that the parent base interface is using for untagged data.

An electrical analogy would be a "voltage level shifter". Older microcontrollers (e.g. AVR/Arduino) used 5VDC as logic level 1 and 0VDC as logic level 0. The current "standard" is 3.3V logic, and connecting a sensor that is designed for 5V with a 3.3V microcontroller requires something to change the voltage from 3.3V on the microcontroller side to 5V on the sensor side, and visa-versa. (similar to a transformer in an AC circuit). So in this analogy, you could think of 5V as tagged, and 3.3V as untagged, but the signal (e.g. TX) is still the same (this signal is like the vlan, it's the same data, just in different format) But analogy's can only go so far...

Zacharias · Mon Mar 14, 2022 3:19 pm

Thanks for answering..,
My question is mostly related to what @mkx names as Tagged end and Untagged end...

As far as i know, when you set an interface with a VID under /interface vlan then looking at the packet flow photo
https://help.mikrotik.com/docs/display/ ... adedPacket

Traffic eggressing from the Routing Engine, Switch-CPU Port, towards the Physical-Out interface gets Tagged with the VID specified in /interface VLAN.
And traffic ingressing through the Physical In-Interface targetting the CPU gets Untagged.

tdw · Mon Mar 14, 2022 5:00 pm

No. Looking at https://help.mikrotik.com/docs/display/ ... lowDiagram and with /interface vlan interface=ether1 name=vlan2-ether1 vlan-id=2 as an example:

When a packet tagged with VLAN ID 2 arrives via ether1 the flow is
In-interface bridge port? No
MPLS traffic? No
IPv4 or IPv6 traffic? No
Decapsulate? Yes
At this point as the packet matches interface=ether1 and vlan-id=2 the tag is removed from the packet and presented on the logical interface vlan2-ether1 at which point the packet flow processing begins again.

mkx · Mon Mar 14, 2022 7:02 pm

My question is mostly related to what @mkx names as Tagged end and Untagged end...

I don't think that diagram you linked in your post has anything to do with vlan interfaces. These are pretty simple without too much logic.

Let's consider a simple scenario: we're looking at router on a stick with single interface (e.g. ether1) connected to VLAN-enabled switch. So RJ45-side of interface will carry multiple tagged VLANs (a trunk port if you wish).

Now, for the router to interact with all of VLANs we need a few vlan interfaces, created like this:

/interface vlan
add interface=ether1 name=e1v13 vlan-id=13
add interface=ether1 name=e1v42 vlan-id=42
...

Yes, what I'm calling tagged end is in example above ether1 and the untagged end are e1v13 and e1v42 and ... And in this particular scenario, we would assign IP address (or bind DHCP client or ...) to those untagged ends.

BTW, the linux parallel is even simpler .... if we have an ethernet interface e.g. enp192 which is used as trunk port connected to VLAN-enabled switch, then we configure virtual interfaces with names enp192.13 and enp192.42 etc. These interfaces are exactly the same as vlan interfaces in ROS, only that the names are pretty much pre-defined.

[edit] corrected linux interface names.

Zacharias · Mon Mar 14, 2022 8:51 pm

Probably, i used a wrong diagram indeed...

Thanks @tdw and @mkx for answering...
I was more confused with the terminology Tagged and Untagged Ends the way they were used, but i think i got it...

2 ways to associate bridge and VLAN

2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Re: 2 ways to associate bridge and VLAN

Who is online