Sofware VLAN/Bridge on RuterOS explained.

Jotne · Mon Aug 20, 2018 11:24 am

Software VLAN/Bridge

NB My first post in this thread uses old software VLAN Bridging. Read whole the thread. I may start over with a new thread

I will with this post try to explain how the VLAN tagging and Bridging works within RouterOS.
This is based on Software and no Hardware switching is used.

Background.
I have for some years tried to see how VLAN works on 750Gv3, and was very confused.
1, Change in RouterOS, use of Master Port removed
2. Hardware Switch on 750Gv3 does not support VLAN or maybe it does? (mixed information)

Disclaimer
I may not have understand all correctly, so if some is wrong or it is a better way to do it, please help out and I will edit the post.
I do not explain the configuration behind, just show the connection needed to make this to work.

Example
5 port switch with integrated Wifi

Example.jpg

Port:
1. WAN
2. Trunkport with VLAN 1 as untagged and VLAN 20 and 30 as tagged
3. Untagged VLAN 20
4. Untagged VLAN 1
5. Q-in-Q VLAN 40 and 50 are transported over tagged VLAN 30

VLAN
1. Default home VLAN
20. Guest VLAN
30. Neighbor VLAN
40. Test VLAN
50. Hotspot VLAN

WLAN
1. Home_Wifi (Home network)
30. Guest_Wifi (Guest network)
50. Hotspot Wifi (Uses MikroTik hotspot function. User can be on Router, or external Radius server)
It does not explain hotspot, just show how its connected.

RuterOS setup

MikroTik Software VLAN.jpg

Explanation:
Orange/Red line, separates the different modules used in RouterOS (configure paged)
Red line helps to identify need of Bridge or not.

Information: What is the use on the drawing:
* Interface:
Physical or Virtual interfaces,
Configured GUI: "Interface->Interface" Cli "/interface"
* Interface/VLAN
This is where VLAN tag is added/removed. Only need this part if you like a port to send/receive tagged VLAN
Configured GUI: "Interface->VLAN" Cli "/interface vlan"
Connects only to interfaces and other Interface/VLAN (VLAN tag)
* Brige/Port
This connects the Interface/VLAN tag to the Bridges
Only needed if Bridge is used.
Configured GUI: "Bridge->Port" Cli "/interface bridge port" (Why this has a different menu structure on GUI vs CLI is some strange. Should be the same)
Connects Interface or Interface/VLAN (VLAN tag) to a Bridge
* Bridge
Used as a hub for connecting multiple stuff togeather
Configured GUI: "Bridge" Cli "/interface bridge" (Why this has a different menu structure on GUI vs CLI is some strange. Should be the same)
Connects to norhing
* Function
These are various Function used to the network (IP/DHCP/Hotspot)
Connects to Bridge or Interface/VLAN (VLAN tag) or Interface (Physical or Virtual)

Text in red is label used in RouterOS

VLAN are not used inside of the RouterOS in the example, it is just added or removed at the port side.
So you can have many different Bridges or network without using VLAN at all. VLAN are only needed when you like to tag a packed (VLAN tagging)

Do I need a Bridge or not?
That depends on the red line.
If you have more than one port physical or virtual that will be using the same network, you need a Bridge.
In the example, you have Homnet (1) on Interface 1,4 and Home-Wifi you need a Bridge.
There are more than one interface connecting lines back through red line using same IP/DHCP etc.
VLAN 40 is only used at port 5 (in a Q-in-Q over VLAN 30) so here is Bridge skipped and IP/DHCP connected to the VLAN tagging of VLAN 40.
If there were a port that do not need VLAN tag, IP/DHCP could be connected all the way to the physical interface.

VLAN tagging
VLAN tag are added to each interface that needs it trough (Interface/VLAN)
If you have several interface that need the same VLAN (example 30), you need one Interface/VLAN tagging for each interface.

Q-in-Q
It done the same way as VLAN tagging, but instead of connecting Interface/VLAN to a port, connect it to a Interface/VLAN tagging function.
VLAN tag 40 and 50 are both connected to VLAN tag 30. VLAN tag 30 is connected to Port 5

PS If you do add IP address to a Bridge or Interface/VLAN (VLAN tag) or Interface (Physical or Virtual), you will get routing between this network and other network you have IP on. To prevent traffic from one net to another use firewall rules.

Hopes this helps some to understand VLAN/Bridges in RouterOS.
Look at this from a graphical point is a much better way to do it.

Jotne · Mon Aug 20, 2018 11:44 am

Same drawing, but separated by different network

VLAN 1

VLAN 1.jpg

.
.
.
VLAN 20

VLAN 20.jpg

.
.
.
VLAN 30

VLAN 30.jpg

.
.
.
VLAN 40

VLAN 40.jpg

.
.
.
VLAN 50

VLAN 50.jpg

sindy · Tue Aug 21, 2018 12:05 am

@Jotne, I am afraid that using one /interface vlan per each physical interface and VLAN ID and bridging them together is a big waste of CPU resources, plus it doesn't work with standard MSTP. What you do is (example for three VLANs on each of three ports)

ascii-art code

                                          bridge-vlan-10 --- (IP configuration)
ether1 ---tagged--- vlan-eth1-10 ---tagless--- |
ether2 ---tagged--- vlan-eth1-10 ---tagless--- |
ether3 ---tagged--- vlan-eth1-10 ---tagless--- |

                                          bridge-vlan-20 --- (IP configuration)
ether1 ---tagged--- vlan-eth1-20 ---tagless--- |
ether2 ---tagged--- vlan-eth1-20 ---tagless--- |
ether3 ---tagged--- vlan-eth1-30 ---tagless--- |

                                          bridge-vlan-30 --- (IP configuration)
ether1 ---tagged--- vlan-eth1-30 ---tagless--- |
ether2 ---tagged--- vlan-eth1-30 ---tagless--- |
ether3 ---tagged--- vlan-eth1-30 ---tagless--- |

So in total you spend 9 /interface vlan and 3 /interface bridge, and you cannot have hybrid ports because if a physical interface is a member port of a bridge, it cannot at the same time serve as a carrier interface for an /interface vlan.

You can get the same effect the 6.41+ way:

ascii-art code

                                        bridge-all-vlans
ether1 ----------------tagged----------------- | ---tagged--- vlan-10 ---tagless--- (IP configuration)
ether2 ----------------tagged----------------- | ---tagged--- vlan-20 ---tagless--- (IP configuration)
ether3 ----------------tagged----------------- | ---tagged--- vlan-30 ---tagless--- (IP configuration)

So you spend just 1 /interface bridge and 3 /interface vlan for the same result, plus you can use MSTP, plus you can specify a pvid (aka default VLAN ID) for each port, so you can use hybrid ports.

Jotne · Tue Aug 21, 2018 9:58 am

Thank you for your feedback. This helps me (and other) to better understand how stuff works

So if I understand your ascii art, it should be some like this:
-

MikroTik Software VLAN Better CPU.jpg

.
.
And if I would like VLAN 1 untagged on Interface 3 and 4, I can not use a Bridge/Port to join Bridge_1 and Bridg_All, so VLAN 1 would need a Bridge/Port to all port where it's needed. Correct? It looks like that Interface/VLAN only add tagged VLAN, so I can not mix Tagged and Untaged VLAN in a Bridge
.

MikroTik Software VLAN Better CPU Vlan1.jpg

sindy · Tue Aug 21, 2018 11:13 am

No. You cannot make a single ether interface a member port of two distinct bridges, so if you want tagless frames from the wire coming from an ether port to get tagged with a particular VID at ingress, you configure that VID as that port's pvid. It matches the switchport trunk native vlan concept of Cisco.

So if my second ascii-art would be modified so that ether1 uses VID 10 in access (tagless on the wire) mode, ether2 uses VID 20 in access mode, and ether3 uses VID 30 in access mode, and the remaining VLANs out of (10, 20, 30) stay tagged (trunk mode) on each port, the whole configuration would be:

/interface bridge
add name=bridge-all-vlans vlan-filtering=yes pvid=1

/interface bridge port
add bridge=bridge-all-vlans interface=ether1 pvid=10
add bridge=bridge-all-vlans interface=ether2 pvid=20
add bridge=bridge-all-vlans interface=ether3 pvid=30

/interface bridge vlan
add bridge=bridge-all-vlans vlan-ids=10 tagged=bridge-all-vlans,ether2,ether3 untagged=ether1
add bridge=bridge-all-vlans vlan-ids=20 tagged=bridge-all-vlans,ether1,ether3 untagged=ether2
add bridge=bridge-all-vlans vlan-ids=30 tagged=bridge-all-vlans,ether1,ether2 untagged=ether3

/interface vlan
add name=vlan-10 interface=bridge-all-vlans vlan-id=10
add name=vlan-20 interface=bridge-all-vlans vlan-id=20
add name=vlan-30 interface=bridge-all-vlans vlan-id=30

What is different as compared to hardware switches from other vendors is that Mikrotik allows you to have tagless frames on the bridge. If the pvid value set in /interface bridge port row matches the pvid of the /interface bridge itself, the tagless packets coming in via that port are not tagged on ingress and make it tagless to the bridge, so you can attach the IP configuration directly to the /interface bridge itself, not to /interface vlan atop that bridge. Which implies that if a frame tagged with VID X arrives to a port with pvid=Y which is a member of bridge with pvid=X, the frame gets untagged on ingress.

Jotne · Tue Aug 21, 2018 11:45 am

I will try to understand you post, but it will take some time

First drawing is correct according to your ascii?
Second one will work? Just better way to do it?

sindy · Tue Aug 21, 2018 12:00 pm

No. My two ASCII-arts were each depicting a different way of implementation. So the lower part of your first drawing is an equivalent of my second one, and the upper part of your first drawing is an augmentation of it by a separate bridge (bridge-1) for a tagless VLAN 1.

Your second drawing contains a conceptual mistake - you cannot make an ethernet port (ether3 and ether4 in your case) simultaneously a member of bridge-all and bridge-1. Each interface can only be a member of a single bridge at a time (unless you put an interface vlan between the interface and the bridge which returns us to my first drawing).

Jotne · Tue Aug 21, 2018 7:58 pm

So if I understand correctly, you need to tell two places that a port uses untagged vlan.
Eks VLAN 20

1. You set PVID 20 for Bridge/Port connecting ether2 and Bridge_all
2. Using Bridge/VLAN add a connection vlan VLAN 20 to Bridge_all and set VLAN 20 as untagged for ether2

Why do you set PVID=1 for Bridge_all when VLAN 1 is not mention anywher in you whole configuration?

Also if I will convert the working config under, how do I add VLAN1 (Interface/Vlan) pointing to the Bridge1 without loosing connection when I do it.

This is the working running config on my 750Gr3.
On port 2 I have a Cisco Switch with units on bot VLAN 1 and 20 all working.
So even if this is not correct, it does work.
.
.

Test1.jpg

sindy · Tue Aug 21, 2018 8:32 pm

So if I understand correctly, you need to tell two places that a port uses untagged vlan.
Eks VLAN 20

1. You set PVID 20 for Bridge/Port connecting ether2 and Bridge_all
2. Using Bridge/VLAN add a connection vlan VLAN 20 to Bridge_all and set VLAN 20 as untagged for ether2

Correct. BTW, I've just noticed today that the name vlan-filtering is a bit misleading (at least to date), because if you want the port to really filter by VLAN ID, you have to set ingress-filtering in both /interface bridge port and /interface bridge to yes, and you cannot actually set filtering on egress. Which has quite surprised me when analyzing whether some other device uses an individual MAC address table for each VLAN or a common one - I've found the Mikrotik to both accept in and foward out an ARP request tagged with a particular VLAN ID through a port on which that VLAN was not permitted. By setting ingress-filtering to yes I could get rid of the loop (STP was intentionally off), but it still means that tagged broadcast frames (e.g. generated internally on /interface vlan) are sent out even via ports on which the VLAN is not permitted.

Why do you set PVID=1 for Bridge_all when VLAN 1 is not mention anywher in you whole configuration?

Mostly to emphasize the interaction between the pvid of the /interface bridge itself and of /interface bridge port. So if you want to avoid surprisingly surprising surprises, make sure that you set the pvid of /interface bridge to a VID which is not used anywhere else

Plus if you don't specify a pvid, the default is 1 at both places, which makes people here (me included) avoid using VLAN 1 in general.

So even if this is not correct, it does work.

What is expressly prohibited is

to make an interface a direct port of two different bridges,
to attach IP configuration to an interface which is a member port of a bridge.

Whether it is OK to make an interface a member port of a bridge and simultaneously an underlying interface of /interface vlan is not clear to me but my feeling is that it may behave funny at some point.

Jotne · Wed Aug 22, 2018 10:15 am

@sindy
Thank you for taking time and help me with this.

I am trying again with an new example.
This is more or less the way you describe it. I do use only one Bridge. Use the Bridge/VLAN to handle the tags. Using PVID to tell what is untagged.
Only exception is VLAN1 that is native all without any tag. I could have use tagging and add a Bridge/VLAN for VLAN1, but that makes a transition from old design to new much more complicated, since it will stop data flowing at one point.

So my question is.
1. Does it look correctly?
2. Why do we have the possibility to use more than one Bridge, when we can do it all with one?
3. MikroTiks example here: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN do use multiple Bridges (bridge-vlan200,bridge-vlan300 etc). Its more like my first post Is this the old way to do it? Also video on Youtube use multiple Bridges: https://www.youtube.com/watch?v=sdyWKOXMjwY
4. What is pluss and minus with the two different approach?
5, Why does not MikroTik update their pages so we know what to use? I did a google search for MikroTik and VLAN and this comes up as hit #1
6. How to handle Q-in-Q with the Bridge/VLAN solution?
7. Since I add IP to an VLAN, it will automatically do routing with other VLAN that has IP, correct?
8. I do need to use FW to block if I would like to prevent some data from one VLAN to another VLAN?
.
.
Green lines untag, red lines tag.
Not easy to get it all in a single drawing without using 3d layer

.

Test 22.08.2018.jpg

sindy · Wed Aug 22, 2018 11:23 am

@sindy
...
So my question is:

Just bear in mind that you're asking a fellow forum user, not a Mikrotik insider.

1. Does it look correctly?

Yes, except that, as you've found out yourself, it is not easy to mix together in 2D a network topology diagram with configuration item overview where two configuration items need to be set in accord so that a node in the network topology would operate correctly. I'm talking here about the /interface bridge port (interface, pvid) and /interface bridge vlan (untagged,vlan-ids) tuples which have to match so that the magic would happen.

So in another words, I know how it works (or at least I believe so), and therefore I was able to check whether the picture contains everything and the elements are properly linked together. But I am far from sure whether I would be able to understand how it works from this picture if I didn't know that in advance.

2. Why do we have the possibility to use more than one Bridge, when we can do it all with one?

Because Flexibility is Mikrotik's second name? Basically there is no reason why it should not be possible to use several independent bridges as long as everything is done in software anyway, and in some cases it may prove useful to have several independent bridges with some VLAN IDs existing on more than one bridge without leaking between each other.

3. MikroTiks example here: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN do use multiple Bridges (bridge-vlan200,bridge-vlan300 etc). Its more like my first post Is this the old way to do it? Also video on Youtube use multiple Bridges: https://www.youtube.com/watch?v=sdyWKOXMjwY

It is the old way to do it before VLAN-aware bridging was introduced in 6.41, and it is still possible and in some cases necessary to do it that way. Both old and new ways are documented, so it is a matter of choice.
Youtube videos are a separate category. I may be rude here but while some videos are made by knowledgeable people who want to share the knowledge in a form comprehensible to wider public, it seems to me that at least the same amount of videos is made by people who aren't able to read and understand more than a few lines of text and are so excited that they have found some way (sometimes an obscure one) how to achieve their goal by try and fail that they feel an urgent need to share that success with the world. And even the good videos remain on youtube years after they've become outdated.

4. What is pluss and minus with the two different approach?

the old approach is easier to diagram in 2D
the configuration is more compact using the new approach
the frame processing should be more efficient using the new approach (no idea whether it is really the case)
things like several SSIDs with individual VLAN ID each are much easier to configure using the new approach
the new approach allows MSTP to work
the old approach gives you higher flexibility in extreme networking cases (QinQinQinQ)

5. Why does not MikroTik update their pages so we know what to use? I did a google search for MikroTik and VLAN and this comes up as hit #1

I'm afraid it is not a question for me but for Mikrotik and Google. The most clicked search results get offered higher in the list, which makes them most clicked, which makes them... unless someone actively prevents that.

6. How to handle Q-in-Q with the Bridge/VLAN solution?

I'm afraid that this is exactly one of the cases where you have to combine the approaches. Both methods of tagging/untagging (/interface bridge port pvid with /interface bridge vlan on one hand and /interface vlan on the other) handle only one tag at a time (although reportedly, until recently there was a bug removing all tags in a single step).
Here is an example of extreme networking which clearly illustrates where the older approach remains necessary while combining it with the newer one saves some typing and CPU.

7. Since I add IP to an VLAN, it will automatically do routing with other VLAN that has IP, correct?
8. I do need to use FW to block if I would like to prevent some data from one VLAN to another VLAN?

To be precise, you don't add an IP to a VLAN, you add it to an interface whose media layer is incidentally a VLAN. So yes, unless you use firewall rules preventing that, any "connected subnet" (which is any subnet which contains an IP address assigned to a local interface) is included into routing automatically. But here we are getting into the L3 universe, so it is irrelevant whether old or new way of configuring VLANs is used.

Jotne · Wed Aug 22, 2018 12:03 pm

wow, thanks again for your detailed response with welt of knowledge.
You are my man

When posting VLAN etc, it should be clearly shown that its for before 6.41 or after...
I may start a new thread with some good graphical example, since edit this may be complicated with alle the comments.
If you look at the last drawing everything should be self explained.
First line, where its found in GUI/CLI
Tekst in red, name of the config entry (This also messes with my mind, since some have name and other does not have. Eks Bridg/Port vs Interface/Vlan)
Rest is connections + info
Also the different path in GUI and in CLI makes it more complicated to make good documentation.
Eks in GUI you find Interface and Bridges as two different main category. In CLI Bridges are found under Interfaces???

Then the last topic, hardware switching. How does it connects all this together?? (Switch Chip Features)
To make i more complicated some supports it, some does some of it, some not, some may come with support later.
Eks 750Gr3 has switch chip, but does not support VLAN. Some place MT inform that it may come later.
The cheap 942-2nd with Atheros 8227 do support Switch Chip VLAN

Hopefully MikroTik reads these posts and will try to make documentation better and config more equal everywhere

sindy · Wed Aug 22, 2018 1:00 pm

I may start a new thread with some good graphical example, since edit this may be complicated with alle the comments.

You may, but then google will return both and people will get confused again. I'd recommend to edit the original post of this topic with a link to the one which has the most up to date version.

If you look at the last drawing everything should be self explained.

I strongly prefer to split the layers. The first, simpler one should show how it works and how the executive elements are linked together, and another one should add the translation of that information into configuration elements and their parameters. As you cannot post pictures with layers which could be enabled and disabled, I'd post one picture with only the network topology layer and another one with both.

Then the last topic, hardware switching. How does it connects all this together?? (Switch Chip Features)

Start reading from here, there is also something regarding the switch chips.

Jotne · Wed Aug 22, 2018 1:05 pm

As you cannot post pictures with layers which could be enabled and disabled, I'd post one picture with only the network topology layer and another one with both.

Not easy to post a visible drawing, but I think I can convert Visio that I am using to PDF with layer.
I know that PDF do support layers that can be turned on/off.

An animated GIF would drive people crazy when try to look at it

Jotne · Wed Aug 22, 2018 9:39 pm

/interface bridge
add name=bridge-all-vlans vlan-filtering=yes pvid=1

Hi

For some reason I do not get IP on VLAN 20 that I have tagged on port 2.
But when I set vlan-filtering=no everything works.
Any Idea?

sindy · Wed Aug 22, 2018 10:02 pm

None without seeing the configuration export.

Jotne · Wed Aug 22, 2018 10:43 pm

Here is the interface configuration (eth3 is used for test only)

/interface bridge
add admin-mac=6C:3B:6B:AA:34:3F auto-mac=no name=Bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
set [ find default-name=ether2 ] name=ether2-Cisco
set [ find default-name=ether4 ] name=ether4-Server1
set [ find default-name=ether5 ] name=ether5-Server2
/interface vlan
add interface=Bridge1 name=Tag20->Bridge1 vlan-id=20
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface bridge port
add bridge=Bridge1 interface=ether3 pvid=20
add bridge=Bridge1 interface=ether4-Server1
add bridge=Bridge1 interface=ether5-Server2
add bridge=Bridge1 interface=ether2-Cisco
/interface bridge vlan
add bridge=Bridge1 tagged=ether2-Cisco untagged=ether3 vlan-ids=20
/interface list member
add interface=Bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4-Server1 list=discover
add interface=ether5-Server2 list=discover
add list=discover
add interface=Bridge1 list=mactel

sindy · Wed Aug 22, 2018 10:55 pm

Got it, in the /interface bridge vlan, the bridge itself must be listed in the tagged list if /interface vlan or anything else on the CPU (like a wireless interface) should have access to the bridge.

Jotne · Thu Aug 23, 2018 8:44 am

So this should be changed from:

/interface bridge vlan
add bridge=Bridge1 tagged=ether2-Cisco untagged=ether3 vlan-ids=20

to:

/interface bridge vlan
add bridge=Bridge1 tagged=ether2-C3560CX,Bridge1 untagged=ether3 vlan-ids=20

.
And this changed from:

/interface bridge
add admin-mac=6C:3B:6B:AA:34:3F auto-mac=no name=Bridge1 protocol-mode=none

to:

/interface bridge
add admin-mac=6C:3B:6B:88:34:3F auto-mac=no name=Bridge1 protocol-mode=none vlan-filtering=yes

sindy · Thu Aug 23, 2018 8:53 am

Jotne · Thu Aug 23, 2018 8:58 am

Thanks again.

It seems to work fine without the last changes, so did I break some with it?

Will try to make a Visio with some layer to handle it:

Test15.jpg

PS, just found another great pluss doing it this way with the new bridge implementation (>=6.41).
If you need more that one VLAN tagged on port with old solution, you need one Bridg/Port pr VLAN.
With Bridge/VLAN you can specify ranges of VLAN like this:

vlan-ids=100-115,120,122,128-130

sindy · Thu Aug 23, 2018 11:14 am

It seems to work fine without the last changes, so did I break some with it?

Are you sure it really does? Without vlan-filtering=yes, the tagging/untagging on interfaces does not work. So in your case:

tagless frames coming to ether2 and ether4 get in and stay tagless on the Bridge_1 - this is what happens with both settings of vlan-filtering
frames tagged with VID 20 coming to ether2 get in and stay tagged, so the tagged side of /interface vlan vlan-id=20 receives them tagged - this is what happens with both settings of vlan-filtering
tagless frames on ether3 get tagless to bridge, but once they are in, I suspect they are handled at L3 anyway - so it works differently than you expect
tagged frames sent from the IP address associated to /interface vlan vlan-id=20 get remain tagged as they leave via ether3, but if a Windows machine is connected to that interface, it untags them on reception because that's how most Windows network interface drivers work - so it works differently than you expect

Sniffing packets on ether3 into files with vlan-filtering=yes and vlan-filtering=no (on the Mikrotik, not on the connected PC because there you would see the VLAN tags already stripped) and opening those files using Wireshark should show you the difference.

With Bridge/VLAN you can specify ranges of VLAN like this:
Code: Select all
vlan-ids=100-115,120,122,128-130

This is an advantage if you care about vlan filtering as such, i.e. when you want to drop ingress frames whose VID is not permitted on the ingress port. If you don't, frames tagged with any VID are forwarded between all member ports of a bridge if vlan-filtering=no.

tippenring · Thu Aug 23, 2018 10:53 pm

I just want to comment to thank you both. I'm thoroughly enjoying this discussion.

I too have been plagued by the variables of interface, bridge, vlan, and switch configurations when implementing VLANs. This discussion is definitely helping me understand it better.

k6ccc · Fri Aug 24, 2018 1:39 am

Yes, thank you both for the education. I didn't really need it, but it was interesting. I have a different solution. I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port. Never does any LAN or VLAN appear on more than one physical port. Each port in turn connects to a port of a managed switch (CSS326-24G-2S).

mkx · Fri Aug 24, 2018 7:46 am

I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port.

The same exercise is needed when configuring RB running ROS if that RB is to be used as smart switch. Not that I would recommend that since HW offload is disabled and all traffic is dealt with by CPU.

k6ccc · Fri Aug 24, 2018 8:16 am

I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port.
The same exercise is needed when configuring RB running ROS if that RB is to be used as smart switch. Not that I would recommend that since HW offload is disabled and all traffic is dealt with by CPU.

As I said, the two routers are only used as routers. All switch functions are handled by the CSS326.

With that said, the education in this thread was very interesting. thank you!

huntah · Sat Aug 25, 2018 12:11 pm

Very nice post but one thing is missing,
Final configuration export with your last picture..

mozerd · Sat Aug 25, 2018 3:33 pm

Absolutely great THREAD.-- Thanks to:
@Jotne
@sindy

IMO, @k6ccc approach is the one that I would encourage most to follow -- in that way YOU are maximizing value and performance consistently.

I use routers EXCLUSIVELY as routers and switches as switches.
Each port of my routers is either a single LAN or a VLAN trunk port.
Never does any LAN or VLAN appear on more than one physical port.
Each port in turn connects to a port of a managed switch (CSS326-24G-2S).

IMO, the biggest improvement -- performance wise -- that MikroTik could add to [RouterOS] for the hEX and for hAPac2 is to to incorporate fq_codel and/or WireGuard

ashpri · Wed Oct 17, 2018 4:42 pm

What a great thread. I hope my revival of it is relevant.

I am failing in trying to set the new way of vlan bridging. I have followed your guide and this https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs (v6.41+ way of vlan bridging).

The problem is this code.

/ip dhcp-server
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20

My DHCP Server when assigned to a VLAN interface returns an error "Cannot run DHCP Server on Slave Interface", and disables itself. I am running ROS v6.43.2.

zz1.png

What am I doing wrong?

------

The is the overall code as instructed in the mikrotik wiki, to save you time from loading the link.

/interface vlan
add interface=ether1 name=VLAN10 vlan-id=10
add interface=ether1 name=VLAN20 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20

/ip pool
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254

/ip dhcp-server
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1

------

This is my code, I've followed the guide and your posts as closely as I can. There is nothing in my code that is different than the wiki. I find it hard to swallow that the wiki is incorrect. It must be somewhere in my setting.

/interface vlan
add interface="wlan2 - 5g" name="VL 201 Guest" vlan-id=201
add interface="wlan2 - 5g" name="VL 202 Fam" vlan-id=202
add interface="wlan2 - 5g" name="VL 203 Kids" vlan-id=203
add interface="wlan2 - 5g" name="VL 204 Office" vlan-id=204
add interface="wlan2 - 5g" name="VL 205 Staff" vlan-id=205

/ip address
add address=192.168.88.1/24 comment="Default Config" interface=ether2-master network=192.168.88.0
add address=192.168.201.1/24 interface="VL 201 Guest" network=192.168.201.0
add address=192.168.202.1/24 interface="VL 202 Fam" network=192.168.202.0
add address=192.168.203.1/24 interface="VL 203 Kids" network=192.168.203.0
add address=192.168.204.1/24 interface="VL 204 Office" network=192.168.204.0
add address=192.168.205.1/24 interface="VL 205 Staff" network=192.168.205.0

/ip pool
add name="Pool - Default" ranges=192.168.88.100-192.168.88.199
add name="Pool - 201 Guest" ranges=192.168.201.100-192.168.201.199
add name="Pool - 202 Fam" ranges=192.168.202.100-192.168.202.199
add name="Pool - 203 Kids" ranges=192.168.203.100-192.168.203.199
add name="Pool - 204 Office" ranges=192.168.204.100-192.168.204.199
add name="Pool - 205 Staff" ranges=192.168.205.100-192.168.205.199

/ip dhcp-server
add address-pool="Pool - Default" disabled=no interface=bridge1 name="DHCP Server 1 - Default"
add address-pool="Pool - 202 Fam" interface="VL 202 Fam" name="DHCP Server 2 - Fam"
add address-pool="Pool - 201 Guest" interface="VL 201 Guest" name="DHCP Server 3 - Guest"
add address-pool="Pool - 203 Kids" interface="VL 203 Kids" name="DHCP Server 4 - Kids"
add address-pool="Pool - 204 Office" interface="VL 204 Office" name="DHCP Server 5 - Office"
add address-pool="Pool - 205 Staff" interface="VL 205 Staff" name="DHCP Server 7 - Staff"

/ip dhcp-server network
add address=192.168.88.0/24 comment="Default Config" dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
add address=192.168.201.0/24 gateway=192.168.201.1 netmask=24
add address=192.168.202.0/24 gateway=192.168.202.1 netmask=24
add address=192.168.203.0/24 gateway=192.168.203.1 netmask=24
add address=192.168.204.0/24 gateway=192.168.204.1 netmask=24
add address=192.168.205.0/24 gateway=192.168.205.1 netmask=24

/interface bridge port
add bridge=bridge1 comment="Default Config" interface=ether2-master
add bridge=bridge1 comment="Default Config" interface="wlan1 - 2.4g"
add bridge=bridge1 comment="Default Config" interface="wlan2 - 5g"
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface="VL 201 Guest"
add bridge=bridge1 interface="VL 202 Fam"
add bridge=bridge1 interface="VL 203 Kids"
add bridge=bridge1 interface="VL 204 Office"
add bridge=bridge1 interface="VL 205 Staff"

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

----

Update: I found my mistake. The VLAN interface cannot be a member of bridge1. The following code should be deleted.

add bridge=bridge1 interface="VL 201 Guest"
add bridge=bridge1 interface="VL 202 Fam"
add bridge=bridge1 interface="VL 203 Kids"
add bridge=bridge1 interface="VL 204 Office"
add bridge=bridge1 interface="VL 205 Staff"

I won't delete my post to bump this thread. Kudos to a great thread.

I've just locked myself out of my hap-ac2 by tagging the wrong vlan to the wrong interface and I've had to hard reset the unit. Coming from unifi where vlan setup and switch deployment across the enterprise are but a few clicks away, I feel like I'm into some hardcore S&M shit with Mikrotik (I'm perversely enjoying it).

sindy · Wed Oct 17, 2018 5:42 pm

Using the Safe Mode button in Winbox/WebGUI or Ctrl-X in CLI lowers the levels of adrenaline very significantly.

anav · Tue Nov 06, 2018 7:16 pm

Using the Safe Mode button in Winbox/WebGUI or Ctrl-X in CLI lowers the levels of adrenaline very significantly.

Amen to that brother, and keeps the family from tearing strips of ones hide!!

anav · Tue Nov 06, 2018 11:13 pm

Hi asphri........
Regarding your post........
The plan falls apart at the getgo, you only need one bridge.
It appears that you have two bridges, the first named Bridge1 and the second inferred from /Interface Vlan - "wlan2 - 5g"

There I recommend to keep it simple
Use Bridge1 only and this changes your /interface VLAN as follows:

***STOP**** Put your router in SAFE MODE

/interface vlan
add interface="Bridge1" name="VL 201 Guest" vlan-id=201
add interface="Bridge1" name="VL 202 Fam" vlan-id=202
add interface="Bridge1" name="VL 203 Kids" vlan-id=203
add interface="Bridge1" name="VL 204 Office" vlan-id=204
add interface="Bridge1" name="VL 205 Staff" vlan-id=205

Remember here is where we create vlans and associate the VLANs to the bridge.

This problem really rears its ugly head at this step.
/interface bridge port.

To recap when selecting the Bridge Menu, one can ignore the first Bridge Tab, the default tab when selecting Bridge from the left hand menu in WInbox (unless need to create a new bridge or delete one etc.) The order being, hit the ports tab first, the vlan tab second and then come back to the bridge tab on the bridge menu.

Bridge Ports are where you add physical ports to the correct Bridge and you DO NOT associate here VLANs to the bridge (that is what the VLAN tab is for).

Therefore it should look like this
/interface bridge port
add bridge=bridge1 comment="Default Config" interface=ether2-master
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

Note: If you wanted a separate LAN, lets say a DMZ you could put it on ether 4 and not on the bridge and you would eliminate it under bridge ports.
Similarly you should note that no WAN interfaces belong here either (for normal setups).

Next, you need to delineate the VLAN TAB
This feels like to me almost like assigning the Bridge to be like a trunk of sorts.
At least in Winbox you select doubleclick on the name of your bridge and fill out the menu from top to bottom:
Bridge: Correct Bridge (already filled in cause you clicked on it)
VLan IDs: Add a separate line for each VLANID in your case 5 separate entries.
Tagged {Entities}: Add a separate line for each one, meaning any physical port that is carrying at least one VLAN s and the bridge itself in your case Bridge1 and most likely ether2-5
Done!

Now you can go back to the First Bridge Tab, double click on the bridge name again and from that popup menu select a new/different VLAN TAB;

STOP **** Ensure SAFE MODE IS ON!!

SImply check VLAN filtering to apply the rules entered thus far.

You dont mention /interface list and what I do is
lan - bridge (includes the bridge and all ethernet interfaces you have already associated to the bridge)
lan -ether4 (for an example if running a separate lan like a dmz off that port)
lan - vlan1
lan - vlan2
etc.
wan - isp1
wan - isp (if you have two isps for example)

Since the lan interface is useful in firewall rules its good to have the entries here.

I think that covers most of it.

Oh one more thing this setting/text makes no sense to me because I dont see them on my rsc files nor are they visible in winbox.

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

eddieb · Thu Jan 17, 2019 10:46 am

Still trying to figure this out.
Is it possible to post a small working example ?

mkx · Thu Jan 17, 2019 12:32 pm

Still trying to figure this out.
Is it possible to post a small working example ?

We can create one. You have honour of supplying description of a simple scenario.

dohmniq · Tue Jan 22, 2019 2:43 pm

Also checking in as someone who is struggling to get VLANs working.

My use-case is trying to isolate traffic from a virtual wireless interface, with separate box for WAN.
How do people create pretty network diagrams?

box-1:

wireless interface "wlan" for 'normal' non-vlan, untagged, etc. wireless usage
virtual wireless interface "wlan-guest" with vlan-id=50 and vlan-mode=use-tag
ether1 goes to box-2
ether2 and ether3 for 'normal' non-vlan, untagged, etc. wired usage

box-2:

wireless interface "wlan" for 'normal' non-vlan, untagged, etc. wireless usage
ether1 goes to box-1
ether2 and ether3 for 'normal' non-vlan, untagged, etc. wired usage
SFP WAN port for internet

Assumptions:

normal users are all on one big LAN 10.0.1.0/24 and can ping each other, even across box-1/box-2, and can access internet
"guest" users are on 192.168.50.0/24, can't ever talk to normal users, but can access internet
box-2 is DHCP server for 10.0.1.0/24, i.e. normal users
box-2 does NAT from 10.0.1.0/24 and 192.168.50.0/24 to internet
internet traffic is vlan-less/untagged
RouterOS 6.43.8

Questions:

the cable between box-1 and box-2 would have vlan-less, untagged traffic for normal users, and vlan-50-tagged traffic for guest users?
is possible to have box-1 do DHCP for guest users? (seems the intuitive choice to me)
how does box-2 tag and route 192.168.50.0/24 traffic to box-1?

mkx · Tue Jan 22, 2019 2:55 pm

How do people create pretty network diagrams?

@Jotne uses Visio. Others use ASCII art (and lots of imagination)

Questions:

the cable between box-1 and box-2 would have vlan-less, untagged traffic for normal users, and vlan-50-tagged traffic for guest users?

is possible to have box-1 do DHCP for guest users? (seems the intuitive choice to me)

how does box-2 tag and route 192.168.50.0/24 traffic to box-1?

Yes.
Either of boxes could do. I'd keep high-level config to single box (box-2 in this case) just to have configuration in single place.
Plus: if DHCP server for guest VLAN is on box-2, then box-1 (management part of it) is not exposed to guests at all. If box-1 would have IP interface for guest network, you'd have to take care not to route between the both interfaces (I assume you want box-1 to have IP connectivity in normal LAN), so you'd have to maintain two firewalls...
It doesn't route, it uses VLAN tags, switch makes sure packets arrive at desired destination. To make it work, VAP needs to be tagged and the trunk port towards box-2 as well (in addition to untagged). On box-2, trunk port towards box-1 needs same config as trunk port on box-1, then box-1 needs a vlan interface for tagged traffic ... which is where L3 routing/firewalling starts to happen. And DHCP server for guest VLAN (if you kept it on box-1, that one would need a vlan interface as well, with IP address from guest address space, etc.)

jrbenito · Tue Jan 22, 2019 2:57 pm

Hi,

Amazing discussion. Thanks!

BRs,
Benito

anav · Tue Jan 22, 2019 3:07 pm

How do people create pretty network diagrams?

I noted on one thread a person posted this link to a diagram maker.........
https://www.draw.io/

anav · Tue Jan 22, 2019 3:11 pm

Also checking in as someone who is struggling to get VLANs working.

My use-case is trying to isolate traffic from a virtual wireless interface, with separate box for WAN.

I pretty much have a similar setup.
ROUTER - to managed switch to CapAC (accesspoint which can tag traffic))
SAME ROUTER - to unmanaged switch to CapAC

On each cap I run two chains the first 2.4ghz on a VLAN for smart devices
On each cap I run the second chain 5Ghz (no vlan) for house users
On each cap I run a virtual WLAN off the 5Ghz network ON a VLAN for guest users.

dohmniq · Tue Jan 22, 2019 5:40 pm

Thanks for the quick reply!

how does box-2 tag and route 192.168.50.0/24 traffic to box-1?

It doesn't route, it uses VLAN tags, switch makes sure packets arrive at desired destination. To make it work, VAP needs to be tagged and the trunk port towards box-2 as well (in addition to untagged). On box-2, trunk port towards box-1 needs same config as trunk port on box-1, then box-1 needs a vlan interface for tagged traffic ... which is where L3 routing/firewalling starts to happen. And DHCP server for guest VLAN (if you kept it on box-1, that one would need a vlan interface as well, with IP address from guest address space, etc.)

I'm confused about "vlan interfaces" and bridge vlan filtering. I thought "vlan interfaces" are the old-school way of doing things and bridge vlan filtering is what we're supposed to use instead?

So now on box-1:
I don't have any vlan interfaces but simply added all my interfaces (ether1-3, wlan & guest-wlan) as ports to one massive bridge
So I did: /int bridge port add interface=guest-wlan pvid=50 so that untagged packets arriving over the air (ingress) are assigned to vlan 50
And: /int bridge vlan add bridge=massive-bridge vlan-ids=50 untagged=guest-wlan tagged=ether1 so vlan 50 packets are tagged on egress out of ether1 and untagged on egress out of guest-wlan

On box-2:
I seem to need a vlan interface for the DHCP-server's "interface" and somewhere for the bridge vlan filtering to send de-tagged packets to.
So: /int vlan add name=guest-vlan interface=ether1 vlan-id=50
and: /int bridge vlan bridge=bridge1 vlan-ids=50 tagged=ether1 untagged=guest-vlan
and guest-wlan DHCP works fine now!

My last hurdle is that no traffic flows from guest-vlan on box-2 to internet.
Guest-wlan packets seem to be translated by NAT and flow out of the WAN port.
Replies arrive at the WAN port, are translated back to 192.168.50.x but then don't go anywhere?

If I look at packets captured by /tool sniffer then outbound packets flow ether1 -> guest-vlan -> wan(with src-ip changed)
but inbound packets do wan -> wan again (with src-ip now 192.168.50.x) -> nothing else

What do I need to do to get the inbound packets forwarded via box-2's ether1 to box-1?
The guest's MAC address is listed in /int bridge host print on box-1 but not on box-2

I tried add guest-vlan as a bridge port on box-2 (with pvid=50) but that breaks DHCP because the server cannot run on a slave interface.
Can't move DHCP to box-1 (with VAP) because of the same DHCP-on-slave-vlan-interface issue.

So I'm stuck right now - any ideas?

sindy · Tue Jan 22, 2019 6:40 pm

A "vlan interface" can be seen as a virtual switch/bridge port which untags frames as it receives them from the bridge and tags them as it sends them to the bridge. So it is necessary for L3 access to its respective VLAN in both the "old school" and "new school" approach.

However, in the "old school" approach, there was no way to control which ports of a bridge can be used for ingress and egress of particular VLAN, so if you wanted to do that, you needed to use one bridge per VLAN, attach one vlan interface to each Ethernet interface on which that VLAN should be permitted to egress and ingress, and bridge the tagless sides of the vlan interfaces. With the "new school", you only need vlan interface for the L3 access to the VLAN; membership of Ethernet ports of the same bridge in individual VLANs can be controlled using vlan filtering.

dohmniq · Tue Jan 22, 2019 7:35 pm

A "vlan interface" can be seen as a virtual switch/bridge port which untags frames as it receives them from the bridge and tags them as it sends them to the bridge. So it is necessary for L3 access to its respective VLAN in both the "old school" and "new school" approach.

However, in the "old school" approach, there was no way to control which ports of a bridge can be used for ingress and egress of particular VLAN, so if you wanted to do that, you needed to use one bridge per VLAN, attach one vlan interface to each Ethernet interface on which that VLAN should be permitted to egress and ingress, and bridge the tagless sides of the vlan interfaces. With the "new school", you only need vlan interface for the L3 access to the VLAN; membership of Ethernet ports of the same bridge in individual VLANs can be controlled using vlan filtering.

OK, I guess this explains why I need a "vlan interface" and why I don't add it to bridge ports.

Any ideas as to why inbound internet packets are lost after de-NAT?

mkx · Tue Jan 22, 2019 10:30 pm

Config on box-1 seems mostly fine (perhaps set vlan-filtering=yes on massive-bridge). Although the more usual way would be to set vlan-mode=yes vlan-id=50 on guest-wlan and have guest-wlan as tagged member of massive-bridge (along with ether1 as you already have it)...

Config on box-2 is all messed up. The "new school" way would be something like this:

/interface bridge port
add bridge=bridge interface=ether1
#and all other LAN ports
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge vlan-ids=50
/interface vlan
add name=guest-vlan interface=bridge vlan-id=50
/interface bridge
set [ find name=bridge ] vlan-filtering=yes

All guest-vlan IP config (router's address, DHCP server, ...) goes on guest-vlan interface.

As to the guest internet access ... some NAT or firewall filter rule might ve misplaced. If you post that part of config we can have a look ...

dohmniq · Wed Jan 23, 2019 10:00 am

With box-1 I went with using bridge vlan filtering. I did start out with vlan-mode=use-tag vlan-id=50 on the virtual wireless interface but with bridge vlan filtering it's 'all in one place'.

On box-2 the configuration has eventually ended up pretty much how you just described! Understanding the "vlan interface" was the key issue for me and I really recommend looking through
Layer2 misconfiguration manual, especially the VLAN entries, as that solved and clarified some behaviours for me.

On the guest-internet issue, after some searching I came across a technique someone posted that used firewall mangle rules to set a 'connection-mark' and 'routing-mark' on the way out, so that the replies could be corrected routed/forwarded matching the same mark on arrival from the internet:

/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=Guest-mark passthrough=yes src-address=192.168.50.0/24
add action=mark-routing chain=prerouting connection-mark=Guest-mark new-routing-mark=Guest-mark passthrough=yes

/ip route
add distance=1 dst-address=192.168.50.0/24 gateway=Guest-vlan routing-mark=Guest-mark

I'm still not sure why the NAT/firewall engine can't do this by itself but it does work!

Thanks for all your help and may other vlan pilgrims seek (quicker) enlightenment from this thread!

mkx · Wed Jan 23, 2019 12:11 pm

On the guest-internet issue, after some searching I came across a technique someone posted that used firewall mangle rules to set a 'connection-mark' and 'routing-mark' on the way out, so that the replies could be corrected routed/forwarded matching the same mark on arrival from the internet:

Generally RB has no problem routing/masquerading several LAN subnets to single WAN interface without any "manual" mangling ... all that without fear that some traffic might get mis-routed. The code you posted seem overly complicated for the task you need to perform.

The only thing to care about, when having several LAN subnets, is proper separation between subnets and that's easy to achieve using a few simple firewall rules.

My real-life example: I've got 3 subnets (LAN, guest and IPTV), all runing over same physical infrastructure but using different VLANs.

/interface vlan
add interface=bridge name=vlan-40 vlan-id=40
add interface=bridge name=vlan-41 vlan-id=41
add interface=bridge name=vlan-42 vlan-id=42
/interface list member
add interface=vlan-40 list=IPTV
add interface=vlan-41 list=guest
add interface=vlan-42 list=LAN
add interface=pppoe1-out list=WAN
/ip firewall filter
# The first one takes care about "return" traffic ... masqueraded on the way out
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="allow connections from guest to WAN" in-interface-list=guest out-interface-list=WAN
add action=drop chain=forward comment="drop connections from guest to anywhere else" in-interface-list=guest
add action=accept chain=forward comment="allow connections from IPTV to WAN" in-interface-list=IPTV out-interface-list=WAN
add action=drop chain=forward comment="drop connections from IPTV to anywhere else" in-interface-list=IPTV
add action=drop chain=forward comment="drop connections from MGMT to WAN" in-interface-list=MGMT out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

sindy · Wed Jan 23, 2019 12:53 pm

I wonder whether use of routing-marks is not the poison rather than the cure? If you assign routing-marks, you have to take realize that they override even dynamically created routes to connected networks which are always (unless you use vrf!) created in the default routing table (named "main"), so these routes are not used if a different routing-mark is assigned to the packet and any route matching the destination prefix and bearing that other routing mark exists. So you have to either assign routing-marks only to LAN->WAN packets, or to use routing rules to force the routing-mark assigned by mangle rule back to "main" for packets with dst-address of local LANs. If you didn't use routing marks before, and if you have no IPsec policies there, the reason why the response packets get lost must be something else.

anav · Wed Jan 23, 2019 2:12 pm

Mkx,
Why not
allow LAN to WAN
allow VLANX to WAN
drop all else

You seem to have to many separate drop rules LOL.

mkx · Wed Jan 23, 2019 6:05 pm

Why not
allow LAN to WAN
allow VLANX to WAN
drop all else

Was thinking about that but decided to do it like this in case I decide to allow some other cross connectivity. But yes, your suggestion has its merits.

anav · Wed Jan 23, 2019 8:35 pm

Why not
allow LAN to WAN
allow VLANX to WAN
drop all else
Was thinking about that but decided to do it like this in case I decide to allow some other cross connectivity. But yes, your suggestion has its merits.

Ahh yes, to handle that I make up different ip firewall address lists and add those to existing rules with the concept that players and devices may change but the rules are generally more static.
Like access to a shared printer on a different VLAN for example.

user8FJHFKFG8 · Wed Apr 17, 2019 2:39 pm

Yes, thank you both for the education. I didn't really need it, but it was interesting. I have a different solution. I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port. Never does any LAN or VLAN appear on more than one physical port. Each port in turn connects to a port of a managed switch (CSS326-24G-2S).

I have only just understood what you actually meant by this. The only point of the new VLAN filtering method is to specifically allow hardware switching on a bridge interface. Only useful when you want to create a layer 2 bridge for VLANS on different hardware ports, as in a managed switch. There is no benefit in this outside of using ports on your router like a switch without involving the CPU. i.e. doing the job of a managed switch. So I might as well revert to having my VLANS as slaves to my hardware port, where I can firewall them by interface rather than just IP, let my router be a router...

jvak · Fri Jun 07, 2019 9:41 am

Hello,

am new in VLAN solution on mikrotik and i have some problem with it

if someone could help me it will awsome
that solution kind of works....i can get to cameras but i cannot reach that mikrotik am working at, i cant connect there by winbox or even ping doesnt work
there is my setup

# model = 960PGS
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] poe-out=forced-on
set [ find default-name=ether3 ] poe-out=forced-on
set [ find default-name=ether4 ] poe-out=forced-on
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=sfp1 pvid=247
add bridge=bridge1 interface=ether2 pvid=81
add bridge=bridge1 interface=ether3 pvid=81
add bridge=bridge1 interface=ether4 pvid=81
add bridge=bridge1 interface=ether5 pvid=249
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=sfp1 untagged=ether2,ether3,ether4 vlan-ids=81
add bridge=bridge1 tagged=sfp1,ether5 vlan-ids=249
add bridge=bridge1 tagged=sfp1 untagged=ether5 vlan-ids=247
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.22.247.3/24 interface=sfp1 network=10.22.247.0
/ip route
add distance=1 gateway=10.22.247.254

Bez názvu-1.jpg

thank you

sindy · Sat Jun 08, 2019 4:13 pm

There is a conceptual mistake in what you do. You can either have the tagged end of /interface vlan vlan-id=247 attached to the bridge, and in that case sfp1 can be a member port of that bridge, or you can attach the tagged end of /interface vlan vlan-id=247 directly to sfp1, but in that case sfp1 cannot be a member port of a bridge. The same applies if you attach an IP configuration - if you attach it directly to an interface, that interface cannot be a member port of any bridge. RouterOS will not eject a hand and slap you in the face but it won't work properly.

Plus on the picture you declare VLAN 247 to be tagged on sfp1 but your configuration attempts to have it tagless there and also to have it tagless at ether5 (in another way) whereas the picture does't show it at all.

So first review one more time the actual requirements and maybe fix the picture to express them, and then we can suggest a setup to fulfil those requirements.

anav · Sat Jun 08, 2019 7:47 pm

Suggest you have a good read (at least twice through this thread and examples to get a good understanding).
viewtopic.php?f=13&t=143620

Once you understand then the wiki here will be more useful and if
you have a special case need for a hybrid port, then look at the fourth diagram on this post:
viewtopic.php?f=13&t=143620

wtfover · Sun Aug 11, 2019 9:19 pm

Amazing thread. Hopefully I'll be successful today. I'm surprised my router has not caught fire due to all of the configuration resets I've done in the last 24 hours.

rex2005 · Sat Sep 07, 2019 12:03 pm

Hi

I tryed for a few days now and ute not that simple like än D-Link smart switch have reseted my routers so the reset button is soon used up

Try to do config like this

Router 1 hAP Main router "WAN to lan on vlan 100"
-------
Eth1 <- WAN in
Eth2 -> LAN out "untag vlan 100"
Eth3 -> IPTV "untag vlan 200"
Eth4 -> IPTV "untag vlan 200"
Ett5 <-> vlan trunk 100,200

SXTsq bridge 1
-----
Eth1 <-> vlan trunk 100,200
Wlan1 <-> vlan trunk 100,200
VEth -> LAN out "untag vlan 100"

SXTsq bridge 2
-----
Eth1 <-> vlan trunk 100,200
Wlan1 <-> vlan trunk 100,200
VEth -> LAN out "untag vlan 100"

Router 2 hAP as switch
Eth1 -> LAN out "untag vlan 100"
Eth2 -> LAN out "untag vlan 100"
Eth3 -> LAN out "untag vlan 100"
Eth4 -> IPTV "untag vlan 200"
Eth5 <-> vlan trunk 100,200

I want IPTV and LAN to be isolated and virtual Ethernet in bridges to get reachable from LAN vlan 100.

I tryed everything i could get from this thread but locked me out every time some way.

Mvh Tim

mkx · Sat Sep 07, 2019 2:56 pm

When you start to mess with L2 (e.g. VLANs), you really have to be careful not to break your current management connection to device. Always be sure to leave one device with old configuration so you can use one of ports to re-gain connection. And use winbox with MAC connectivity ... it won't help if you cut the L2 (MAC) connectivity, but will help while L3 setup (IP address) doesn't match L2 config.

If you're configuring VLANs using bridge vlan-filtering, it does help if you set things up with vlan-filtering=no. When you think everything is set as it should be, enter safe mode (it's available both in winbox and CLI) and enable vlan-filtering. If you loose connection, setup will revrert to the state before entering safe mode. If connection survives (might take a few seconds to re-establish), exit safe mode and you're done.

rex2005 · Sun Sep 08, 2019 10:16 am

# model = 960PGS
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] poe-out=forced-on
set [ find default-name=ether3 ] poe-out=forced-on
set [ find default-name=ether4 ] poe-out=forced-on
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=sfp1 pvid=247
add bridge=bridge1 interface=ether2 pvid=81
add bridge=bridge1 interface=ether3 pvid=81
add bridge=bridge1 interface=ether4 pvid=81
add bridge=bridge1 interface=ether5 pvid=249
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=sfp1 untagged=ether2,ether3,ether4 vlan-ids=81
add bridge=bridge1 tagged=sfp1,ether5 vlan-ids=249
add bridge=bridge1 tagged=sfp1 untagged=ether5 vlan-ids=247
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.22.247.3/24 interface=sfp1 network=10.22.247.0
/ip route
add distance=1 gateway=10.22.247.254

Bez názvu-1.jpg
thank you

I tryed this but i cant even get connection between ether3 and ether4 thats are on same vlan on same router.
Only port i can reach management is ether5 with MAC style.
To get firewall to work i can add an Virtual Ethernet and make it member of bridge1 pvid 100? Then i could use that way to reach management too?

/interface bridge
add name=bridge1 protocol-mode=RTSP vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=100
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether4 pvid=200
add bridge=bridge1 interface=ether5 pvid=1
/interface bridge vlan
add bridge=bridge1 tagged=ether5 untagged=ether2 vlan-ids=100
add bridge=bridge1 tagged=ether5 untagged=ether3,ether4 vlan-ids=200

//Tim

rex2005 · Sun Sep 08, 2019 11:57 am

Or its it easyer to do the simple VLAN under Switch?

sindy · Sun Sep 08, 2019 12:29 pm

Don't mess with VLANs using /interface ethernet switch until you grasp them under /interface bridge.

First, you cannot attach IP configuration (address, DHCP servers, DHCP clients) to a member port of a bridge. The IP configuration must be attached to the bridge itself or to /interface vlan using that bridge as its underlying interface.

So to fix your configuration, you need
/interface vlan add name=bridge1.247 interface=bridge1 vlan-id=247
/ip address set [find interface=sfp1] interface=bridge1.247

But the above configuration requires vlan-filtering=yes because until you activate it, no tagging and untagging takes place on interfaces. So if connected via sfp1 while vlan-filtering=no, to stay connected, you have to use CLI to do the change: first create the /interface vlan as above, then switch safe mode on, and then place two commands on the same line:
/ip address set [find interface=sfp1] interface=bridge1.247 ; interface bridge set bridge1 vlan-filtering=yes

Next, you have another IP address attached to ether1, but at the same time ether1 is also a member port of bridge1, however it is not stated as a member port of any VLAN.

So if you want to stay connected using that IP subnet and ether1, first move the IP configuration from ether1 to bridge1, still with vlan-filtering=no:
/ip address set [find interface=ether1] interface=bridge1

Then, define the egress handling for ether1:
add /interface bridge vlan add bridge=bridge1 vlan-ids=1 untagged=bridge1,ether1

And after that, you may set vlan-filtering on bridge1 to yes.

andye2004 · Tue Nov 12, 2019 9:58 am

EDIT: Please see my follow-up before spending time on this.

Hi Guys, I'm new around here and hoping for sage advice. Yesterday I took delivery of a RB4011iGS+RM as replacement for a Ubiquiti ERPOE5 and have been slowly working my way through set-up and have run into a VLAN issue. I've read through this whole thread and a number of others (this and this), with this one probably being closest to what I'm trying to do, but I'm still having trouble.

My set-up is pretty simple really, I have the RB4011 eth1 hooked up to WAN, eth9 and eth10 to a pair of Unifi APs, eth7 and eth8 to a pair of dumb switches. The Unifi APs have SSIDs enabled, essentially home and guest with guest using VLAN ID 67. Everything is working as I think it should except the guest wifi has no internet access. Also, when I hook up to the guest wifi I can't ping the DHCP server even though I am getting an IP in the valid range served up.

I'm hoping that whatever is wrong in the config is obvious to someone, even if not to me and I can be pointed in the right direction.

Config:

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge vlan-filtering=yes

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=XXXXXX

/interface vlan
add interface=bridge name=vlan67 vlan-id=67

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="All VLAN interfaces" name=all_vlan

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=192.168.66.50-192.168.66.254
add name=dhcp_vlan67_pool ranges=192.168.67.2-192.168.67.254

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_vlan67_pool disabled=no interface=vlan67 name=dhcp_vlan67

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add interface=*E

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=1
add bridge=bridge tagged=bridge,ether9,ether10 vlan-ids=67

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add comment="Include VLAN 67 in all_vlan" interface=vlan67 list=all_vlan

/ip address
add address=192.168.66.1/24 comment=defconf interface=ether2 network=192.168.66.0
add address=192.168.67.1 interface=vlan67 network=192.168.67.1

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
add comment=defconf dhcp-options=hostname,clientid interface=ether1

/ip dhcp-server lease
add address=192.168.66.10 address-lists=CleanBrowsing comment="Frasers Laptop" mac-address=4C:BB:58:A1:21:DD server=defconf use-src-mac=yes
add address=192.168.66.2 client-id=1:80:2a:a8:c9:8:ff comment="Unifi ACAP Laundry" mac-address=80:2A:A8:C9:08:FF server=defconf
add address=192.168.66.3 client-id=1:78:8a:20:80:47:35 comment="Unifi ACAP Activity" mac-address=78:8A:20:80:47:35 server=defconf

/ip dhcp-server network
add address=192.168.66.0/24 comment=defconf gateway=192.168.66.1 netmask=24
add address=192.168.67.0/24 dns-server=8.8.8.8 gateway=192.168.67.1 netmask=24

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.66.1 comment=defconf name=router.lan

/ip firewall address-list
add address=192.168.66.10 list=CleanBrowsing

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept DHCP requests on VLAN interfaces" dst-port=67 in-interface-list=all_vlan protocol=udp src-port=68
add action=accept chain=input comment="Accept DNS requests (UDP) from VLAN interfaces" dst-port=53 in-interface-list=all_vlan protocol=udp
add action=accept chain=input comment="Accept DNS requests (TCP) from VLAN interfaces" dst-port=53 in-interface-list=all_vlan protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Clean Browsing DNS" dst-port=53 log=yes protocol=udp src-address-list=CleanBrowsing to-addresses=185.228.168.168 to-ports=53
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Clean Browsing DNS" dst-port=53 log=yes protocol=udp src-address-list=CleanBrowsing to-addresses=185.228.168.168 to-ports=53

/system clock
set time-zone-name=Australia/Sydney

/system identity
set name=Mikrotik

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

My config is pretty much out-of-the-box with only the additional things added that I think I need over the next few days as I play and get used to it. The intention is try to get to a place where I have a completely custom config, or at least ready to attempt it on the coming weekend - wish me luck!

Thanks for taking the time to look, I really appreciate any help / advice anyone can offer.

andye2004 · Tue Nov 12, 2019 4:46 pm

Hi Guys, I'm new around here and hoping for sage advice.

Not exactly sage advice, but I managed to work it out. I actually had a couple of issues with one of the addresses, this:

add address=192.168.67.1 interface=vlan67 network=192.168.67.1

should have been:

add address=192.168.67.1/24 interface=vlan67 network=192.168.67.0

I actually thought I'd fixed that about an hour before but I guess I didn't actually save it somehow. Thanks to anyone who might have spent time on this before I posted back but I had to wait until the post was visible before I could respond sensibly.

Gombeen666 · Tue Nov 12, 2019 6:55 pm

My question - Is there a best of both worlds in a mixed L2 bridged with VLAN's and OSPF network, OSPF used for management for now at least until OSPF on our network is more resilient ?
and should the VLAN's be using quote "new school rather than old school approach"

chatravin · Sat Jun 06, 2020 5:10 pm

I want to thank both guys who contributed to progress this forum topic. You saved me (at least) an extra 3 days of searching (i.e. wasting time) and struggling to find my answers from weak, unreliable and incomplete sources. thank you men

LukyCZ · Wed Dec 15, 2021 4:47 pm

Hello I would like to as about Bridge VLAN filtering. Is problem when you change Bridge setting(add new member port) when VLAN filtering is enabled?

sindy · Wed Jan 05, 2022 11:37 am

Is problem when you change Bridge setting(add new member port) when VLAN filtering is enabled?

Adding new member port is normally not a dangerous operation. The only dangerous thing is enabling and disabling vlan-filtering in terms that you may lose management access to the device if said access depends on presence or absence of vlan-filtering.

Dizzydude · Thu Feb 10, 2022 6:51 am

Hi asphri........
Regarding your post........
The plan falls apart at the getgo, you only need one bridge.
It appears that you have two bridges, the first named Bridge1 and the second inferred from /Interface Vlan - "wlan2 - 5g"

Hi anav or anyone else that can kindly help,

Network noob here but I have been doing a ton of research and learning about my MikroTik RB5009 for the past week and have setup my network, but now I'd like to segment it with VLANs. I've leaned on a bunch of resources to learn about them conceptually, including the Wiki Manual, threads on this forum including: viewtopic.php?f=13&t=143620, and videos such as this one https://youtu.be/1ZJ-pM89N7o (which the comments on it subsequently brought me here) but as you know there's a gap between knowledge and understanding, especially when it gets put into practice! Sorry if this is a faux pas to resurrect this thread, but everyone has been explaining things in ways that I understand so I wanted to hitch my wagon to it haha.

I ended up following the steps in the video I shared above to get a VLAN working (some differences such as using LAN since the 5009 doesn't have WiFi) and was happy, until I read the comments in that video and then your comment saying that setting up multiple bridges for each VLAN is not good practice, and everything should go through one bridge. I've been trying to do this but have hit a wall, like asphri, in that I'm not sure where to implement my DHCP server. When I have it set to the Guest-VLAN interface, it is invalid, and if I set it to the bridge it won't let me because I already have a DHCP server there. I'm trying to do everything via WinBox/GUI with no terminal just because it helps me understand concepts and how to do things better with this router, so I'm hoping I can get this working without diving into it. I'm not allergic to code or terminals or anything, I was a front end dev in a past life.

Attached is my basic topology. I'm currently practicing by making a Guest-VLAN, so that's not included in the picture, and there are more devices connected to the router but this gives an idea. I will have a main SSID with no VLAN tagging (basically using default config), a Guest SSID with VLAN tagging, and an IOT SSID with VLAN tagging. Currently I'm just working on Guest and then will copy the steps to do the same for the IOT VLAN.

I've also attached my Interface and DHCP to see where I'm running into issues. If you need any more info, please let me know.

Thanks for your time!

sindy · Mon Feb 14, 2022 3:33 pm

Feel free to use GUI to configure, but show the current configuration in the form of a text export, not as screenshots. The information density per pixel is much worse with screenshots, text search cannot be done, etc.

The "best current practice" is to host each IP subnet in its own VLAN. So if you link a guest SSID to a guest VLAN on the AP, you have to attach the IP address of the router in the guest subnet, as well as the DHCP server for that subnet, to an /interface vlan which is itself linked to the bridge - except if the guest VLAN was the default one of the bridge, which is not your case. Both the bridge (the router-facing port of the virtual switch) and the ethernet interface to which the dumb switch is connected must be tagged members of that VLAN, i.e. they must be on the tagged list of the /interface bridge vlan row for that VLAN.

Just a woe - to me, the GUI actually doesn't help imagine the logical topology any better than the command line interface.

Dizzydude · Mon Feb 14, 2022 4:10 pm

Feel free to use GUI to configure, but show the current configuration in the form of a text export, not as screenshots. The information density per pixel is much worse with screenshots, text search cannot be done, etc.

The "best current practice" is to host each IP subnet in its own VLAN. So if you link a guest SSID to a guest VLAN on the AP, you have to attach the IP address of the router in the guest subnet, as well as the DHCP server for that subnet, to an /interface vlan which is itself linked to the bridge - except if the guest VLAN was the default one of the bridge, which is not your case. Both the bridge (the router-facing port of the virtual switch) and the ethernet interface to which the dumb switch is connected must be tagged members of that VLAN, i.e. they must be on the tagged list of the /interface bridge vlan row for that VLAN.

Just a woe - to me, the GUI actually doesn't help imagine the logical topology any better than the command line interface.

Thank you sindy that clicked with me and I got it working! Makes total sense to me, appreciate the writeup and explanation.

I can definitely see that. I like using the GUI right now because it helps me understand how it fits together visually but have found myself going to the CLI to adjust things since it can be quicker. Thanks again!

ascii-art code

ascii-art code

Who is online