MikroTik

Posted: **Wed Aug 22, 2018 5:51 pm**

Hi,

I have an RB3011 with VLANs on the Switch Chips. I use trunk ports and access ports. The issue I have is with the access ports. When I torch the port, I see some traffic has a vlan tag and other traffic doesn't. All coming from the same client.

Is this a bug, or have I incorrectly configured the access ports?

/interface ethernet switch port
set 1 vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 9 vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether2-uplink,ether5 switch=switch1 vlan-id=30
add independent-learning=no ports=switch2-cpu,ether10 switch=switch2 vlan-id=30
add independent-learning=no ports=switch1-cpu,ether3,ether2-uplink switch=switch1 vlan-id=10
add independent-learning=no ports=switch2-cpu,ether10 switch=switch2 vlan-id=10
add independent-learning=no ports=switch1-cpu,ether2-uplink,ether4 switch=switch1 vlan-id=20
add independent-learning=no ports=switch2-cpu,ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=20
add independent-learning=no ports=switch2-cpu,ether10 switch=switch2 vlan-id=666

Traffic without the VLAN tag is being dropped by the firewall as its being seen as on the bridge interface, not the vlan interface.

I'm running 6.42.7

Thanks
Chris

Posted: **Fri Aug 24, 2018 8:38 pm**

Chris,

You mention bridge but you don't show your /interface export. Could you please add a full export?

Thanks, Alex

Posted: **Wed Oct 17, 2018 11:08 am**

Looks like I have the same or related issue with RB3011: some packets are seemingly coming untagged from an access port, this results in input from the master bridge instead of configured VLAN.

I have switch and interface setup as described in https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip.
ISP is connected to ether2, all internal clients on access switch connected to ether10.
The issue is not observed if ISP is connected thru an access switch on trunk port (ether1).

The config (related part) is:

/interface bridge
add name=bridge-master protocol-mode=none
/interface bridge port
add bridge=bridge-master interface=ether1
add bridge=bridge-master interface=ether10
add bridge=bridge-master interface=ether2
add bridge=bridge-master interface=ether3
add bridge=bridge-master interface=ether4
add bridge=bridge-master interface=ether5
add bridge=bridge-master interface=ether6
add bridge=bridge-master interface=ether7
add bridge=bridge-master interface=ether8
add bridge=bridge-master interface=ether9
/interface vlan
add interface=bridge-master loop-protect=off name=vlan-isp vlan-id=10
add interface=bridge-master name=vlan-private vlan-id=20
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
set 5 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 9 vlan-header=add-if-missing vlan-mode=secure
set 10 vlan-header=add-if-missing vlan-mode=secure
set 11 vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1,ether2 switch=switch1 \
    vlan-id=10
add independent-learning=yes ports=\
    switch1-cpu,ether1,ether3,ether4,ether5 switch=switch1 vlan-id=20
add independent-learning=yes ports=\
    switch2-cpu,ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=20
/ip address
add address=<internal IP>/24 interface=vlan-private network=<internal net>
add address=<external IP>/24 interface=vlan-isp network=<ISP net>
/ip firewall filter
add action=drop chain=input comment="master bridge leakage" in-interface=\
    bridge-master log=yes

HW offload is on all ports:

 #     INTERFACE     BRIDGE        HW  PVID PR  PATH-COST INTERNA...    HORIZON
 0 I H ether1        bridge-master yes    1 0x         10         10       none
 1   H ether10       bridge-master yes    1 0x         10         10       none
 2   H ether2        bridge-master yes    1 0x         10         10       none
 3 I H ether3        bridge-master yes    1 0x         10         10       none
 4 I H ether4        bridge-master yes    1 0x         10         10       none
 5 I H ether5        bridge-master yes    1 0x         10         10       none
 6 I H ether6        bridge-master yes    1 0x         10         10       none
 7 I H ether7        bridge-master yes    1 0x         10         10       none
 8 I H ether8        bridge-master yes    1 0x         10         10       none
 9 I H ether9        bridge-master yes    1 0x         10         10       none

All packets from ISP should go to vlan-isp (and there's no IP addresses on master bridge), still some packets are seeping through:

08:31:22 firewall,info input: in:bridge-master out:(unknown 0), src-mac <ISP gw MAC>, proto TCP (SYN), 79.167.15.240:13670-><my ext IP>:88, len 40 
09:07:12 firewall,info input: in:bridge-master out:(unknown 0), src-mac <ISP gw MAC>, proto TCP (SYN), 221.213.237.97:25555-><my ext IP>:23, len 40 
09:15:16 firewall,info input: in:bridge-master out:(unknown 0), src-mac <ISP gw MAC>, proto TCP (RST), 13.33.241.79:443-><my ext IP>:52236, len 40 
09:28:24 firewall,info input: in:bridge-master out:(unknown 0), src-mac <ISP gw MAC>, proto TCP (ACK), 66.211.182.222:443-><my ext IP>:4782, len 52 
10:03:16 firewall,info input: in:bridge-master out:(unknown 0), src-mac <ISP gw MAC>, proto TCP (RST), 173.194.73.99:443-><my ext IP>:53142, len 40 
10:03:16 firewall,info input: in:bridge-master out:(unknown 0), src-mac <ISP gw MAC>, proto TCP (RST), 173.194.73.99:443-><my ext IP>:53142, len 40

Posted: **Thu Oct 18, 2018 9:27 am**

I've done some further testing - modified firewall rules to catch all packets fallen off the VLAN to the master bridge.
Total seepage is about 0.1% of all packets.

The good news - I've been unable to reproduce the issue in a controlled environment like this:

The testbed:
[MT, 10.50.0.2>] <-Ether-> [<VLAN 50 access port <10.50.0.1 on VLAN interface - Device being tested - 10.60.0.1 on VLAN interface> VLAN 60 access port>] <-Ether-> [MT, 10.60.0.2>]

BTest between 10.50.0.2 and 10.60.0.2 as a test load.

Config of the device being tested (relevant part):

/interface bridge
add name=bridge-master protocol-mode=none
/interface bridge port
add bridge=bridge-master interface=ether1
add bridge=bridge-master interface=ether5
/interface vlan
add interface=bridge-master name=vlan-50 vlan-id=50
add interface=bridge-master name=vlan-60 vlan-id=60
/interface ethernet switch port
set 0 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=60 vlan-header=always-strip vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1 switch=switch1 vlan-id=\
    50
add independent-learning=yes ports=switch1-cpu,ether5 switch=switch1 vlan-id=\
    60
/ip address
add address=10.50.0.1/24 interface=vlan-50 network=10.50.0.0
add address=10.60.0.1/24 interface=vlan-60 network=10.60.0.0

(The config is for hAP ac (switch1-cpu is port 4) - I've tried it first as I have a spare one, and it has the same switch chip.)

6.43.2 on all devices.

On this testbed config I see zero packet seepage.

I've tried this config of the same switch of the same RB3011 that seeps ISP packets. Zero packet seepage.
Seepage from real-world VLAN seems unaffected - no noticeable change in rate when the test is running.

So it must be some specifics in some packets coming from ISP, that causing VLAN to seep packets.

I'll dig deeper (try to add another device between ISP and RB3011, capture the packets and look closer at offending ones) and get back.

Posted: **Fri Mar 01, 2019 6:19 pm**

Sorry for the late reply.

The issue is with the switch not the bridge. I've spoken with mikrotik support regarding this and they have been able to reproduce the issue.

Confirmed it will be passed onto the devs but no idea when it will be fix.

Chris

Posted: **Fri Mar 01, 2019 9:23 pm**

A good reason to stick with VLANS on a single bridge approach. Slower but no leakage or errors is better. Tortoise wins the race!!!

Posted: **Wed Aug 19, 2020 7:55 pm**

over a year on and i still have this issue with access ports having traffic fall onto the bridge. I run a single bridge and you can clearly see when touching the port that some traffic just doesnt have a vlan tag.

Fix it mikrotik. You had my supout files for some time now.

Posted: **Wed Aug 19, 2020 8:55 pm**

over a year on and i still have this issue with access ports having traffic fall onto the bridge. I run a single bridge and you can clearly see when touching the port that some traffic just doesnt have a vlan tag.

Fix it mikrotik. You had my supout files for some time now.

Your config as per OP is not as suggested by the Mikrotik Wiki articles so I would review this first, make necessary changes and revisit testing

Just so you don't have to do a Google search, see below links

https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip

https://wiki.mikrotik.com/wiki/Manual:S ... p_Examples

MikroTik

RB3011 Switch VLAN Access Port Issue

RB3011 Switch VLAN Access Port Issue

Re: RB3011 Switch VLAN Access Port Issue

Re: RB3011 Switch VLAN Access Port Issue

Re: RB3011 Switch VLAN Access Port Issue

Re: RB3011 Switch VLAN Access Port Issue

Re: RB3011 Switch VLAN Access Port Issue

Re: RB3011 Switch VLAN Access Port Issue

Re: RB3011 Switch VLAN Access Port Issue