Vlan in "new bridge" configuration

petterg · Fri Mar 20, 2020 12:38 pm

Last time I did vlan setup was with ros 6.39. Now with ros 6.46 I though it would be simplified by the new way of bridge implementation. But I run into trouble.

The goal is to make a RB3011 have the following setup:
eth1: wan-interface (no vlan)
eth2,eth3: tagged vlans 40,41,42,43,44,45,46
eth4: untagged vlan 40
eth5: untagged vlan 41
eth6: untagged vlan 42
eth7: untagged vlan 43
eth8: untagged vlan 44
eth9: untagged vlan 45
eth10: untagged vlan 46

After setting up like I though it should be, I got all the tagged vlans on eth2 and eth3. But none of the untagged ports are just as if they were members of a regular bridge without any vlans defined. And if I connect a device with no vlan defined, even eth2 and eth3 seems to be members of that bridge. I don't know how to explain this behaviour any better, so I'll show the config.

/interface bridge
add admin-mac=B8:69:F4:BB:84:71 arp=proxy-arp auto-mac=no comment=defconf name=bridge

/interface vlan
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan41 vlan-id=41
add interface=bridge name=vlan42 vlan-id=42
add interface=bridge name=vlan43 vlan-id=43
add interface=bridge name=vlan44 vlan-id=44
add interface=bridge name=vlan45 vlan-id=45
add interface=bridge name=vlan46 vlan-id=46

/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master pvid=42
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4 pvid=40
add bridge=bridge interface=ether5 pvid=41
add bridge=bridge interface=ether7 pvid=43
add bridge=bridge interface=ether8 pvid=44
add bridge=bridge interface=ether9 pvid=45
add bridge=bridge interface=ether10 pvid=46

/interface bridge vlan
add bridge=bridge tagged=ether2-master,ether3 untagged=ether4 vlan-ids=40
add bridge=bridge tagged=ether2-master,ether3 untagged=ether5 vlan-ids=41
add bridge=bridge tagged=ether2-master,ether3 untagged=ether6-master vlan-ids=42
add bridge=bridge tagged=ether2-master,ether3 untagged=ether7 vlan-ids=43
add bridge=bridge tagged=ether2-master,ether3 untagged=ether8 vlan-ids=44
add bridge=bridge tagged=ether2-master,ether3 untagged=ether9 vlan-ids=45
add bridge=bridge tagged=ether2-master,ether3 untagged=ether10 vlan-ids=46

/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
add address=80.232.36.70/30 interface=ether1 network=80.232.36.68
add address=172.27.40.1/24 interface=vlan40 network=172.27.40.0
add address=172.27.41.1/24 interface=vlan41 network=172.27.41.0
add address=172.27.42.1/24 interface=vlan42 network=172.27.42.0
add address=172.27.43.1/24 interface=vlan43 network=172.27.43.0
add address=172.27.44.1/24 interface=vlan44 network=172.27.44.0
add address=172.27.45.1/24 interface=vlan45 network=172.27.45.0
add address=172.27.46.1/24 interface=vlan46 network=172.27.46.0

Note the 192.168.88.1 address is disabled

With this setup I expected that if I put a pc on eth10 with the ip 172.27.46.2, it would be able to communicate with 172.27.46.1 (routers ip on vlan46). This is not the case. However if I give the pc the address 192.168.88.2 and enable the 192.168.88.1 address, the pc communicates with the router on that address.
Same goes for eth2 and eth3 - if I put the pc with address 192.168.88.2 on eth2 or eth3 - where there should be tagged packets only - it is able to communicate with the router at 192.168.88.1.
What does work is the tagged vlans. Any device connected to eth2 or eth3 using tagged vlan 40-46 communicates with the router on the addresses set on those vlans.

I tried to put ingress-filtering=yes on the bridge, but then the router stopped communicating tagged vlans on eth2 and eth3.
What am I missing for this config?

Sob · Fri Mar 20, 2020 3:51 pm

You're almost there:

1) If you have vlan interfaces on bridge, bridge itself must be listed as tagged member for given vlan id:

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2-master,ether3 untagged=ether4 vlan-ids=40
...

2) Bridge needs vlan-filtering=yes.

petterg · Fri Mar 20, 2020 10:28 pm

Thanks!
That was one thing I had missed. It makes sense just like in the old bridge one had to remember to include cpu-port in the switch config. But there must be one more thing I've missed:
Adding bridge as tagged interface on all vlans helped for the loss of communication on tagged packages when setting vlan-filtering=yes.
But the communication on the untagged ports are still not working - I suspect they get tagged with vlanid=1 on ingress.

Sob · Fri Mar 20, 2020 11:38 pm

Untagged ports use what they have as pvid. Each vlan is separate interface with different IP subnet, so access to anywhere else would be through routing. I'm not sure what was happening before. But check your firewall, make sure you have correct routes, etc.

petterg · Sat Mar 21, 2020 12:50 am

This is not firewall related. It is within the bridge/vlan config. (There are no firewall output rule defined, and my test is from the router)

Ports pvid are as show in the config in first post.
Bridge pvid=1. Thats why I suspect packages get vlanid=1 on ingress. (Is there a way to see if that's actually whats happening?)
So, if the bridge pvid overrules the ports pvid, how should a setup with untagged ports from several vlans look?

Sob · Sat Mar 21, 2020 1:28 am

What exactly are you trying? Share more details. For example this:

With this setup I expected that if I put a pc on eth10 with the ip 172.27.46.2, it would be able to communicate with 172.27.46.1 (routers ip on vlan46).

? It should work. Ping 172.27.46.2 from router or 172.27.46.1 from PC, use Tools->Torch on vlan46 and ether10 and check what's there.

petterg · Sat Mar 21, 2020 1:56 am

A pc with static ip192.168.88.2 is connected to eth9.
If I put ip 192.168.88.1 on vlan45 (which should be untagged on eth9) and ping 192.168.88.2, I get no reply.
If I put the same ip on bridge interface, I get reply.
According to the config the result should have been the other way around. To me it seems like it's no vlan45 that is untagged at eth9. I have not changed anything in the switch menu. Maybe I should? (I though the idea of the new way to do config was to avoid dealing with vlan in the switch menu)

What is also worth noting is that this configuration disables switch hardware offloading. This setup is very similar to a rb3011 that is running ros 6.39.2. That box show that the hardware is capable of doing this in hw. (This setup has 6vlans doing untagged at 6 ports, the old box has 12 vlans, doing untagged at 4 ports) So it seems like this upgraded ros will increase cpu load.

anav · Sat Mar 21, 2020 8:08 pm

Please post your entire config,, otherwise we cannot provide accurate feedback.

Not sure what proxy settings will do,,,,,,,, but since I dont have a clue about them, I dont use them.
/interface bridge
add admin-mac=B8:69:F4:BB:84:71 arp=proxy-arp auto-mac=no comment=defconf name=bridge

/interface vlan settings - no issues

/interface bridge port settings - no issues (trunk ports 2,3, and spf1, rest are access ports with assigned pvids)
(you dont have spf1 assigned to any vlan setting however,,,, future use?)

/interface bridge vlan - as sob says, you need to add bridge in the taggings for all your bridge vlan lines.

/ip address - okay I recommend you get rid of any address on the bridge and just create a new vlan if you need one.
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0

(lots of stuff missing needed to ensure your setup is actually useful)

reverged · Sat Mar 21, 2020 9:08 pm

Ensure you have bridge vlan-filtering enabled:

/int bridge set bridge vlan-filtering=yes

Otherwise bridge vlans have no effect.

I have forgotten to do this many times......

Sob · Sat Mar 21, 2020 10:41 pm

Based on description, there's something wrong. But I don't know what. Sharing config could help.

Bridge vlan filtering is (I guess) long-term plan for switch configuration. But on most devices it's not there yet. It works for basic switching when you bridge all ports together, but add anything "advanced" like vlans and it's only software.

mada3k · Sun Mar 22, 2020 12:07 pm

This was my solution
viewtopic.php?f=13&t=158748&p=780079#p780079

petterg · Sun Mar 22, 2020 3:08 pm

What I've just realized is that setting bridge ingress-filtering=yes | no makes the difference if the router is communicating with pc on eth9 using ip on bridge interface (ingress-filtering=no) or not at all (ingress-filtering=yes). It doesn't under any circumstances communicate with the pc on eth9 using ip on vlan45. However the pc on vlan45 does show up on network discovery.

Here is the full config after the changes suggested by Sob in first reply of this thread.

# mar/22/2020 12:25:51 by RouterOS 6.46.4
# software id = XN86-6S9B
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE095D4441
/interface bridge
add admin-mac=B8:69:F4:BB:84:71 auto-mac=no comment=defconf ingress-filtering=yes name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] name=ether6-master speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan41 vlan-id=41
add interface=bridge name=vlan42 vlan-id=42
add interface=bridge name=vlan43 vlan-id=43
add interface=bridge name=vlan44 vlan-id=44
add interface=bridge name=vlan45 vlan-id=45
add interface=bridge name=vlan46 vlan-id=46
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master pvid=42
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4 pvid=40
add bridge=bridge interface=ether5 pvid=41
add bridge=bridge interface=ether7 pvid=43
add bridge=bridge interface=ether8 pvid=44
add bridge=bridge interface=ether9 pvid=45
add bridge=bridge interface=ether10 pvid=46
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=ether2-master,ether3,bridge untagged=ether4 vlan-ids=40
add bridge=bridge tagged=ether2-master,ether3,bridge untagged=ether5 vlan-ids=41
add bridge=bridge tagged=ether2-master,ether3,bridge untagged=ether6-master vlan-ids=42
add bridge=bridge tagged=ether2-master,ether3,bridge untagged=ether7 vlan-ids=43
add bridge=bridge tagged=ether2-master,ether3,bridge untagged=ether8 vlan-ids=44
add bridge=bridge tagged=ether2-master,ether3,bridge untagged=ether9 vlan-ids=45
add bridge=bridge tagged=ether2-master,ether3,bridge untagged=ether10 vlan-ids=46
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=vlan40 list=discover
add interface=vlan45 list=discover
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlan45 network=192.168.88.0
add address=x.x.x.x/30 interface=ether1 network=x.x.x.x
add address=172.27.40.1/24 interface=vlan40 network=172.27.40.0
add address=172.27.41.1/24 interface=vlan41 network=172.27.41.0
add address=172.27.42.1/24 interface=vlan42 network=172.27.42.0
add address=172.27.43.1/24 interface=vlan43 network=172.27.43.0
add address=172.27.44.1/24 interface=vlan44 network=172.27.44.0
add address=172.27.45.1/24 interface=vlan45 network=172.27.45.0
add address=172.27.46.1/24 interface=vlan46 network=172.27.46.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface=vlan40
add action=accept chain=input in-interface=vlan45
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=x.x.x.x
/system identity
set name=AL3011
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
{/code]

mkx · Sun Mar 22, 2020 5:52 pm

You have two addresses now bound to same interface (vlan45) ... which address are you using when testing connectivity from the PC?

anav · Sun Mar 22, 2020 6:17 pm

(1) What purpose do these server and especially the ones highlighted??
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=vlan40 list=discover
add interface=vlan45 list=discover

(2) ask Mkx already noted
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlan45 network=192.168.88.0
add address=172.27.45.1/24 interface=vlan45 network=172.27.45.0

(3) These are pretty wide open..... (can you narrow them down)
add action=accept chain=input in-interface=vlan40
add action=accept chain=input in-interface=vlan45

(4) Missing the dhcp settings, dhcp-server and dhcp-server network. Without a full config we cannot properly assess!!!

petterg · Mon Mar 23, 2020 9:34 am

The interfaces in routeros default lists are there just for being there in the default config. I don't think they block anything.

The 192.168.88.1-address I move between the vlan45- and bridge-interfaces for testing. Just a way for testing ping to the pc with address 192.168.88.2 without putting hands on the pc.

Firewall rules are maxed open to make sure firewall is not stopping any packages when I try to figure why there is no communication to devices that doesn't have vlan configured.

DHCP is not in use. (Do you guys really set dhcp-server on networks where there are not regular users and no devices running dhcp-clients?)

Please focus on why the vlan config is not working, and not why you would not connect an enduser to this setup.

anav · Mon Mar 23, 2020 3:20 pm

HAHA if you are so smart to let us know that the full config is not needed you figure it out. Im off to help more cooperative and open minded folks.

mkx · Mon Mar 23, 2020 7:19 pm

How about a test where you don't move the address 192.168.88.1 between different interfaces, but rather configure PC (connected to ether9) with 172.27.45.x ?

Another action (not necessarily out of despair) would be to reset config to factory default and redo config (the parts needed to be done), but taking new default config philosophy into account... your device is running modern ROS but config seems to inherit from a pretty old default. New defaults make much more sense ...

Sob · Tue Mar 24, 2020 3:29 am

I did a test with RB450 and this simple config (basically a subset of yours):

/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan45 vlan-id=45
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether5 pvid=45
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether5 vlan-ids=45
/ip address
add address=172.27.45.1/24 interface=vlan45 network=172.27.45.0

Notebook with 192.168.88.2/24 is connected to ether5. This works (as expected):

/ip address
add address=192.168.88.1/24 interface=vlan45 network=192.168.88.0

And this doesn't (also expected):

/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0

It's the opposite of what you're seeing. But I just don't see any difference in config. So for the lack of better ideas, it's maybe time for variant of magic "turn it off and on again", i.e. system reset and start from scratch. There's no reason why it should help, but it wouldn't be the first time...

petterg · Tue Mar 24, 2020 10:31 am

I noticed this note in the doc. https://wiki.mikrotik.com/wiki/Manual:B ... _switching

Note: This type of configuration should be used on RouterBOARD series devices, this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices.

That note was under an example of old-way vlan config. I didn't look at that part before, as I though it was for ros pre 6.41.

So maybe that is my issue, that the RB3011 needs the config to be old style? (only difference from old style is that master-port is managed by putting all ports in a bridge)

anav · Tue Mar 24, 2020 3:15 pm

Use the latest firmware and forget old styles.....

Sob · Tue Mar 24, 2020 6:31 pm

It depends how much you need HW offload. New bridge VLAN filtering works with all devices, difference is only whether it will use HW switch or do everything in software.

So if you have VLANs only to separate some networks, but you don't need much throughput, because e.g. all their traffic through router will be only to access slow internet, new way is ok on any device. But if you need more, device may not be able to handle it in software and you need the old style switch menu.

petterg · Wed Mar 25, 2020 8:26 pm

I resat config and started blank. Even copy/pasted the config into the box, and it works. Why this didn't work in the first place reminds a mystery.

anav · Wed Mar 25, 2020 9:21 pm

Glad to hear its resolved!

petterg · Tue Mar 31, 2020 11:07 pm

Why is there a note in documentation telling to use the old style vlan config "on RouterBOARD series devices, this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices"?
I see that doing vlan "the new way" ends up doing this setup in software. While in the old way of doing this, it would do this in hardware. Is that the reason for the note?

mkx · Tue Mar 31, 2020 11:10 pm

Vlan in "new bridge" configuration

Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Re: Vlan in "new bridge" configuration

Who is online