Weird warning with bridge config regarding VLANs

kobuki · Wed Jun 30, 2021 12:17 am

I have a weird warning on my cAP AC, I think it's best to post my config, it's pretty simple (see at the end). Very close to default empty, just a trunk port with 3 VLANs and a CAPs config for the wifi. What I'm puzzled about is the following line:

# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry

But I have no untagged ports, only a single trunk port on the bridge. Even the dynamically added wlan ports become tagged on the bridge because of CAPs. This is very confusing.Can someone shed some light on what's wrong? The configuration is working as intended but the warning bugs me.

The full config:

# jun/29/2021 23:14:56 by RouterOS 6.47.9
# software id = x
#
# model = RBcAPGi-5acD2nD
# serial number = x
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=br-trunk \
    protocol-mode=none pvid=2 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(18dBm), SSID: benedict, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-5CB1F0 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5640/20-eeCe/ac/DP(24dBm), SSID: benedict, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-5CB1F1 \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
/interface vlan
add interface=br-trunk name=vlan2-mgmt vlan-id=2
add interface=br-trunk name=vlan10-lan vlan-id=10
add interface=br-trunk name=vlan20-guest vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=br-trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1 pvid=2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=br-trunk tagged=ether1,br-trunk vlan-ids=2,10,20
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
# 
set bridge=br-trunk certificate=request discovery-interfaces=vlan2-mgmt \
    enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.88.12/24 interface=vlan2-mgmt network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no
/ip dns
set servers=192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip route
add distance=1 gateway=192.168.88.1
/system clock
set time-zone-name=Europe/x
/system identity
set name=ap2.bnh.hu
/system ntp client
set enabled=yes primary-ntp=192.168.88.1
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav · Wed Jun 30, 2021 3:09 am

Well, not surprized as you have an overly complex non-standard vlan bridge configuration.
Read through this link to fix............
viewtopic.php?f=23&t=143620

For starters the only thing that needs to be done for the bridge itself is enable it, keep default pvid=1 and dont add anything such as admit only vlan tagged frames etc........

This particular rule demonstrates you dont have a clue about trunk ports, access ports etc........
Not that its a bad thing but time to learn properly vice configuring using some horrible youtube advice.
/interface bridge port
add bridge=br-trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1 pvid=2

Thus read through the link, and look for the similar AP example.
THen post your new config if you hare having issues.

kobuki · Wed Jun 30, 2021 12:14 pm

What the hell, man. Since my 10 years and near 150 posts here I haven't received such a rude and condescending answer to a reasonable post for help. From an old forum guru, at that! Please consider a calmer tone. It's unnecessary to accuse people of said behavior and assume things about people you have no clue about. One thing about MT vlan setup is, though, that while offering a lot of settings and features, it's unnecessarily convoluted to set up right, and it leads to many small, but fatal mistakes I see mentioned/fixed even on this forum many times.

That aside, I've looked at the AP example on the page mentioned. It does essentially the same, without vlan filtering. As I mentioned, my config does work, and I need ingress/egress vlan filtering as well. The warning, though, still hints that something's wrong, but I don't understand what. I'm using basically the same config on the CAPsMAN router, and there are no warnings there at all. Also using similar configs on other MT routers, without warnings.

Do you have some concrete suggestions to change my config, considering the above requirements?

kobuki · Wed Jun 30, 2021 1:16 pm

OK, additional info: the warning only appears when there are active CAP wlan interfaces dynamically added to the bridge. If I disable CAP and thus the dynamic ports, the warning disappears. I admit that I'm not very experienced with CAP, so the issue might lie somewhere in that config. Although I only made a basic config that I plan to refine if needed, I can post it if it seems relevant.

tdw · Wed Jun 30, 2021 1:30 pm

It isn't the CAP configuration, it relates to having untagged= entries under /interface bridge vlan on rows which specify more than a single value for vlan-ids=. See the warning regarding this here https://help.mikrotik.com/docs/display/ ... eVLANtable

Separating the bridge VLANs out should resolve it:
/interface bridge vlan
add bridge=br-trunk tagged=ether1,br-trunk vlan-ids=2
add bridge=br-trunk tagged=ether1,br-trunk vlan-ids=10
add bridge=br-trunk tagged=ether1,br-trunk vlan-ids=20

kobuki · Wed Jun 30, 2021 6:05 pm

As I stated tdw, its not a simple matter its the fact that the OP does not understand Bridge vlan filtering and thus giving him the config answer is actually not helpful as he will now not read the link nor really learn anything.

I do understand the purpose of bridge vlan filtering and for the 3rd time, the configuration works as intended. Giving me the answer to my actual question would have been helpful, but you resorted to arrogance instead. However, I do listen to advice given and have read the thread you posted, and as I've mentioned, I have looked at the relevant example, too. I have also read the relevant info on the page tdw posted (but haven't yet implemented it). So far, I haven't been able to conclude what my mistake is, yet.

There is no MT advice that points to the sorry state of his config so either he made it up or as stated took advice from youtube which is a minefield of issues.

You shouldn't talk about things you have no clue about. I do use YT - for entertainment, nothing more. I've no clue why you're adamant about YT. Maybe you learned the basics from there - I think it's fine. Also, you claim my config is in a sorry state, but you neglect to point out or explain what the actual issue is and why. From that, I must assume you're just trolling. Please do that elsewhere. Or, point out actual errors to gain some degree of credibility for your post. That is, if you have the wish to help.

for the OP. I can give you rude, my post was no nonsense, if you cant hack it then your skin is too thin, you are allergic to being held accountable or are arrogant, take your pick!
Clearly you have wasted 6 years, thats four freebie years to get up to speed, see how generous I am. :-)

I'd be forced to break general internet standards of contact pretty hard so I'll just won't comment on this. Get the hint.

kobuki · Wed Jun 30, 2021 6:26 pm

It isn't the CAP configuration, it relates to having untagged= entries under /interface bridge vlan on rows which specify more than a single value for vlan-ids=. See the warning regarding this here https://help.mikrotik.com/docs/display/ ... eVLANtable

Separating the bridge VLANs out should resolve it:
/interface bridge vlan
add bridge=br-trunk tagged=ether1,br-trunk vlan-ids=2
add bridge=br-trunk tagged=ether1,br-trunk vlan-ids=10
add bridge=br-trunk tagged=ether1,br-trunk vlan-ids=20

Thanks. I'll try this after work hours, though I don't understand why it's necessary. I do not have untagged ports set up (so I didn't add untagged= entries under /interface bridge vlan). The dynamically added (by CAP) wlanX ports also appear as tagged.

tdw · Wed Jun 30, 2021 6:47 pm

If /interface bridge vlan print does not show any ports in the CURRENT-UNTAGGED column when that error is displayed it could be a bug. wlan interfaces themselves have options for VLAN tagging so it may be a historic artefact.

kobuki · Wed Jun 30, 2021 7:35 pm

If /interface bridge vlan print does not show any ports in the CURRENT-UNTAGGED column when that error is displayed it could be a bug. wlan interfaces themselves have options for VLAN tagging so it may be a historic artefact.

Indeed, the untagged list is empty:

/interface bridge vlan print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                                   VLAN-IDS  CURRENT-TAGGED                                 CURRENT-UNTAGGED                                
 0   ;;; port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
     br-trunk                                 2         br-trunk                                      
                                              10        ether1                                        
                                              20        wlan1                                         
                                                        wlan7                                         
                                                        wlan2                                         
                                                        wlan9

This is the relevant part of the capsman config on the router:

/caps-man datapath
add local-forwarding=yes name=LAN vlan-id=10 vlan-mode=use-tag
add local-forwarding=yes name=guest vlan-id=20 vlan-mode=use-tag

So this looks like I might've found a bug. Let's see if someone from MT appears to confirm or set it straight, if not, I'll file a bug report.

kobuki · Tue Jul 06, 2021 11:22 pm

Mikrotik support has a response to this issue:

The warning will appear when you have some untagged port automatically added to the VLAN group. This happens when the port has set "pvid" and then in "/interface bridge vlan" table you create an entry with multiple VLANs, which include the "pvid".

However, at the time when you created the supout.rif file, I see that configuration is correctly applied (using the "frame-types" setting) and this warning should disappear, but it did not. We will fix this in upcoming RouterOS versions. You can fix the warning by deleting VLAN entry and creating a new one.

kozistan · Sun Aug 04, 2024 11:20 am

Hi, I'd like to ask if you managed to solve this problem. I know it's been a while and many things have changed, but I am now in the exact same situation with identical symptoms, except for the problematic message in the log.

sindy · Sun Aug 04, 2024 12:09 pm

As usually, post the export of your actual config (without any sensitive information like serial numbers, public IP addresses, and usernames for external services). Same symptoms do not necessarily mean the same root cause.

kozistan · Sun Aug 04, 2024 4:18 pm

hi sindy, I have opened a thread here, all the details are included

viewtopic.php?p=1089400#p1089400

sindy · Sun Aug 04, 2024 5:11 pm

I have opened a thread here

So not even the symptoms are the same

Alright, I took on there.

Weird warning with bridge config regarding VLANs [SOLVED]

Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs [SOLVED]

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs

Re: Weird warning with bridge config regarding VLANs