Can't get untagged ports from hEX PoE (switch)

pierfrancescoelia · Sat Feb 12, 2022 9:57 pm

Hi all, I have an RB4011iGS+RM, and everything is working fine.

I have a bridge and 4 VLANS (with 4 subnets, and so 4 DHCP servers), and I can easily tag/untag for set the device's ports to access/trunk capabilities.

Here is the configuration of my router, based on instructions provided on this thread, and everything is working.

/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=bridge name=vlan-elia vlan-id=20
add interface=bridge name=vlan-guest vlan-id=50
add interface=bridge name=vlan-mgmt vlan-id=250

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

/interface list
add name=WAN
add comment="All VLANs" name=ALL_VLANs
add comment="Internal VLANs" name=INT_VLANs

/ip pool
add name=pool-elia ranges=192.168.20.10-192.168.20.254
add name=pool-guest ranges=192.168.50.10-192.168.50.254
add name=pool-mgmt ranges=192.168.250.100-192.168.250.150

/ip dhcp-server
add address-pool=pool-elia disabled=no interface=vlan-elia name=dhcp-elia
add address-pool=pool-guest disabled=no interface=vlan-guest name=dhcp-guest
add address-pool=pool-mgmt disabled=no interface=vlan-mgmt name=dhcp-mgmt

/interface bridge port
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge ingress-filtering=yes interface=ether2
add bridge=bridge ingress-filtering=yes interface=ether3
add bridge=bridge ingress-filtering=yes interface=ether4
add bridge=bridge ingress-filtering=yes interface=ether5
add bridge=bridge ingress-filtering=yes interface=ether6 pvid=20
add bridge=bridge ingress-filtering=yes interface=ether7 pvid=20
add bridge=bridge ingress-filtering=yes interface=ether8 pvid=20
add bridge=bridge ingress-filtering=yes interface=ether9 pvid=50
add bridge=bridge ingress-filtering=yes interface=ether10 pvid=250

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 untagged=ether6,ether7,ether8 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 untagged=ether9 vlan-ids=50
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 untagged=ether10 vlan-ids=250

/interface list member
add interface=vlan-elia list=ALL_VLANs
add interface=vlan-guest list=ALL_VLANs
add interface=vlan-elia list=INT_VLANs
add interface=vlan-mgmt list=ALL_VLANs
add interface=vlan-mgmt list=INT_VLANs

/ip address
add address=192.168.20.1/24 interface=vlan-elia network=192.168.20.0
add address=192.168.50.1/24 interface=vlan-guest network=192.168.50.0
add address=192.168.250.1/24 interface=vlan-mgmt network=192.168.250.0

/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.20.1
add address=192.168.50.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.50.1
add address=192.168.250.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.250.1

/ip dns
set servers=1.1.1.1,1.0.0.1

/ip firewall filter
add action=accept chain=input comment="Allow Estab. & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=INT_VLANs
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab. & Related" connection-state=established,related
add action=accept chain=forward comment="Allow Internet Access" connection-state=new in-interface-list=ALL_VLANs out-interface-list=WAN
add action=accept chain=forward comment="Allow Internal VLANs traffic" connection-state=new in-interface-list=INT_VLANs out-interface-list=INT_VLANs
add action=drop chain=forward comment=Drop

I recently bought an hEX PoE and I want to link an Ubiquiti U6-Lite on top of the hEX that is installed far from the router.

The configuration of the hEX is the following, based also on the same post about VLANS linked above.

/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=ether1 name=vlan-mgmt vlan-id=250

/interface bridge port
add bridge=bridge comment=Ingresso frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=20

/interface bridge vlan
add bridge=bridge comment=Elia tagged=ether1 vlan-ids=20
add bridge=bridge comment=Guest tagged=ether1 vlan-ids=50
add bridge=bridge comment=Management tagged=bridge,ether1 vlan-ids=250

/ip address
add address=192.168.250.2/24 interface=vlan-mgmt network=192.168.250.0

/ip dns
set servers=1.1.1.1,8.8.8.8

/ip route
add distance=1 gateway=192.168.250.1

I can have untagged ports for VLANs different than the mgmt-vlan (so VLAN 20 and 50), but I can't sort out why I can't have untagged VLAN 250 ports.

When I connect a laptop to an untagged MGMT port, I can see the DHCP server working on the router, but the DHCP lease never get accepted by the client, always remains in offered state.

This is what I want to achieve, I tried to replicate the steps but I couldn't manage to get this working.

I would really appreciate some help, I know that it is a stupid mistake, thanks in advance to anyone who will help me!

mkx · Sat Feb 12, 2022 10:32 pm

/interface vlan
add interface=ether1bridge name=vlan-mgmt vlan-id=250

Since ether1 is member port of bridge, you should anchor the vlan interface on bridge interface.

pierfrancescoelia · Sun Feb 13, 2022 3:11 pm

/interface vlan
add interface=ether1bridge name=vlan-mgmt vlan-id=250

Since ether1 is member port of bridge, you should anchor the vlan interface on bridge interface.

Thank you very much @mkx! That did the trick!

But right now I can't get how to tag the interface for the Unifi AP, I'm confused as I did another installation and it went perfectly smooth. Today the AP is not giving me the correct IP address (I assume same problem of before). So how can I tag the correct interface (ether2) with other VLANs in order to make it an hybrid VLAN port? Thanks in advance!

sindy · Sun Feb 13, 2022 4:00 pm

Under /interface bridge port, change frame-types from admit-only-untagged-and-priority-tagged to admit-all for ether2, doing so will make it a hybrid port.

anav · Sun Feb 13, 2022 4:06 pm

Sindy has pointed out the correct settings.
The reasons are more important. If not clear in the recommended change itself, one should realize that by setting the bridge port ONLY to access untagged frames, that will block the tagged frames you are trying to push through the port to the unifi. Hybrid ports are a bit weird as you are telling the router in the bridge port settings, please treat this port as an access port with pvidX, but then in interface bridge vlan settings you state however I want to push tagged vlans x,y,z through that port as well. Since you know there will be tagged vlans, one can and should still apply ingress filtering on the port but leave frame types alone. (default is all).

Can't get untagged ports from hEX PoE (switch)

Can't get untagged ports from hEX PoE (switch)

Re: Can't get untagged ports from hEX PoE (switch)

Re: Can't get untagged ports from hEX PoE (switch)

Re: Can't get untagged ports from hEX PoE (switch)

Re: Can't get untagged ports from hEX PoE (switch)