Community discussions

MikroTik App
  4. RouterOS
  5. General

Help setting up hybrid tagged + untagged port on own bridge

Post Reply
 
User avatar
ocgltd
Member Candidate
Member Candidate
Topic Author
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Help setting up hybrid tagged + untagged port on own bridge

Sun Mar 06, 2022 9:44 pm

I am struggling to setup a port (ether3) to allow untagged and VLAN40 tagged packets. I am working on an RB850Gx2. And I have a ubiquiti AP connected to ether3 sending tagged (40) and untagged traffic for my two SSID's.

I have two bridges configured, one for internal traffic (with ether2, ether3). The other for my eventual hotspot traffic (VLAN40 on ether3). I have added an IP to the vlan40-guestwifi interface, and started a DHCP server listening on the vlan40-guestwifi interface. For now I just want to be able to issue an IP address and let the vlan40-guestwifi guests ping the MT.

Can someone tell me what is wrong with the config below? Anyone connecting to ether3 with VLAN40 tagged traffic is not reaching the MT's DHCP server. (Though traffic reaching ether3 untagged is correctly routing out my WAN as designed).
Code: Select all
# mar/06/2022 16:06:45 by RouterOS 7.1.2
# software id = FD0I-C393
#
# model = 850Gx2
# serial number = 71DC06A73D6A
/interface pptp-client
add allow=mschap1,mschap2 comment="PPTP tunnel to site2" connect-to=secure.mydomain.com disabled=no max-mru=1460 max-mtu=1460 name=pptp-tunnel-to-site2 \
    profile="PPTP Tunnel Profile" user=pptp-tunnel-from-site3
/interface bridge
add comment="Bridge for hotspot" name=bridge-hotspot
add admin-mac=6C:3B:6B:74:82:0E arp=proxy-arp auto-mac=no comment="Bridge for internal traffic (exc hotspot vlan)" name=bridge-internal \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment="External Interface" name=ether1-external speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp comment="Internal Interface" name=ether2-internal-slave speed=100Mbps
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full comment="Ubiquiti UAP AC PRO access point" name=\
    ether3-internal-slave speed=100Mbps
set [ find default-name=ether4 ] comment="ATA on Voice subnet (no vlan)" name=ether4-ata speed=100Mbps
set [ find default-name=ether5 ] bandwidth=unlimited/2M comment="Unused - speed limit to 2MBbps" disabled=yes name=ether5-unused speed=100Mbps
/interface l2tp-client
add allow=mschap1,mschap2 comment="L2TP tunnel to site2" connect-to=secure.mydomain.com disabled=no name=l2tp-tunnel-to-site2 profile=\
    "L2TP Tunnel Profile" use-ipsec=yes user=l2tp-tunnel-from-site3
/interface vlan
add arp=proxy-arp comment="Voice traffic to PBX (172.31.233.0/24)" interface=bridge-internal mtu=1516 name=vlan10-Voice vlan-id=10
add arp=proxy-arp comment="Camera traffic from VLAN 20(172.31.231.0/24)" interface=bridge-internal mtu=1516 name=vlan20-cameras vlan-id=20
add arp=proxy-arp comment="Entertainment traffic to VLAN Entertainment (172.31.232.0/24)" interface=bridge-internal mtu=1516 name=\
    vlan30-entertainment vlan-id=30
add comment="Guest network VLAN 40" interface=bridge-hotspot name=vlan40-guestwifi vlan-id=40
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=firewall-k
/interface bridge port
add bridge=bridge-internal frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether3-internal-slave
add bridge=bridge-internal ingress-filtering=no interface=ether2-internal-slave
add bridge=bridge-hotspot ingress-filtering=no interface=vlan40-guestwifi
/interface bridge settings
set use-ip-firewall=yes
/interface bridge vlan
add bridge=bridge-hotspot tagged=vlan40-guestwifi vlan-ids=40
add bridge=bridge-internal tagged=ether2-internal-slave vlan-ids=10,30,20
/interface l2tp-server server
set authentication=mschap1,mschap2 max-mru=1460 max-mtu=1460
/interface list member
add interface=ether1-external list=discover
add interface=bridge-internal list=discover
add interface=ether3-internal-slave list=discover
add interface=ether4-ata list=discover
add interface=ether5-unused list=discover
add interface=bridge-internal list=mactel
add interface=ether3-internal-slave list=mactel
add interface=ether4-ata list=mactel
add interface=bridge-internal list=mac-winbox
add interface=ether5-unused list=mactel
add interface=ether3-internal-slave list=mac-winbox
add interface=ether4-ata list=mac-winbox
add interface=ether5-unused list=mac-winbox
/interface ovpn-server server
set cipher=blowfish128,aes128,aes192,aes256 enabled=yes keepalive-timeout=disabled
/interface pptp-server server
set default-profile=default max-mru=1460 max-mtu=1460
[admin@firewall-k] >
Last edited by ocgltd on Sun Mar 06, 2022 11:10 pm, edited 2 times in total.
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13026
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help setting up hybrid tagged + untagged port on own bridge

Sun Mar 06, 2022 10:43 pm

Print-outs are messy. Execute /interface export hide-sensitive and post output.

But generally you should be running single bridge with vlan-filtering enabled. Read this tutorial to see how it should be done.
Top
 
404Network
Member Candidate
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: Help setting up hybrid tagged + untagged port on own bridge

Sun Mar 06, 2022 10:46 pm

Why dont you stick to one thread,
I gave you a perfectly reasonable example here.................

viewtopic.php?p=917057#p917058
Top
 
User avatar
ocgltd
Member Candidate
Member Candidate
Topic Author
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: Help setting up hybrid tagged + untagged port on own bridge

Sun Mar 06, 2022 10:54 pm

404Network: I'm trying to break my problem into smaller pieces, and will return to other thread (about Hotspot) in the future. At this point I've narrowed the problem down to my understanding of how to handle the tagged + untagged on a single port. I appreciate the full config you posted, but I'm having trouble identifying what's wrong with my config from that (just blowing it away and replacing with yours doesn't teach me much). I need to understand where I'm going wrong.

mkx: I read that tutorial before but as none of the scenarios matched what I'm doing - hybrid (tagged and untagged on one port) I didn't get anywhere. I've replaced the output in my question with the /interface print as you requested. Hopefully that's easier to read. The reason I created 2 bridges is because another posting said that is necessary for using hotspot with VLAN (but I can ignore that for now). If I can just created an isolated network on VLAN40 on ether3 (just serving DHCP to guests) I feel I can add firewall rules to allow traffic in/out safely. I'm curious why only 1 bridge - wouldn't that allow my guest traffic to reach other ports?

I took over the Mikrotik config responsibility and can get 90% of the setup done easily. But the last 10% are killing me. I've read so many conflicting/vague statements about what the settings mean/do. Some tutorials even say ignore the others because they are wrong, etc. If I could just get my head around the interface - bridge - port - VLAN config relationship this will click for me.
Top
 
404Network
Member Candidate
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: Help setting up hybrid tagged + untagged port on own bridge

Sun Mar 06, 2022 11:59 pm

The example provided and text told you how to handle the port if the ubiquiti expects the trusted vlan to be untagged. Its called a hybrid port.
The other option is to treat the AP like other normal smart APs, not that bastardized piece of equipment calling itself an AP.
simply remove the parts in red and add the bit in blue..............normal setup as per the vlan reference link by pcunite.

/bridge ports
add bridge=bridge interface=ether2 pvid=10 ingress-filtering=yes
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=20
add bridge=bridge interface=ether6 pvid=30
/bridge vlans
add bridge=bridge tagged=bridge,ether3 untagged=ether2,ether3, ether 4 pvid=10
add bridge=bridge tagged=bridge untagged=ether5 pvid=20
add bridge=bridge tagged=bridge untagged=ether6 pvid=30
add bridge=bridge tagged=bridge,ether3 pvid=40

I didnt read in the Mikrotik documentation that you needed a separate bridge for the hotspot ???
I also pointed out in the MT documentation that indicated otherwise.
Quote
"I am not sure where you get your info but suggest starting here.......
https://help.mikrotik.com/docs/pages/vi ... d=56459266

It seems to indicate you can associated your hotspot with most any interface.
My preference, If I was to try it, would be via vlan."

Since you seem incapable of reading.....
Here is the germane part of the link above........

/ip/hotspot
The menu is designed to manage the HotSpot servers of the router. It is possible to run HotSpot on Ethernet, wireless, VLAN, and bridge interfaces. One HotSpot server is allowed per interface. When HotSpot is configured on the bridge interface, set HotSpot interface as bridge interface, not as bridge port, do not add public interfaces to bridge ports. You can add HotSpot servers manually to the /ip/hotspot menu, but it is advised to run /ip/hotspot/setup, which adds all necessary settings.
Top
Post Reply

Who is online

Users browsing this forum: CGGXANNX, szizo and 69 guests
  4. RouterOS
  5. General