
RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Sat Aug 06, 2022 4:23 am
by shivansps
This is likely a switch configuration issue, but I wanted to ask here as maybe I have a bad configuration on the router.

The setup I have is actually a very simple one: VLAN 1 is untagged on the bridge, this is the router's native VLAN, and then I added a bunch of different VLANs with different networks to the bridge, enabled VLAN filtering and added them to the bridge VLANs.

Image
I didn't have the correct VLAN IDs when I made the diagram; they are 110 and 130.

In short, the router sends VLAN 1 as untagged, and VLANs 110, 130 and 140 as tagged on all LAN ports. All PCs are connected to a TP-Link Smart switch that is connected to the port labeled as "switch". This switch is an L2 switch with some L3 features.
The configuration on the switch is also very simple: ports 1 to 4 are trunk ports, where VLAN 1 is untagged and the other VLANs are tagged; the rest of the ports are access ports. The top row is VLAN 110 as untagged and nothing else, they get 192.168.81.x/24 IPs; the bottom row is VLAN 130 as untagged and nothing else, they get 192.168.80.x/24 IPs.
All the PCs on the access ports of the same VLAN/network can send traffic to each other without going to the router, as they should, but any device that is connected to the trunk port and is set to use, let's say, VLAN 110 with a 192.168.81.x IP should be able to send traffic to the other PCs of the same VLAN and network that are connected to the access ports without going to the router, but it does not: it goes to the router. It does not show on tracert, but CPU usage fires up and I can see the traffic on the VLAN interface. Proxmox VMs do this, and if I connect any Windows PC to the trunk port and set Windows to use VLAN 110 on the NIC, it gets the correct IP but it also has the same problem: instead of going directly to the PC on the access port, the traffic goes to the router, then it returns to the switch.

I have no idea what the issue could be, as this should work.
/interface bridge
add admin-mac= auto-mac=no ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Modem
set [ find default-name=ether2 ] name=ether2-DVR
set [ find default-name=ether3 ] name=ether3-Switch
set [ find default-name=ether4 ] name=ether4-CPE
set [ find default-name=ether5 ] name=ether5-EAP
set [ find default-name=sfp1 ] disabled=yes name=sfp1-Switch
/interface vlan
add interface=bridge name=vlan1-Empleados vlan-id=110
add interface=bridge name=vlan3-Ventas vlan-id=130
add interface=bridge name=vlan4-Servicio vlan-id=140
/ip pool
add name=admin ranges=192.168.90.50-192.168.90.254
add name=ventas-pool ranges=192.168.80.30-192.168.80.254
add name=empleados-pool ranges=192.168.81.10-192.168.81.254
add name=servicio-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=admin interface=bridge name=Admin
add address-pool=empleados-pool interface=vlan1-Empleados name=Empleados
add address-pool=ventas-pool interface=vlan3-Ventas name=Ventas
add address-pool=servicio-pool interface=vlan4-Servicio name=Servicio
/ip address
add address=192.168.90.1/24 comment=Admin interface=bridge network=192.168.90.0
add address=192.168.88.1/24 comment=Servicio interface=vlan4-Servicio network=192.168.88.0
add address=192.168.80.1/24 comment=Ventas interface=vlan3-Ventas network=192.168.80.0
add address=192.168.81.1/24 comment=Empleados interface=vlan1-Empleados network=192.168.81.0
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2-DVR
add bridge=bridge ingress-filtering=no interface=ether3-Switch
add bridge=bridge ingress-filtering=no interface=ether4-CPE
add bridge=bridge ingress-filtering=no interface=ether5-EAP
add bridge=bridge ingress-filtering=no interface=sfp1-Switch
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4-CPE,ether5-EAP,ether3-Switch vlan-ids=\
    110,130,140
/interface list member
add interface=bridge list=LAN
add interface=ether1-Modem list=WAN
add interface=vlan1-Empleados list=LAN
add interface=vlan3-Ventas list=LAN
add interface=vlan4-Servicio list=LAN
/ip dhcp-server network
add address=192.168.80.0/24 boot-file-name=efi/snponly.efi comment=Ventas gateway=192.168.80.1 next-server=\
    192.168.88.2
add address=192.168.81.0/24 comment=Empleados gateway=192.168.81.1
add address=192.168.87.0/27 comment="Ventas Gaming" gateway=192.168.87.1 netmask=24
add address=192.168.88.0/24 boot-file-name=efi/snponly.efi comment=Servicio gateway=192.168.88.1 next-server=\
    192.168.88.2
add address=192.168.90.0/24 comment=Admin gateway=192.168.90.1 next-server=192.168.88.2

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Sat Aug 06, 2022 2:10 pm
by anav
Don't mix apples and oranges, which means keep all subnets off the bridge and use VLANs, and more specifically do NOT use vlan1 for data. As stated, it's the default VLAN working in the background, so leave it alone to do that work and let the bridge do bridging and not anything else, and it works smoothly.

You need to ensure all smart devices that can read VLAN tags (CPE, both switches and EAP) get their IP address (manually set is usually better) on the same subnet as the management or base or Trusted subnet. If you post the complete config, the rest can be completed...
/interface bridge
add admin-mac= auto-mac=no ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Modem
set [ find default-name=ether2 ] name=ether2-DVR
set [ find default-name=ether3 ] name=ether3-Switch
set [ find default-name=ether4 ] name=ether4-CPE
set [ find default-name=ether5 ] name=ether5-EAP
set [ find default-name=sfp1 ] disabled=yes name=sfp1-Switch
/interface vlan
[b]add interface=bridge name=vlan-home vlan-id=20[/b]
add interface=bridge name=vlan1-Empleados vlan-id=110
add interface=bridge name=vlan3-Ventas vlan-id=130
add interface=bridge name=vlan4-Servicio vlan-id=140
/ip pool
[b]add name=admin ranges=192.168.90.50-192.168.90.254[/b]
add name=ventas-pool ranges=192.168.80.30-192.168.80.254
add name=empleados-pool ranges=192.168.81.10-192.168.81.254
add name=servicio-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
[b]add address-pool=admin interface=vlan-home name=Admin[/b]
add address-pool=empleados-pool interface=vlan1-Empleados name=Empleados
add address-pool=ventas-pool interface=vlan3-Ventas name=Ventas
add address-pool=servicio-pool interface=vlan4-Servicio name=Servicio
/ip address
[b]add address=192.168.90.1/24 comment=Admin interface=vlan-home network=192.168.90.0[/b]
add address=192.168.88.1/24 comment=Servicio interface=vlan4-Servicio network=192.168.88.0
add address=192.168.80.1/24 comment=Ventas interface=vlan3-Ventas network=192.168.80.0
add address=192.168.81.1/24 comment=Empleados interface=vlan1-Empleados network=192.168.81.0
/interface bridge port
[b]add bridge=bridge ingress-filtering=yes interface=ether2-DVR pvid=20 frame-types=admit-priority-and-untagged
add bridge=bridge ingress-filtering=yes interface=ether3-Switch frame-types=admit-only-vlan-tagged
add bridge=bridge ingress-filtering=yes interface=ether4-CPE frame-types=admit-only-vlan-tagged
add bridge=bridge ingress-filtering=yes interface=ether5-EAP frame-types=admit-only-vlan-tagged
add bridge=bridge ingress-filtering=yes interface=sfp1-Switch frame-types=admit-only-vlan-tagged[/b]
/interface bridge vlan
[b]add bridge=bridge tagged=bridge,ether3-Switch,ether4-CPE,ether5-EAP,sfp1-Switch vlan-ids=110,130,140
add bridge=bridge tagged=bridge,ether3-Switch,ether4-CPE,ether5-EAP,sfp1-Switch untagged=ether2-DVR vlan-ids=20[/b]
/interface list member
add interface=ether1-Modem list=WAN
add interface=vlan1-Empleados list=LAN
add interface=vlan3-Ventas list=LAN
add interface=vlan4-Servicio list=LAN
[b]add interface=vlan-home list=LAN
add interface=vlan-home list=TRUSTED[/b]
/ip dhcp-server network
add address=192.168.80.0/24 boot-file-name=efi/snponly.efi comment=Ventas gateway=192.168.80.1 next-server=\
    192.168.88.2
add address=192.168.81.0/24 comment=Empleados gateway=192.168.81.1
add address=192.168.87.0/27 comment="Ventas Gaming" gateway=192.168.87.1 netmask=24
add address=192.168.88.0/24 boot-file-name=efi/snponly.efi comment=Servicio gateway=192.168.88.1 next-server=\
    192.168.88.2
add address=192.168.90.0/24 comment=Admin gateway=192.168.90.1 next-server=192.168.88.2
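The difference between the two configs above is the bridge-port hardening (ingress-filtering=yes, frame-types restricted per port, every VLAN tagged towards the bridge itself). As an added example that is not from this thread or from MikroTik, the following script parses the bridge-related sections of a RouterOS export and reports the settings anav's version changes: VLAN filtering off, ports that accept frames whose VID is not in the bridge VLAN table, ports that admit untagged frames into their pvid, bridge VLAN rows that reference non-member ports, and `/interface vlan` entries on the bridge whose VID is never tagged to the bridge (so the router's own IP on that VLAN is unreachable). The parser (`parse_export`) and the sample export are constructed for this illustration; the sample mirrors the original post's config but VLAN 200 is deliberately left untagged towards the bridge so that check fires.

```python
"""Lint the bridge-VLAN sections of a RouterOS /export.

Added illustration, not MikroTik's or the thread's code. parse_export is a
hypothetical minimal parser: 'add key=value' rows, quoted values and the
trailing-backslash line wrapping that /export produces."""
import re

KV_RE = re.compile(r'([\w.-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section: [row, ...]}; each row is a dict of key=value plus '_verb'."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # wrapped row continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line:
            continue
        if line.startswith("/"):           # section header, e.g. '/interface bridge port'
            section = line
            sections.setdefault(section, [])
            continue
        if section is None:
            continue
        verb, _, rest = line.partition(" ")
        row = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        row["_verb"] = verb
        sections[section].append(row)
    return sections


def expand_ids(spec):
    """'110,130,140' or '100-105,200' -> set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def lint_bridge_vlans(text):
    """Return a list of findings (strings) about VLAN enforcement on every bridge."""
    cfg = parse_export(text)

    def rows(sec):
        return [r for r in cfg.get(sec, []) if r["_verb"] == "add"]

    bridges = {b["name"]: b for b in rows("/interface bridge")}
    ports = rows("/interface bridge port")
    member_ports = {p["interface"] for p in ports}
    findings = []

    for name, br in bridges.items():
        if br.get("vlan-filtering") != "yes":
            findings.append(f"{name}: vlan-filtering is off, the bridge VLAN table is not enforced")

    cpu_tagged = {}  # bridge name -> VIDs carried tagged to the CPU (bridge listed in tagged=)
    for row in rows("/interface bridge vlan"):
        ids = expand_ids(row["vlan-ids"])
        tagged = [m for m in row.get("tagged", "").split(",") if m]
        untagged = [m for m in row.get("untagged", "").split(",") if m]
        if row["bridge"] in tagged:
            cpu_tagged.setdefault(row["bridge"], set()).update(ids)
        for m in tagged + untagged:
            if m != row["bridge"] and m not in member_ports:
                findings.append(f"vlan-ids {row['vlan-ids']}: {m} is listed but is not a bridge port")

    for v in rows("/interface vlan"):
        br, vid = v["interface"], int(v["vlan-id"])
        if br in bridges and vid not in cpu_tagged.get(br, set()):
            findings.append(f"{v['name']}: vlan-id {vid} is not tagged towards {br} "
                            f"in /interface bridge vlan, so the router itself never sees it")

    for p in ports:
        if bridges.get(p["bridge"], {}).get("vlan-filtering") != "yes":
            continue                        # nothing is enforced on this bridge anyway
        if p.get("ingress-filtering") == "no":
            findings.append(f"{p['interface']}: ingress-filtering=no, frames whose VID is "
                            f"missing from the bridge VLAN table are still accepted")
        if p.get("frame-types", "admit-all") == "admit-all":
            findings.append(f"{p['interface']}: frame-types=admit-all, untagged frames are "
                            f"placed in pvid {p.get('pvid', '1')}")
    return findings


# Constructed sample modelled on the original post; VLAN 200 is intentionally not tagged to the bridge.
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac= auto-mac=no ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan1-Empleados vlan-id=110
add interface=bridge name=vlan3-Ventas vlan-id=130
add interface=bridge name=vlan4-Servicio vlan-id=140
add interface=bridge name=vlan5-GamingVentas vlan-id=200
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2-DVR
add bridge=bridge ingress-filtering=no interface=ether3-Switch
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4-CPE
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4-CPE,ether3-Switch vlan-ids=\\
    110,130,140
add bridge=bridge tagged=ether4-CPE vlan-ids=200
"""

if __name__ == "__main__":
    for finding in lint_bridge_vlans(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real `/export` saved to a file (`lint_bridge_vlans(open("export.rsc").read())`). The ingress-filtering check only fires on an explicit `ingress-filtering=no`, because the default for that parameter depends on the RouterOS version; `frame-types` defaults to `admit-all` on both v6 and v7, so an absent value is reported.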

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Sat Aug 06, 2022 6:23 pm
by shivansps
I didn't post the complete config because it is quite complicated, as I have a hotspot and an L2TP server, WAN failover, and lots of firewall rules for port forwarding as well... But here it is.
The sfp1 is not used; I realised that on the RB760 the SFP port is half speed, so using a regular ethernet port is faster.
/interface bridge
add admin-mac=C4:AD:34:F2:8C:C6 auto-mac=no ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Modem
set [ find default-name=ether2 ] name=ether2-DVR
set [ find default-name=ether3 ] name=ether3-Switch
set [ find default-name=ether4 ] name=ether4-CPE
set [ find default-name=ether5 ] name=ether5-EAP
set [ find default-name=sfp1 ] disabled=yes name=sfp1-Switch
/interface vlan
add interface=bridge name=vlan1-Empleados vlan-id=110
add interface=bridge name=vlan2-Clientes vlan-id=120
add interface=bridge name=vlan3-Ventas vlan-id=130
add interface=bridge name=vlan4-Servicio vlan-id=140
add interface=bridge name=vlan5-GamingVentas vlan-id=200
add interface=bridge name=vlan6-RMA vlan-id=150
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=CPE_VLANS
add name=BloqueoRMAWIFI
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=10.5.50.1 html-directory=flash/hotspot login-by=http-chap name=Clientes rate-limit=5M/50M
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip pool
add name=admin ranges=192.168.90.50-192.168.90.254
add name=clientes-pool ranges=10.5.50.2-10.5.50.254
add name=ventas-pool ranges=192.168.80.30-192.168.80.254
add name=empleados-pool ranges=192.168.81.10-192.168.81.254
add name=servicio-pool ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.82.2-192.168.82.254
add name=rma-pool ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=admin interface=bridge name=Admin
add address-pool=clientes-pool interface=vlan2-Clientes lease-time=1h name=Clientes
add address-pool=empleados-pool interface=vlan1-Empleados name=Empleados
add address-pool=ventas-pool interface=vlan3-Ventas name=Ventas
add address-pool=servicio-pool interface=vlan4-Servicio name=Servicio
add address-pool=rma-pool interface=vlan6-RMA name=Rma-Wifi
/ip hotspot
add address-pool=clientes-pool disabled=no interface=vlan2-Clientes name=Clientes profile=Clientes
/ip hotspot user profile
set [ find default=yes ] address-pool=clientes-pool name=vip rate-limit=10M/100M shared-users=30 transparent-proxy=\
    yes
add address-pool=clientes-pool idle-timeout=1h mac-cookie-timeout=6h name=clientes rate-limit=256k/2M shared-users=\
    200 transparent-proxy=yes
/ipv6 dhcp-server
add address-pool=pool1 interface=vlan4-Servicio lease-time=1d name=server1
/ipv6 pool
add name=pool1 prefix-length=16
/port
set 0 name=serial0
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.82.1 name=VPN remote-address=vpn-pool use-encryption=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy=\
    local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2-DVR
add bridge=bridge ingress-filtering=no interface=ether3-Switch
add bridge=bridge ingress-filtering=no interface=ether4-CPE
add bridge=bridge ingress-filtering=no interface=ether5-EAP
add bridge=bridge ingress-filtering=no interface=sfp1-Switch
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="VLANS DEPOSITO" tagged=bridge,ether4-CPE,ether5-EAP,ether3-Switch vlan-ids=\
    110,120,130,140,150
add bridge=bridge comment="VLANS GAMING" tagged=bridge,ether4-CPE vlan-ids=200
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=VPN enabled=yes use-ipsec=yes
/interface list member
add interface=bridge list=LAN
add interface=ether1-Modem list=WAN
add interface=vlan1-Empleados list=LAN
add interface=vlan2-Clientes list=LAN
add interface=vlan3-Ventas list=LAN
add interface=vlan4-Servicio list=LAN
add interface=vlan5-GamingVentas list=LAN
add interface=vlan5-GamingVentas list=CPE_VLANS
add interface=vlan6-RMA list=LAN
add interface=vlan1-Empleados list=BloqueoRMAWIFI
add interface=vlan2-Clientes list=BloqueoRMAWIFI
add interface=vlan3-Ventas list=BloqueoRMAWIFI
add interface=vlan4-Servicio list=BloqueoRMAWIFI
add interface=vlan5-GamingVentas list=BloqueoRMAWIFI
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.90.1/24 comment=Admin interface=bridge network=192.168.90.0
add address=192.168.88.1/24 comment=Servicio interface=vlan4-Servicio network=192.168.88.0
add address=192.168.80.1/24 comment=Ventas interface=vlan3-Ventas network=192.168.80.0
add address=192.168.81.1/24 comment=Empleados interface=vlan1-Empleados network=192.168.81.0
add address=10.5.50.1/24 comment=Clientes interface=vlan2-Clientes network=10.5.50.0
add address=192.168.83.1/24 comment="Control de Puerta" interface=vlan1-Empleados network=192.168.83.0
add address=192.168.89.1/24 comment=RMA interface=vlan6-RMA network=192.168.89.0
/ip dhcp-client
add add-default-route=no comment=CLARO interface=ether1-Modem script=":local newgw [ip dhcp-client get [find interface\
    =\"ether1-Modem\"] gateway];\r\
    \n:local routegw [/ip route get [find comment=\"FAILOVER WAN0\"] gateway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"FAILOVER WAN0\"] gateway=\$newgw;\r\
    \n}"
add add-default-route=no comment="BACKUP POR CPE" interface=vlan5-GamingVentas
/ip dhcp-server lease
add address=192.168.90.2 client-id=1:b0:95:75:e6:f3:fa comment="Switch TP-LINK" mac-address=B0:95:75:E6:F3:FA server=\
    Admin
add address=192.168.90.3 client-id=1:d8:47:32:3f:74:76 comment=EAP mac-address=D8:47:32:3F:74:76 server=Admin
add address=192.168.90.4 client-id=1:b0:95:75:1:16:bc comment=CPE_DEPOSITO mac-address=B0:95:75:01:16:BC server=Admin
add address=192.168.90.5 client-id=1:3c:84:6a:7f:35:ae comment=CPE_Gaming mac-address=3C:84:6A:7F:35:AE server=Admin
/ip dhcp-server network
add address=10.5.50.0/24 comment=Clientes gateway=10.5.50.1
add address=192.168.80.0/24 boot-file-name=efi/snponly.efi comment=Ventas gateway=192.168.80.1 next-server=\
    192.168.88.2
add address=192.168.81.0/24 comment=Empleados gateway=192.168.81.1
add address=192.168.83.0/24 comment="Control de Puerta" gateway=192.168.83.1 netmask=24
add address=192.168.84.0/24 comment="Empleados Gaming" gateway=192.168.84.1 netmask=24
add address=192.168.87.0/27 comment="Ventas Gaming" gateway=192.168.87.1 netmask=24
add address=192.168.88.0/24 boot-file-name=efi/snponly.efi comment=Servicio gateway=192.168.88.1 next-server=\
    192.168.88.2
add address=192.168.89.0/24 comment="RMA WIFI" gateway=192.168.89.1 netmask=24 next-server=192.168.80.2
add address=192.168.90.0/24 comment=Admin gateway=192.168.90.1 next-server=192.168.88.2
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.90.1 comment=defconf name=router.lan
add address=192.168.88.2 disabled=yes name=server
add address=192.168.88.3 disabled=yes name=server
/ip firewall filter
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp src-address=!186.12.155.255
add action=drop chain=forward comment="Bloqueo RMA-WIFI" in-interface=vlan6-RMA out-interface-list=BloqueoRMAWIFI
add action=accept chain=input comment=VPN dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes in-interface=!vlan2-Clientes in-interface-list=!CPE_VLANS out-interface=!vlan2-Clientes \
    out-interface-list=!CPE_VLANS
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid in-interface-list=!CPE_VLANS \
    out-interface-list=!CPE_VLANS
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=passthrough chain=prerouting in-interface-list=CPE_VLANS
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=WAN ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
add name=vip
add name=gaming-city profile=clientes
/ip hotspot walled-garden
*snip*
/ip proxy
set anonymous=yes enabled=yes port=9300
/ip proxy access
add src-address=192.168.82.1
add src-address=192.168.88.193
add src-address=192.168.82.10
/ip route
add comment="FAILOVER WAN0" disabled=no distance=1 dst-address=8.8.4.4/32 gateway=181.239.136.1 pref-src="" \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add comment="FAILOVER WAN1" disabled=no distance=1 dst-address=1.1.1.1/32 gateway=192.168.87.1 pref-src=0.0.0.0 \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=11
add comment="VPN SALVADOR" disabled=no distance=1 dst-address=192.168.85.0/24 gateway=192.168.82.2 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=11
add comment="VPN SAN ISIDRO" disabled=no dst-address=192.168.75.0/24 gateway=192.168.82.15 routing-table=main \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.84.0/24 gateway=192.168.90.9 pref-src=0.0.0.0 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=30
add disabled=no distance=50 dst-address=192.168.87.0/24 gateway=192.168.82.9 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=30
add disabled=no distance=1 dst-address=192.168.87.0/24 gateway=192.168.90.9 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=30
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=186.12.155.255/32,192.168.90.0/24,181.47.81.212/32,192.168.88.0/24,192.168.82.2/32
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=vlan4-Servicio type=internal
add interface=ether1-Modem type=external
/ppp secret
*snip*
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user-manager
set certificate=*0
So what you are saying is that I should change VLAN 1 for VLAN 20 and tag everything, even the admin VLAN network (192.168.90.0). The reason why I didn't do that initially is that I have some consumer hardware on it that does not support an admin VLAN. I'm looking forward to fixing that and doing it properly.
But does that really change the functionality of all VLANs? I thought it was a best practice due to security. I'm not really using VLAN 1 for anything but to access the configuration on switches, access points and CPE; there are no other devices on it and I only use VLAN 1 for administration, all the devices on it connect to a VLAN to transfer data.

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Sat Aug 06, 2022 7:55 pm
by sindy
Please ignore the advice to avoid VLAN 1. The rationale behind that advice is that rumor has it that some equipment uses it in a special way. I'd love to see an example of such an equipment, where this "special treatment of VLAN 1" would not be just a result of a misconfiguration/misunderstanding.

To your actual issue, let me rephrase what you wrote to check if I understood it properly: if you send a frame tagged with VLAN 110, carrying an IP packet with destination address of a device connected to an access port of VLAN 110 on the TP-link switch, through a trunk port of the TP-link, it somehow reaches the Mikrotik router rather than being switched to the destination access port directly by the TP-link.

I could admit something to be wrong in the router configuration - namely, the router would have to respond with its own MAC address to ARP requests for any IP addresses within 192.168.81.0/24 (which lives in VLAN 110). But nothing in the configuration suggests this and, more important, this would have to have the same effect on frames sent from one access port to another.

I could also imagine the server to actually send the packets for 192.168.81.0/24 from another VLAN interface (and thus source address) than expected, i.e. via the gateway (the Mikrotik) rather than directly to the destination MAC address. But if it was the case, traceroute should show a routing hop, and you say it doesn't.

The possibility that the TP-link configuration has some port-horizon configured, causing frames that ingress via the trunk port to be only allowed to egress to the Mikrotik, is also unlikely as if it was like that, in order that they could reach their destination, the Mikrotik would have to forward such frames through the same port through which it has received them, which is not how bridges normally work.

So the first step should be to open a command line window as wide as your screen allows, sniff the traffic on the Mikrotik interface using /tool sniffer quick interface=ether3-switch ip-address=ip.of.destination.host ip-protocol=icmp, and ping the ip.of.destination.host from the VM running on the proxmox. Before doing that, you have to disable "hardware accelerated forwarding" on ether3-switch: /interface bridge port set [find interface=ether3-switch] hw=no.

What makes me cautious is that the diagram says "VM in VLAN 110: 192.168.88.2", whereas the configuration export says that 192.168.81.0/24 lives in VLAN 110. So maybe the request makes it to the PC at 192.168.81.x, but since the PC responds to 192.168.88.2, it sends the response via the Mikrotik?
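The last hypothesis above, and Buckeye's later remark that PCs must be in the same VLAN *and* the same IP subnet, both come down to the on-link decision every host makes independently from its own address and prefix. The following is an added illustration, not code from this thread: it models one request/reply pair between a PC on a VLAN 110 access port and a VM behind the trunk, and classifies each leg as switched (stays on the TP-Link), routed (handed to the Mikrotik), or unreachable. The hosts are constructed; `ROUTER_GATEWAYS` holds the router's VLAN addresses from the export posted earlier. ARP timing and proxy-arp are deliberately out of scope.

```python
"""Which leg of a ping stays on the switch and which one goes through the router.

Added illustration, not code from the thread. Models only the on-link test each
host applies to the destination using its own prefix, plus whether the host's
gateway address actually exists inside the VLAN the host is tagged into."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface

# Router-side addresses per VLAN, taken from the /ip address section of the export.
ROUTER_GATEWAYS = {110: "192.168.81.1", 130: "192.168.80.1", 140: "192.168.88.1"}


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int       # VLAN the host's frames travel in (access-port PVID or tag set on the NIC)
    addr: str       # address/prefix configured on the host, e.g. "192.168.81.20/24"
    gateway: str

    @property
    def ip(self):
        return str(ip_interface(self.addr).ip)


def next_hop(host, dst_ip):
    """('direct', dst_ip) if dst_ip is inside the host's own prefix, else ('gateway', gw)."""
    if ip_address(dst_ip) in ip_interface(host.addr).network:
        return ("direct", dst_ip)
    return ("gateway", host.gateway)


def leg(src, dst, gateways=ROUTER_GATEWAYS):
    """One direction src -> dst.

    'switched'            : on-link and same VLAN, the switch forwards it without the router
    'unreachable'         : on-link by prefix, but the ARP broadcast never leaves src's VLAN
    'routed'              : off-link, frame goes to the router's MAC in src's VLAN
    'gateway-unreachable' : off-link, but the configured gateway does not live in src's VLAN
    """
    kind, hop = next_hop(src, dst.ip)
    if kind == "direct":
        return "switched" if src.vlan == dst.vlan else "unreachable"
    return "routed" if gateways.get(src.vlan) == hop else "gateway-unreachable"


def exchange(a, b):
    """Request and reply are decided independently by each end, so they can differ."""
    return {"request": leg(a, b), "reply": leg(b, a)}


# Constructed hosts: a PC on an access port of VLAN 110 and three variants of the VM on the trunk.
PC = Host("pc-on-access-port", 110, "192.168.81.20/24", "192.168.81.1")
VM_OK = Host("vm-tagged-110", 110, "192.168.81.5/24", "192.168.81.1")
VM_MISMATCH = Host("vm-tagged-110-88-address", 110, "192.168.88.2/24", "192.168.88.1")  # as in the diagram
VM_WRONG_VLAN = Host("vm-tagged-140", 140, "192.168.81.5/24", "192.168.81.1")

if __name__ == "__main__":
    for vm in (VM_OK, VM_MISMATCH, VM_WRONG_VLAN):
        print(f"{vm.name:28} {exchange(vm, PC)}")
```

The mismatched case is the one the post wonders about: the PC's reply to 192.168.88.2 is off-link for the PC, so it is sent to 192.168.81.1 and shows up on the router even though the request, if it arrived at all, was switched. Because only the reply is routed, traceroute from the VM shows no extra hop, which matches what the original poster observed.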

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Sat Aug 06, 2022 10:37 pm
by anav
In terms of vlan1, that was due to the fact that he named the VLAN vlan1 but is not actually using vlan-id=1, so all is good.
He is in fact using the default vlan1 transparently as the bridge VLAN, and I don't mix VLANs on and off the bridge; I put them all off the bridge and just let the bridge do bridging... personal preference.

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Sat Aug 06, 2022 10:59 pm
by Buckeye
This is likely a switch configuration issue, but I wanted to ask here as maybe I have a bad configuration on the router.
You should be able to determine if the problem is the switch configuration by disconnecting the trunk link from the switch to ether3 (and sfp1, but your configuration shows this as disabled). In other words, disconnect the TP-Link switch from the hEX S, and verify that the switch configuration is correct.

With the hEX disconnected, standard PCs using untagged ethernet traffic that are connected to access ports in the same VLAN and in the same IP subnet should be able to communicate with each other. This assumes that the Windows firewall isn't blocking traffic from other devices on the same subnet, and that the PCs are configured with static IP addresses, or still have valid DHCP leases since you won't have a connection to a DHCP server (although if the PCs still have active DHCP leases, and haven't lost connection to the switch, they will continue to use the IP address they already have).

If that works, specifically for devices in VLAN 110 (subnet 192.168.88.0/24), then if the Proxmox server is on tagged VLAN 110, these same PCs should be able to communicate with the Proxmox server as well, without any involvement of a router. If that does not work, then you need to troubleshoot the switching problem first.

Once that's done, come back if you can't get this to work. But I would recommend using v7.4 on the hEX S if you are using vlan-filtering, since hardware support was added in v7.1rc5 for the MediaTek MT7621A's integrated switch ASIC. And there have been other bridge-related fixes since v7.1rc5.

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Sat Aug 06, 2022 11:07 pm
by Buckeye
In terms of vlan1, that was due to the fact that he named the VLAN vlan1 but is not actually using vlan-id=1, so all is good.
I concur that the naming leads to confusion. I generally try to use VLAN names that correspond to the VLAN ID, and I also like to use the third octet to correspond to the VLAN ID (if possible).

For example, for subnet 192.168.88.0/24 I would use VLAN ID 88 and the VLAN name vlan88-Empleados. That doesn't affect the way things work in any way, but it makes it much easier to understand (especially for other people coming in after the fact). And the easier it is to understand, the less likely someone will make a wrong assumption.

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Sun Aug 07, 2022 7:47 pm
by shivansps
Please ignore the advice to avoid VLAN 1. The rationale behind that advice is that rumor has it that some equipment uses it in a special way. I'd love to see an example of such an equipment, where this "special treatment of VLAN 1" would not be just a result of a misconfiguration/misunderstanding.

To your actual issue, let me rephrase what you wrote to check if I understood it properly: if you send a frame tagged with VLAN 110, carrying an IP packet with destination address of a device connected to an access port of VLAN 110 on the TP-link switch, through a trunk port of the TP-link, it somehow reaches the Mikrotik router rather than being switched to the destination access port directly by the TP-link.

I could admit something to be wrong in the router configuration - namely, the router would have to respond with its own MAC address to ARP requests for any IP addresses within 192.168.81.0/24 (which lives in VLAN 110). But nothing in the configuration suggests this and, more important, this would have to have the same effect on frames sent from one access port to another.

I could also imagine the server to actually send the packets for 192.168.81.0/24 from another VLAN interface (and thus source address) than expected, i.e. via the gateway (the Mikrotik) rather than directly to the destination MAC address. But if it was the case, traceroute should show a routing hop, and you say it doesn't.

The possibility that the TP-link configuration has some port-horizon configured, causing frames that ingress via the trunk port to be only allowed to egress to the Mikrotik, is also unlikely as if it was like that, in order that they could reach their destination, the Mikrotik would have to forward such frames through the same port through which it has received them, which is not how bridges normally work.

So the first step should be to open a command line window as wide as your screen allows, sniff the traffic on the Mikrotik interface using /tool sniffer quick interface=ether3-switch ip-address=ip.of.destination.host ip-protocol=icmp, and ping the ip.of.destination.host from the VM running on the proxmox. Before doing that, you have to disable "hardware accelerated forwarding" on ether3-switch: /interface bridge port set [find interface=ether3-switch] hw=no.

What makes me cautious is that the diagram says "VM in VLAN 110: 192.168.88.2", whereas the configuration export says that 192.168.81.0/24 lives in VLAN 110. So maybe the request makes it to the PC at 192.168.81.x, but since the PC responds to 192.168.88.2, it sends the response via the Mikrotik?
When I made the diagram I didn't have the VLAN IDs at hand for the correct networks. As was already said here, I should have named them with the ID to avoid confusion. Note that I didn't list all of them either, as I was trying to make it simpler and clearer. Here is the correct information along with the router and switch configuration.
In short, it is as you say: PCs on access ports of the same network/VLAN can send traffic directly to each other, but anything going from the switch trunk port with that VLAN as tagged to the switch access port for that VLAN goes to the router first for no apparent reason.
[Images: router and switch configuration screenshots; one is labelled VLAN140]

I suspect it has to do with this, since I don't know how to use L3 features.
[Image]

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Sun Aug 07, 2022 8:20 pm
by sindy
1. no point in quoting the complete post.
2. please use the sniffer as I've suggested in my previous post. There must be something special about the packets that go via the Mikrotik.
3. L3 routing on the TP-link can only work if you set up an IP interface with an attached IP address and subnet on it in every VLAN in which you want L3 to be handled by the TP-link, and configure these addresses as the gateways in the respective subnets/VLANs. I.e. the TP-link will act as a router itself and handle the inter-VLAN traffic locally, which means you will not be able to use firewall rules etc. on the Mikrotik for it.

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Sun Aug 07, 2022 11:55 pm
by Buckeye
ssh into your TP-Link switch, log in, type enable (to enter privileged EXEC mode), which will change the prompt to "#", then make sure your running and startup config are the same (at the # prompt, use the command copy running-config startup-config), then use the command show startup-config and continue pressing the space bar until you get back to the # prompt. Then copy the config from your scroll-back buffer to the clipboard and paste it into an editor (like Notepad), remove the lines that start with user name and see if there is any other "sensitive info"; then, once satisfied, copy it into a code block in a follow-up post. Then we can see if there are any obvious configuration errors.

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Mon Aug 08, 2022 12:03 am
by Buckeye
Also make 100% sure that the ports are in the same arrangement as they show up in the GUI. I have a TP-SG2008v3 8-port "JetStream" and the display in the GUI shows ports 1..8, but looking at the actual RJ45 ports, they are 8..1 (poor UI design).

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Mon Aug 08, 2022 12:14 am
by Buckeye
It appears you have 12 things connected to the switch (from the yellow and blue dots next to the ports in the GUI).

When you post the startup-config, can you also let us know what port(s) are connected to the RB760iGS (are you using the SFP still or not)? Why does it appear that there is a connection to port 28 of the switch?

Did you configure the pvid of the ports on the switch? (the startup-config will tell us).

Is this your first time using VLANs? Or at least the first time using VLANs with the TP-Link switch?

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Mon Aug 08, 2022 2:15 am
by anav
I have a multi-WAN hookup on an MT router with connections to D-Link and TP-Link switches and other MT devices, all using VLANs; works great.
If I get some time and patience I will look at your scenario.

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Mon Aug 08, 2022 5:34 pm
by shivansps
I'll be away for the week, so I'll be doing the sniff when I get back. Thanks for your reply.
It appears you have 12 things connected to the switch (from the yellow and green dots next to the ports in the GUI).

When you post the startup-config, can you also let us know what port(s) are connected to the RB760iGS (are you using the SFP still or not)? Why does it appear that there is a connection to port 28 of the switch?

Did you configure the pvid of the ports on the switch? (the startup-config will tell us).

Is this your first time using VLANs? Or at least the first time using VLANs with the TP-Link switch?
The configuration I pasted on viewtopic.php?t=188213#p950289 is pretty much complete; I only removed the L2TP users, some firewall port forwarding rules and some of the hotspot config.

There are more than 12 things connected, it's just that some of them were powered off at the moment I took the screenshot.
I'm not using SFP from the router; the SFP you see in the switch GUI is connected to an old broken 3Com smart switch that does not load the configuration after reboot, so it is working as an unmanaged switch, so port 28 is just configured as an access port for VLAN 110; all the VoIP stuff is connected there.
And yeah, I checked the port configuration as well.

I started learning VLANs when I started to use Mikrotik routers a few years ago, and I never noticed issues until now. For example, I know that it is best practice not to use untagged outside of access ports; right now the router is configured to have 4 trunk ports where all the VLANs are tagged but VLAN 1 is still there as untagged. I know it should not be VLAN 1 and everything should be tagged on the trunk port, but as far as I know that is just a security thing, as I'm using VLAN 1 as the admin VLAN, which is considered a bad thing to do.
Then I have one EAP with different WiFi networks for each VLAN that is connected directly to the router for two reasons: one, its use is primarily internet, and two, I wanted to block WiFi access to some internal IPs/ports of the same network. The CPE is also connected to the router for the same reason.
So I was not using the four ports on the switch that are configured as trunk (with the same configuration as the router) for anything else than connecting to the router, and the router was just giving access ports for the VLANs; PCs on the same VLAN were able to send data to each other directly, and everything I wanted to go to the router for firewall rules is connected to the router directly.

It was not until now, when I connected something else on another trunk port on the switch, that I noticed this weird behaviour. And it's not the Proxmox server: for example, if I connect any PC there I first get a 192.168.90.x IP because that's the untagged VLAN of the trunk port, ID 1; then I go to the NIC driver and set for example VLAN ID 140, and I get the correct 192.168.88.x IP. I expect to be able to send data directly to PCs on access ports for VLAN 140 without going outside the switch, but no, it goes to the router without giving me a tracert hop; it's really weird. It's almost as if the switch is sending all tagged traffic to its gateway or something.

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Mon Aug 08, 2022 5:55 pm
by sindy
The configuration I pasted on viewtopic.php?t=188213#p950289 is pretty much complete
It is, but it is a configuration of the Mikrotik, and @Buckeye asked for a configuration of the TP-link :) (and explained how to obtain it in concise text form).

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Mon Aug 08, 2022 10:59 pm
by anav
EDIT: why do you have the bridge handing out DHCP etc.? Keep it to bridging only and use a separate management VLAN.

Just looking at the hEX for now.
Once I have a handle on how CPE fits in and where, then I can tackle the tp link switch.

(1) Missing IP pool for this VLAN: vlan5-GamingVentas vlan-id=200
/ip pool
add name=admin ranges=192.168.90.50-192.168.90.254
add name=clientes-pool ranges=10.5.50.2-10.5.50.254
add name=ventas-pool ranges=192.168.80.30-192.168.80.254
add name=empleados-pool ranges=192.168.81.10-192.168.81.254
add name=servicio-pool ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.82.2-192.168.82.254
add name=rma-pool ranges=192.168.89.2-192.168.89.254

add name=gv-pool ranges=192.168.87.10-192.168.87.254

(2) Same missing issue with the DHCP server and IP address.
Spoiling the broth is the fact that you do have an entry for dhcp-server network. LOL

(3) Remove the bridge as a member of the interface list LAN; what is key is that all the VLANs are identified as members of LAN.
/interface list member
add interface=bridge list=LAN


(4) I should go back and read what this CPE is; I thought it was some device attached to the 24-port TP-Link switch?
Very confused as to what the role of the RB760 is. I thought it was the public-facing device getting WAN?
/ip dhcp-client
add add-default-route=no comment=CLARO interface=ether1-Modem script=":local newgw [ip dhcp-client get [find interface\
=\"ether1-Modem\"] gateway];\r\
\n:local routegw [/ip route get [find comment=\"FAILOVER WAN0\"] gateway ];\r\
\n:if (\$newgw != \$routegw) do={\r\
\n /ip route set [find comment=\"FAILOVER WAN0\"] gateway=\$newgw;\r\
\n}"
add add-default-route=no comment="BACKUP POR CPE" interface=vlan5-GamingVentas

(5) This rule I find a bit disconcerting security-wise, and so needlessly complex it's almost funny:
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp src-address=!186.12.155.255

A roundabout way of simply saying "I want traffic from 186.12.155.255 to be able to reach my Winbox from the WAN side."
This is a security no-no!
Access to Winbox should be from the LAN side, and if you want to remotely configure the router then VPN into the router and then access Winbox.
Typically what one will see is an input chain rule allowing a management VLAN or admin access to the destination port (be it Winbox or perhaps SSH), while the rest of the user VLANs
only get access to required services, normally DNS and sometimes NTP, which some smart devices also use.

(6) Overall the rules are in decent shape, and some minor tweaking and organization will help. Put all the input chain rules together and then all the forward chain rules together, and the obvious will fall out.

Recommend something like:
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=VPN dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input in-interface-list=Manage dst-port=winboxport protocol=tcp   
add action=accept chain=input in-interface-list=LAN  dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN  dst-port=53 protocol=udp
add action=drop chain=input comment="Drop all else"
{Forward Chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes in-interface=!vlan2-Clientes in-interface-list=!CPE_VLANS out-interface=!vlan2-Clientes \
    out-interface-list=!CPE_VLANS
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Bloqueo RMA-WIFI" in-interface=vlan6-RMA out-interface-list=BloqueoRMAWIFI
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

Note 1:
I left this rule as is because I have never seen one like it and I'm not sure one cannot have separate in-interfaces and interface lists selected; a neat arrangement though, if possible. I am also not really mangle-savvy, nor on the relationship between that and the fasttrack rule etc.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
hw-offload=yes in-interface=!vlan2-Clientes in-interface-list=!CPE_VLANS out-interface=!vlan2-Clientes \
out-interface-list=!CPE_VLANS


Note 2: For the management VLAN and access on the input chain you need to create a Manage interface list entry:
add interface=vlan90-Admin list=Manage (after you create vlan90, which is very fast to do)


(7) I personally never put my Winbox info in a config for public consumption, especially if it's a public IP you are giving access to!
Same with the Winbox port number, and I do change it from the default.
/ip service
set winbox address=
..................

(8) MAC alone is not secure, and thus the following should be in the form:
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=Manage

Neighbour discovery should also be set to interface-list=Manage.

Can you confirm all managed devices (switches etc.) have an IP address on the vlan1 subnet?? EDIT: I see it's NOT VLAN 1 but the bridge subnet, which I would change to vlan10-admin.
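Review points (1) and (2) above are the kind of thing that is easy to miss by eye in a long export: a VLAN interface that exists but has no matching bridge VLAN entry, no address, no pool or no DHCP server. The script below is an added example, not anything from the thread or from MikroTik: it parses the "add ..." lines of a RouterOS export and reports, per /interface vlan, which of those pieces is missing. The sample export embedded in it is constructed (interface names, pool names and vlan-id 200 being half-configured are assumptions chosen to mirror the review points), and the parser deliberately skips lines it cannot tokenise, such as scripts with embedded quotes.

```python
"""Consistency check of a RouterOS export (added example, not MikroTik code).

For every /interface vlan it verifies that the vlan-id is present in
/interface bridge vlan, that the interface has an /ip address, that an
/ip dhcp-server exists for it whose address-pool is defined, and that
each of its subnets has an /ip dhcp-server network entry.
"""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample export: vlan-id 200 is deliberately left half-configured
# (no bridge VLAN entry, no address, pool gv-pool referenced but not defined).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan3-Ventas vlan-id=130
add interface=bridge name=vlan5-GamingVentas vlan-id=200
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3-switch vlan-ids=130
/ip pool
add name=ventas-pool ranges=192.168.80.30-192.168.80.254
/ip dhcp-server
add address-pool=ventas-pool interface=vlan3-Ventas name=ventas
add address-pool=gv-pool interface=vlan5-GamingVentas name=gv
/ip dhcp-server network
add address=192.168.80.0/24 gateway=192.168.80.1
add address=192.168.87.0/24 gateway=192.168.87.1
/ip address
add address=192.168.80.1/24 interface=vlan3-Ventas
"""


def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} for the add/set lines of an export."""
    sections = defaultdict(list)
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):            # RouterOS wraps long lines with a trailing backslash
            buf += line[:-1]
            continue
        line = (buf + line.strip()).strip()
        buf = ""
        if not line:
            continue
        if line.startswith("/"):           # section header such as "/ip dhcp-server network"
            section = line
            continue
        try:
            words = shlex.split(line)
        except ValueError:                 # e.g. multi-line quoted scripts; not needed here
            continue
        if section and words and words[0] in ("add", "set"):
            entry = {}
            for w in words[1:]:
                k, _, v = w.partition("=")
                entry[k] = v
            sections[section].append(entry)
    return sections


def check_vlans(text):
    """Return a list of (vlan interface name, problem) in discovery order."""
    cfg = parse_export(text)
    problems = []

    bridge_vids = set()
    for e in cfg["/interface bridge vlan"]:
        for part in e.get("vlan-ids", "").split(","):
            if "-" in part:                # vlan-ids=100-110 style ranges
                lo, hi = part.split("-")
                bridge_vids.update(range(int(lo), int(hi) + 1))
            elif part:
                bridge_vids.add(int(part))
    pools = {e["name"] for e in cfg["/ip pool"] if "name" in e}
    dhcp_nets = [ipaddress.ip_network(e["address"])
                 for e in cfg["/ip dhcp-server network"] if "address" in e]
    addrs = defaultdict(list)
    for e in cfg["/ip address"]:
        if "address" in e and "interface" in e:
            addrs[e["interface"]].append(ipaddress.ip_interface(e["address"]))
    servers = {e["interface"]: e for e in cfg["/ip dhcp-server"] if "interface" in e}

    for v in cfg["/interface vlan"]:
        name, vid = v.get("name"), int(v.get("vlan-id", 0))
        if vid not in bridge_vids:
            problems.append((name, f"vlan-id {vid} missing from /interface bridge vlan"))
        if name not in addrs:
            problems.append((name, "no /ip address on this interface"))
        srv = servers.get(name)
        if srv is None:
            problems.append((name, "no /ip dhcp-server on this interface"))
        elif srv.get("address-pool") not in pools:
            problems.append((name, f"dhcp pool {srv.get('address-pool')!r} does not exist"))
        for a in addrs.get(name, []):
            if a.network not in dhcp_nets:
                problems.append((name, f"no /ip dhcp-server network for {a.network}"))
    return problems


if __name__ == "__main__":
    for name, problem in check_vlans(SAMPLE_EXPORT):
        print(f"{name}: {problem}")
```

Run it against your own "/export" output by replacing SAMPLE_EXPORT with the file contents; vlan3-Ventas comes back clean and vlan5-GamingVentas gets three findings.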

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Mon Aug 08, 2022 11:07 pm
by anav
Okay, you do have a management subnet .90.x and you attached it to the bridge. WHY?
Create VLAN 90, and then you can correct my error in thinking it was VLAN 1 as the trusted subnet,
and replace vlan1 with vlan-admin on the previous page.

This is not an issue if you have devices on the hEX that need VLAN 90;
then you untag those ports. Simple.
The rest of the trunk ports include vlan-admin (id=90), like the one to the frigging TP-Link switch!

As stated previously, I have my multi-WAN MT router hooked up to various vendors' switches, NO BRIDGE DHCP, all VLANs, including a trusted VLAN.

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Wed Aug 10, 2022 3:05 am
by Buckeye
The diagram is ambiguous.
There are some lines going to the RB760iGS (the light blue ones) that I assume are supposed to be indicating how you think the traffic is flowing? You show black lines that I assumed were the physical links, but you then stated that you also have things connected to the ports in the RB760iGS, and that you evidently want the RB760iGS to do some type of firewalling (at layer 2).
If you are not using a version of ROS > 7.1rc5 (and probably in reality something higher, since there have been other bridge VLAN-related fixes), then, since you have vlan-filtering turned on and multiple ports on the RB760iGS that are members of the VLAN, if you are running any version of 6 all the layer 2 bridging/switching is being done in software by the CPU. So until you tell us what version of ROS is in use, trying to troubleshoot is all guessing. But if you are using v7.4 (for example) and the vlan-filtering bridge, then the CPU will not be able to do any filtering, because the CPU won't see those packets. I see that there are switch features available on some switch chips that can provide port isolation, and that may be able to do what you want. In fact your TP-Link switch may have port isolation capability.

Then in post #14 you state:
Then i have one EAP with diferent wifi networks for each vlan that is connected directly to the router for two reasons, one the use is primary internet and two i wanted to block wifi access to some internal ips/ports of the same network. The CPE is also connected to the router for the same reason.
So i was not using the four ports on the switch that are configured as trunk (with the same configuration as the router) for anything else than conecting to the router and the router was just giving access ports for the vlans, pcs on the same vlan were able to send data to each other directly and everything i wanted to go to the router for firewall rules is connected to the router directly.
So you are wanting to use the firewall to block things on the same layer 2 network?

Perhaps you should follow @anav's general suggestion to start by stating what your requirements are. Otherwise, we will be playing 20 questions and whack-a-mole for the next two weeks (or more likely, people trying to help will move on to other threads that have a more organized problem description).

Re: RB760iGS + TP-Link Smart Switch, traffic from VLANs on trunk port to access port go the router first

Posted: Wed Aug 17, 2022 8:38 pm
by shivansps
In a few months I will be moving to a new place and I'm going to build the network from zero, including configuration, so I'm going to do it properly this time. Thanks for your recommendations.

As for my problem, this is silly, but I figured out what the problem was: it was not the router or switch, it was Windows. I did a test on Linux and I realised this wasn't happening; the reason is SMB multichannel. The file server I was trying to read from actually has two NICs and two IPs, 192.168.88.x and 192.168.80.x, and I completely forgot about that. I was copying from 192.168.88.x but SMB was transferring from both IPs at the same time. The traffic I was seeing in the router was from the NIC on the other network.

I had firewall rules in place to stop this (the 88 network PCs should not be able to access the file server using the 80 network, which also stops SMB multichannel from working like this), but it seems that I removed the rules at some point and completely forgot about it.
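The sniffer step suggested earlier in the thread would have shown this directly: the packets reaching the router were not same-subnet traffic that the switch failed to forward, but 192.168.80.x to 192.168.88.x traffic that the router was legitimately routing. The script below is an added example (not code from the thread) of the sorting one would do on such a capture: each packet is classified as addressed to the router itself, as inter-VLAN traffic between two of the router's subnets, or as same-subnet unicast, which should never reach the router and is the symptom the thread started from. The two subnets are the ones named in the thread; the interface names, the router's .1 addresses and the capture itself are constructed assumptions.

```python
"""Classify packets seen on the router's VLAN interfaces (added example).

Same-subnet unicast between two hosts should stay inside the switch; if it
shows up in a sniffer on the router it points at a switching problem.
Traffic whose source and destination lie in different router subnets is
routed traffic, which is what SMB multichannel over a second NIC produces.
"""
import ipaddress
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "iface src dst proto")

# Subnets quoted in the thread; interface names and router addresses are assumed.
VLAN_SUBNETS = {
    "vlan3-Ventas": ipaddress.ip_network("192.168.80.0/24"),
    "vlan4-Servicio": ipaddress.ip_network("192.168.88.0/24"),
}
ROUTER_ADDRS = {ipaddress.ip_address("192.168.80.1"),
                ipaddress.ip_address("192.168.88.1")}

# Constructed capture, simplified to the fields that matter for the verdict.
SAMPLE_CAPTURE = [
    Packet("vlan4-Servicio", "192.168.88.50", "192.168.88.1", "icmp"),   # ping to the router
    Packet("vlan4-Servicio", "192.168.88.50", "192.168.88.10", "tcp"),   # same-subnet unicast
    Packet("vlan3-Ventas", "192.168.80.20", "192.168.88.50", "tcp"),     # server's 80 NIC -> client
    Packet("vlan4-Servicio", "192.168.88.50", "192.168.80.20", "tcp"),   # client -> server's 80 NIC
]


def vlan_of(addr):
    """Name of the VLAN interface whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in VLAN_SUBNETS.items():
        if ip in net:
            return name
    return None


def classify(pkt):
    """Return a verdict string for one packet."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst in ROUTER_ADDRS:
        return "to-router"                       # expected: the router is the target
    src_vlan, dst_vlan = vlan_of(pkt.src), vlan_of(pkt.dst)
    if src_vlan is None or dst_vlan is None:
        return "other"                           # e.g. Internet-bound traffic
    if dst == VLAN_SUBNETS[dst_vlan].broadcast_address:
        return f"broadcast: {dst_vlan}"          # expected: the router is a member of the subnet
    if src_vlan == dst_vlan:
        # Unicast between two hosts of one subnet must not reach the router.
        return f"same-vlan: {src_vlan}"
    return f"inter-vlan: {src_vlan} -> {dst_vlan}"   # routed; firewall rules apply here


def summarize(capture):
    """Count verdicts over a capture so the unexpected class stands out."""
    return Counter(classify(p) for p in capture)


if __name__ == "__main__":
    for p in SAMPLE_CAPTURE:
        print(f"{p.iface:15} {p.src:>15} -> {p.dst:<15} {classify(p)}")
    print(dict(summarize(SAMPLE_CAPTURE)))
```

In the thread's case the capture would contain only the inter-VLAN class (the file server's second NIC talking across subnets) and none of the same-vlan class, which is what rules the switch out; an input/forward rule blocking 192.168.88.0/24 from reaching the file server's 192.168.80.x address is what the last post describes having removed.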