zlowred
just joined
Topic Author
Posts: 7
Joined: Sat May 11, 2024 2:47 pm

VLANs leaking behind a switch?

Thu Nov 28, 2024 6:33 pm

Posting in the beginner area, as I am a newbie, so hopefully the fix is easy. Please ignore missing firewalls etc, this is an experimental setup and I want to make sure the current part works before I continue.
So I got RouterOS 17.16.1 installed on x86 hardware acting as a router, plus a CRS309-1G-8S+ switch.
Router config:
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan12 vlan-id=12
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=12
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether4
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 untagged=ether1,ether2,ether3 vlan-ids=10-12
/ip service
set ssh disabled=no
set www disabled=no
set winbox disabled=no
/ipv6 address
add address=2a02:aaaa:bbbb:10:: interface=vlan10
add address=2a02:aaaa:bbbb:11:: interface=vlan11
add address=2a02:aaaa:bbbb:12:: interface=vlan12
/ipv6 dhcp-client
add add-default-route=yes interface=ether5 request=address 
/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes hop-limit=64 interface=bridge managed-address-configuration=yes mtu=1500 other-configuration=yes
add advertise-dns=no hop-limit=64 interface=ether1 other-configuration=yes
add advertise-dns=no hop-limit=64 interface=ether2 other-configuration=yes
add advertise-dns=no hop-limit=64 interface=ether3 other-configuration=yes
/ipv6 nd prefix
add interface=ether1 prefix=2a02:aaaa:bbbb:10::/64
add interface=ether2 prefix=2a02:aaaa:bbbb:11::/64
add interface=ether3 prefix=2a02:aaaa:bbbb:12::/64
/tool romon
set enabled=yes
Switch config:
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=12
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether4
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge untagged=ether1,ether2,ether3 vlan-ids=10-12
/tool romon
set enabled=yes
Router and Switch are connected via the ether4 port on both devices, which acts as a trunk.

My ISP has allocated a static /48 IPv6 prefix, and I want each of VLANs 10, 11 and 12 to have its own /64 IPv6 subnet.
I have tried to plug several different devices (Linux and MacOS) into the respective ports on my router, and everything works exactly as I expect (e.g. a device plugged into the ether2 port gets a 2a02:aaaa:bbbb:11:ab:cd:ef/64 IPv6 address).
But plugging the same device into any port on my switch results in the device getting 3 IPv6 addresses (not counting link-local ones), one from each range I defined, e.g. 2a02:aaaa:bbbb:10:aa:bb:cc/64, 2a02:aaaa:bbbb:11:dd:ee:ff/64 and 2a02:aaaa:bbbb:12:ii:jj:kk/64.

How can I make devices connected to the switch get only the IPv6 addresses they are supposed to?

Thanks!
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs leaking behind a switch?  [SOLVED]

Thu Nov 28, 2024 6:47 pm

ASSUMING VLAN10 is the trusted VLAN where all managed devices should get their IP address from!!

On Router

1. MINOR
From:
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=12
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether4


TO:
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=11
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=12
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4 comment="trunk to switch"


2. Major.....
From:
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 untagged=ether1,ether2,ether3 vlan-ids=10-12
TO:
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 untagged=ether1 vlan-ids=10
add bridge=bridge tagged=bridge,ether4 untagged=ether2 vlan-ids=11
add bridge=bridge tagged=bridge,ether4 untagged=ether3 vlan-ids=12


On Switch

3. From
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=12
add bridge=bridge comment=trunk frame-types=admit-only-vlan-tagged interface=ether4


TO:
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=11
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=12
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4 comment="trunk to router"


4. From:
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge untagged=ether1,ether2,ether3 vlan-ids=10-12


TO: ( only trusted vlan is tagged for bridge )
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 untagged=ether1 vlan-ids=10
add bridge=bridge tagged=ether4 untagged=ether2 vlan-ids=11
add bridge=bridge tagged=ether4 untagged=ether3 vlan-ids=12
 
zlowred
just joined
Topic Author
Posts: 7
Joined: Sat May 11, 2024 2:47 pm

Re: VLANs leaking behind a switch?

Thu Nov 28, 2024 7:29 pm

Thanks anav,

ingress-filtering=yes is the default [at least in the current RouterOS version], which is why it isn't there. I have added it to my config to make it explicit. I have also updated the trunk-related comments, as it is clearer that way.
I do not have trusted/untrusted VLANs for now, as this is an experimental setup that is not going to be really used, but following your advice to split the one /interface bridge vlan config line into 3 distinct lines helped to resolve the issue, and it also makes total sense now that I see it from the new perspective. Appreciate your help.

Now, I got a stretch question if you don't mind.

Assume I have a WiFi access point that is not VLAN aware, connected to let's say ether2 on Switch. I want to use switch rules on Mikrotik to separate Trusted and Guest devices to different VLANs based on their MAC addresses [I know this is a bad security practice, but this is the hardware I have; consider it a convenience not security] by assigning Trusted devices to let's say VLAN 13.
That will make the respective part of the Switch config to look like this:
/interface bridge vlan
add bridge=bridge tagged=ether4 untagged=ether2 vlan-ids=11
add bridge=bridge tagged=ether4 untagged=ether2 vlan-ids=13

/interface ethernet switch rule
add new-vlan-id=13 ports=ether2 src-mac-address=11:11:11:11:11:11/FF:FF:FF:FF:FF:FF switch=switch1
add new-vlan-id=13 ports=ether2 src-mac-address=22:22:22:22:22:22/FF:FF:FF:FF:FF:FF switch=switch1
That will in turn make both Trusted and Guest devices receive IPv6 addresses with both the 11 and 13 prefixes, similar to the original issue, but now we actually need two VLANs on the same port.

Is there a proper way to configure this?
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs leaking behind a switch?

Thu Nov 28, 2024 7:44 pm

Beyond my scope of knowledge sorry! Hopefully someone else will chime in.
 
zlowred
just joined
Topic Author
Posts: 7
Joined: Sat May 11, 2024 2:47 pm

Re: VLANs leaking behind a switch?

Fri Nov 29, 2024 11:18 pm

I didn't manage to get IPv6 addresses not leaking across VLANs when using SLAAC to assign addresses. I ended up creating dhcpd6 containers for every VLAN, and those would assign addresses correctly even when there are several VLANs assigned on an access port.
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANs leaking behind a switch?

Sat Nov 30, 2024 10:43 am

I didn't manage to get IPv6 addresses not leaking across VLANs when using SLAAC to assign addresses.

Did you fix the switch VLAN settings according to @anav's instructions?

If a port is an untagged member of multiple VLANs, then broadcasts of all those VLANs will egress through that port (and be untagged on the way). And router advertisements (RAs), an instrumental part of SLAAC, are broadcast. It's normal for a host which receives RAs for multiple IPv6 prefixes to end up configured with multiple IPv6 addresses from all those prefixes.

And after you fix the switch config, hosts will keep being configured with those stray IPv6 addresses for quite a while; that is as per the IPv6 standards as well. You can get rid of those by disabling (and re-enabling) IPv6 on those hosts ... or by restarting the hosts.
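As an added check (not code from this thread, from MikroTik, or from either poster), the script below parses the `/interface bridge vlan` section of a RouterOS export and reports every port that is an untagged member of more than one VLAN, which is exactly the condition anav's split entries remove and the reason mkx gives for the multiple RAs. The two embedded samples are the thread's original switch table and the corrected one; function names are my own, and the parser handles `vlan-ids` ranges and comma lists generally, not just `10-12`.

```python
import re
from collections import defaultdict

# Constructed samples: the thread's original switch VLAN table (one entry
# covering 10-12) beside the corrected per-VLAN entries from anav's reply.
LEAKY = """\
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge untagged=ether1,ether2,ether3 vlan-ids=10-12
"""
FIXED = """\
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 untagged=ether1 vlan-ids=10
add bridge=bridge tagged=ether4 untagged=ether2 vlan-ids=11
add bridge=bridge tagged=ether4 untagged=ether3 vlan-ids=12
"""

def expand_vlan_ids(spec):
    """Expand a RouterOS vlan-ids value such as '10-12' or '10,20-22' into a set."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def untagged_membership(export):
    """Map each port to the set of VLANs in which it is an untagged member."""
    members = defaultdict(set)
    in_section = False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):            # a new export section begins
            in_section = line == "/interface bridge vlan"
            continue
        if not in_section or not line.startswith("add "):
            continue
        # key=value pairs; values may be quoted (e.g. comment="trunk to router")
        kv = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
        if "untagged" not in kv or "vlan-ids" not in kv:
            continue
        for port in kv["untagged"].split(","):
            members[port] |= expand_vlan_ids(kv["vlan-ids"])
    return dict(members)

def leaking_ports(export):
    """Ports untagged in more than one VLAN: every such VLAN's RAs egress there untagged."""
    return {p: sorted(v) for p, v in untagged_membership(export).items() if len(v) > 1}

if __name__ == "__main__":
    print("leaky:", leaking_ports(LEAKY))   # ether1..ether3 each in [10, 11, 12]
    print("fixed:", leaking_ports(FIXED))   # {}
```

The same check flags the later stretch config, where ether2 is untagged in both 11 and 13, which is why SLAAC hands out two prefixes there too.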
 
zlowred
just joined
Topic Author
Posts: 7
Joined: Sat May 11, 2024 2:47 pm

Re: VLANs leaking behind a switch?

Sun Dec 01, 2024 3:26 pm

Yes, I realized that any host on an untagged port will receive multiple RAs when multiple VLANs are configured, but I did not want hosts to receive multiple IPv6 addresses (because subnet isolation won't work in that case), and I still wanted several VLANs untagged on the same port (because my WiFi APs are not VLAN aware).
I solved it by disabling SLAAC address allocation (by setting the M flag and unsetting the A flag) and creating DHCPv6 servers in containers separately for every VLAN. This way every host only gets one IPv6 address.
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANs leaking behind a switch?

Sun Dec 01, 2024 9:56 pm

... and I still wanted several VLANs untagged on the same port (because my WiFi APs are not VLAN aware).
But does this really work for you? Only one VLAN can have bidirectional traffic (single PVID per port).
 
zlowred
just joined
Topic Author
Posts: 7
Joined: Sat May 11, 2024 2:47 pm

Re: VLANs leaking behind a switch?

Sun Dec 01, 2024 9:59 pm

But does this really work for you? Only one VLAN can have bidirectional traffic (single PVID per port).
It does, I use switch rules to assign VLAN tags based on MAC addresses. I understand this is not a security feature and is easy to work around; in my case it is a convenience one without strict security requirements.
