Better way to pass WAN (untagged) to LAN (tagged)?

nemoforum · February 25, 2020, 11:13pm

Hello!

Recently, I’ve found Manual:Layer2 misconfiguration - VLAN in bridge with a physical interface https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#Bridged_VLAN_on_physical_interfaces .
I have the same configuration and would like to make it better. However, the provided solution is not suitable in my case, because it’s impossible to add an interface to more than one bridge.

I have 2 IPs from my ISP: one for my router (hAP ac2) and one for my home server.
I want my server to be connected to LAN as well as connected to the internet directly, using the IP from ISP.
There is only one Ethernet port on the server.

Currently, my working config is:

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan

/interface vlan
add interface=ether2 name=vlan10 vlan-id=10

/interface bridge
add name=br-lan
add name=br-wan protocol-mode=none

/interface bridge port
add bridge=br-lan interface=wlan24
add bridge=br-lan interface=wlan50
add bridge=br-lan hw=no interface=ether2
add bridge=br-lan interface=ether3
add bridge=br-lan interface=ether4
add bridge=br-lan interface=ether5
add bridge=br-wan interface=ether1-wan
add bridge=br-wan interface=vlan10
add bridge=br-lan interface=wlan24.1
add bridge=br-lan interface=wlan50.1

/ip dhcp-client
add disabled=no interface=br-wan use-peer-dns=no use-peer-ntp=no

On the server I have:

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.253  netmask 255.255.255.0  broadcast 10.10.10.255

vlan10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 176.38.50.112  netmask 255.252.0.0  broadcast 176.39.255.255

default         _gateway        0.0.0.0         UG    0      0        0 vlan10
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 enp2s0

Everything works as expected.
One interesting thing I noted is that upload speed on the server is limited to ~170 Mbps, if HW offload is turned on on ether2. With HW offload turned off on ether2, the upload speed is as expected (700+ Mbps).

So, the question is: how to configure the same in the right way?

Sob · February 26, 2020, 12:10am

Why would you want to add any interface to two bridges?

Check this thread: http://forum.mikrotik.com/t/help-with-vlan-setup/137027/1

With bridge VLAN filtering, bridge is used as a way to either configure hardware switch (on some/few devices) or emulate the same behaviour in software. You can then work with different vlans using vlan interfaces on bridge and it automatically takes care about tagging and untagging them on the right ports. It may be confusing at first, because you see WAN ethernet interface bridged with LAN ethernet interface(s) and it looks completely wrong. But it’s the filtering part that makes things separated. It’s actually really nice and simple once you understand it. The only problem is that support for HW offloading is quite limited on many devices. Hopefully it will be fixed in future where possible, but nobody knows when.

nemoforum · February 26, 2020, 8:14am

Sob,
Thank you for your answer. It looks like exactly what I want.
And you are right, adding all interfaces to one bridge is confusing at first look.
I’ll give it a try.
Thanks again!

Sob · February 26, 2020, 10:39am

Check examples in manual:

https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

They are simple and relatively easy to understand. Or there’s also this popular thread:

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

IMHO the most confusing part is that bridge interface can be two things at once. First is interface for configuring the switch (either hardware or software), but also the bridge interface itself can be used as member port of selected vlan (depending on bridge’s pvid).

anav · February 26, 2020, 5:46pm

My limited experience is that its better not to involve bridge in anything beyond moving traffic around/
a. keep its default PVID of 1
b. do not assign any dhcp responsibilities
c. if a management VLAN is required assign it to an unused number 66, 99 etc…

nemoforum · February 26, 2020, 9:32pm

Okay, I got it working with this config (using switch chip, i.e. with HW offload):

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan

/interface vlan
add interface=ether1-wan name=vlan10-wan vlan-id=10

/interface bridge
add name=br protocol-mode=none

/interface bridge port
add bridge=br interface=wlan24
add bridge=br interface=wlan50
add bridge=br interface=ether2
add bridge=br interface=ether3
add bridge=br interface=ether4
add bridge=br interface=ether5
add bridge=br interface=wlan24.1
add bridge=br interface=wlan50.1
add bridge=br interface=ether1-wan

/interface ethernet switch port
set 0 default-vlan-id=10 vlan-mode=secure
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=secure

/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=no ports=ether1-wan,ether2,switch1-cpu switch=switch1 vlan-id=10

I just don’t understand one thing: why vlan10-wan was able to get an IP via DHCP from ISP only when vlan10-wan is on ether1-wan, and not on br?

nemoforum · February 26, 2020, 10:04pm

BTW, I’ve tried the solution suggested by Sob in this post http://forum.mikrotik.com/t/help-with-vlan-setup/137027/1 :

bridge all ports together
bridge itself is your untagged LAN
give PVID 2 to bridge port ether1
add VLAN interface with id 2 on bridge
VLAN interface is your new WAN
configure VLAN assigment on bridge (in Bridge->VLANs), add VLAN 2 as untagged on ether1 and tagged on ether2-5 and bridge
enable bridge VLAN filtering

It’s not clear for me what is “- add VLAN interface with id 2 on bridge”.
I supposed, it’s:

/interface vlan
add interface=bridge name=VLAN vlan-id=2

So, my config is:

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan

/interface bridge
add name=br protocol-mode=none vlan-filtering=yes

/interface bridge port
add bridge=br interface=wlan24
add bridge=br interface=wlan50
add bridge=br interface=ether2
add bridge=br interface=ether3
add bridge=br interface=ether4
add bridge=br interface=ether5
add bridge=br interface=wlan24.1
add bridge=br interface=wlan50.1
add bridge=br interface=ether1-wan pvid=10

/interface vlan
add interface=br name=vlan10-wan vlan-id=10

/interface bridge vlan
add bridge=br tagged=ether2 untagged=ether1-wan vlan-ids=10

I was able to get an IP via DHCP from my ISP on the server.
However, vlan10-wan was unable to get an IP from ISP. Did I miss something?

Sob · February 26, 2020, 11:00pm

I don’t know about hw switch way, I never really used it, except some test long time ago, and it was old switch without vlan support. I don’t know how it coexists with bridge, and I have no device I could test it with.

For the other way you need tagged vlan also on bridge interface, i.e. tagged=ether2,br. It’s the confusing part, here the bridge is used as interface and it needs to know that vlan interface added on top of it can access this tagged vlan.

nemoforum · February 26, 2020, 11:28pm

This:

/interface bridge vlan
add bridge=br tagged=ether2,br untagged=ether1-wan vlan-ids=10

works! Thank you!

Sob · February 27, 2020, 12:18am

Don’t forget to check what it does with speed, if it’s enough.