I have an RB4011 running RouterOS 6.47. It has a VLAN-filtered LAN bridge called “bridge” with three VLANs: 2, 13, and 14. It has been working for many months with ether2 and “bridge” as a tagged trunk ports for all three VLANs and ether4-ether8,ether10 as untagged access ports for VLAN2. This week I decided change ether7-ether8 into untagged access ports for VLAN14 instead.
But when I made the changes, RouterOS presented me with a puzzling warning/error message in red (WinBox), apparently related to the /interface bridge vlan entry with vlan-ids=14:
“# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry”. I don’t understand what the message means, or how I should work around it.
I think I need to specify pvid=14 to configure incoming untagged packets through ether7-ether8 into VLAN14. In any case, you can’t add an /interface bridge port without a PVID (at least not in WinBox). I’ve tried leaving untagged=ether7,ether8 out of the /interface bridge vlan engry for vlan-ids=14 (on the theory that pvid=14 dynamically adds the port to the /interface bridve vlan entry with vlan-ids=14), but the puzzling message remains.
What am I doing wrong? What should I do differently, and why?
I can’t remove it. In /interface bridge port, Winbox requires a decimal number as pvid even if frame-types=admit-only-vlan-tagged. I could give it a bogus VLAN id like 999 instead, but I can’t imagine how that would help.
I tried what erlinden suggested: changing the pvid of ether2 to 1, allowing all ingress frame types on ether2, and disabling ingress filtering on ether2. I think that’s a superset of anav’s suggestion as well. I also changed the pvid of the “bridge” (CPU) port to 1, following the same theory. The warning/error message remains.
Thanks, everyone, for looking at this. After reading your suggestions carefully and then reverting to my prior working configuration and moving forward in baby steps I found the problem(s).
What I learned is that if you have a port in a VLAN-filtered bridge whose ingress “frame-types” is “admit-only-untagged-and-priority-tagged” (a pure access port), then you should/must not mention that port in any /interface bridge vlan entries (because it will be dynamically added to the “current-untagged” list of the /interface bridge vlan entry of its pvid). On the other hand, if you have a port in a VLAN-filtered bridge whose ingress “frame-types” is “admit-only-vlan-tagged” (a pure trunk port), you should set its pvid to 1.
In order to get dynamic assignments to “current-untagged” to work properly, I sometimes had first to move a port to pvid 1 and “Apply” before moving it to the pvid I wanted for it.
Here are the same parts of my new configuration, which doesn’t generate an error/warning. Note that the /interface bridge vlan entries don’t mention any untagged ports.
Well that might be the mechanics,
But basically the Bridge Port settings are the INGRESS setttings.
Here you must put a pvid for access ports, but not for trunk ports
Here on typically uses admin priority and untagged frames for access ports, and ingress filtering for trunk ports.
Bridge VLAN settings are the egress settings…
In bridge vlan settings, trunk ports are always tagged for a specific VLANID and access ports are entered as UNTAGGED for specific vlan ids.
(I typically dont put ingress settings on my access ports but not sure why or why not is better)
In other words, your config is not quite right…
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=4,5,6,10 vlan-ids=2
add bridge=bridge tagged=bridge,ether2 untagged=7,8 vlan-ids=14
add bridge=bridge tagged=bridge,ether2 vlan-ids=13
Following anav’s suggestion, for my access ports (etherx with /interface bridge port frame-type=“admin-only-untagged-and-priority-tagged”), in addition to giving them valid pvid values I also added them in /interface bridge vlan untagged lists. And indeed the warning/error message did not reappear and all the interfaces and VLANs seem to work correctly. Thanks, anav!
My current speculation is that while reconfiguring the router in Winbox a few days ago I passed through a transient configuration that posted the warning/error message, and that for some reason when I shortly thereafter arrived at a correct configuration RouterOS did not cancel the warning/error message. I suspect that if I had rebooted the router at that point, the warning/error message would have disappeared. What finally made it disappear for me without a reboot was temporarily to set the access port pvid’s to 1, “Apply”, and then set them to their correct values and “Apply” again. A major puzzle has turned into a minor puzzle, and I’m turning my attention elsewhere now.
You have to set PVID explicitly on /interface bridge port … if it’s not set, then device doesn’t tag frames on ingress. In theory a particular port could be untagged member of multiple VLANs which would work just fine on egress (switch can strip 802.1q frames from any VLAN) but there would be confusion about which VLAN should be added for untagged ingress frame … setting PVID solves this problem.
It’s only commodity that it is optional to include port as untagged in /interface bridge vlan section (it gets added automatically), but for configuration readability I still prefer to do it manually (automatically added port does not show in exported config and can thus confuse innocent reader).
What you call “old school” and “new school” is actually all “new school”, “old school” was to use bridge as dumb (VLAN non-aware) switch and set VLAN stuff via /interface ethernet switch configuration subtree. Which might even be available on RB4011, but doesn’t work as switch chip, built in RB4011, does not support VLANs when used under ROS.
As to your original problem: the config looks completely valid. However (this happened to some forum users before): it might be that there’s some configuration lurking behind the scene not shown in config export, but still blocking new config to happen properly. Those users had to perform factory reset of their units and re-configure. I’m not sure if restoring from binary backup would do, copy-paste from exported ASCII file helps.
Thanks, mkx. I edited my prior post without having seen your reply to it. Oops! You’re absolutely right: for an access port both setting the interface pvid and listing the interface as an untagged member of the VLAN is the clearest expression of what’s going on.