Software VLAN/Bridge on RouterOS explained.

Software VLAN/Bridge


NB: My first post in this thread uses the old software VLAN bridging. Read the whole thread. I may start over with a new thread :slight_smile:


With this post I will try to explain how VLAN tagging and bridging work within RouterOS.
This is based on software; no hardware switching is used.

Background.
I have for some years tried to see how VLAN works on the 750Gv3, and was very confused.
1. Changes in RouterOS: use of Master Port removed
2. Hardware switch on 750Gv3 does not support VLAN, or maybe it does? (mixed information)

Disclaimer
I may not have understood everything correctly, so if something is wrong or there is a better way to do it, please help out and I will edit the post.
I do not explain the configuration behind it, just show the connections needed to make this work.

Example
5-port switch with integrated Wifi
Example.jpg
Port:

  1. WAN
  2. Trunk port with VLAN 1 untagged and VLANs 20 and 30 tagged
  3. Untagged VLAN 20
  4. Untagged VLAN 1
  5. Q-in-Q: VLANs 40 and 50 are transported over tagged VLAN 30

VLAN

  1. Default home VLAN
  2. Guest VLAN
  3. Neighbor VLAN
  4. Test VLAN
  5. Hotspot VLAN

WLAN

  1. Home_Wifi (Home network)
  2. Guest_Wifi (Guest network)
  3. Hotspot Wifi (uses the MikroTik hotspot function; users can be on the router or on an external RADIUS server)
    This does not explain the hotspot, just shows how it is connected.

RouterOS setup
MikroTik Software VLAN.jpg
Explanation:
Orange/red lines separate the different modules used in RouterOS (configuration pages).
The red line helps to identify whether a Bridge is needed or not.

Information: what the elements on the drawing are:

  • Interface:
    Physical or virtual interfaces,
    Configured GUI: “Interface->Interface” CLI “/interface”
  • Interface/VLAN
    This is where the VLAN tag is added/removed. You only need this part if you want a port to send/receive tagged VLANs.
    Configured GUI: “Interface->VLAN” CLI “/interface vlan”
    Connects only to interfaces and other Interface/VLAN (VLAN tag)
  • Bridge/Port
    This connects the Interface/VLAN tag to the Bridges.
    Only needed if a Bridge is used.
    Configured GUI: “Bridge->Port” CLI “/interface bridge port” (Why this has a different menu structure in the GUI vs the CLI is somewhat strange. It should be the same.)
    Connects Interface or Interface/VLAN (VLAN tag) to a Bridge
  • Bridge
    Used as a hub for connecting multiple things together
    Configured GUI: “Bridge” CLI “/interface bridge” (Why this has a different menu structure in the GUI vs the CLI is somewhat strange. It should be the same.)
    Connects to nothing
  • Function
    These are the various functions used by the network (IP/DHCP/Hotspot)
    Connects to Bridge or Interface/VLAN (VLAN tag) or Interface (physical or virtual)


    Text in red is the label used in RouterOS

VLANs are not used inside RouterOS in the example; they are just added or removed at the port side.
So you can have many different Bridges or networks without using VLANs at all. VLANs are only needed when you want to tag a packet (VLAN tagging).

Do I need a Bridge or not?
That depends on the red line.
If you have more than one port, physical or virtual, that will be using the same network, you need a Bridge.
In the example, you have Homnet (1) on Interface 1, 4 and Home-Wifi, so you need a Bridge.
There is more than one interface connecting lines back through the red line using the same IP/DHCP etc.
VLAN 40 is only used at port 5 (in Q-in-Q over VLAN 30), so here the Bridge is skipped and IP/DHCP is connected to the VLAN tagging of VLAN 40.
If there were a port that did not need a VLAN tag, IP/DHCP could be connected all the way to the physical interface.

VLAN tagging
VLAN tags are added to each interface that needs them through (Interface/VLAN).
If you have several interfaces that need the same VLAN (for example 30), you need one Interface/VLAN tagging for each interface.

Q-in-Q
It is done the same way as VLAN tagging, but instead of connecting Interface/VLAN to a port, connect it to an Interface/VLAN tagging function.
VLAN tags 40 and 50 are both connected to VLAN tag 30. VLAN tag 30 is connected to Port 5.

PS: If you add an IP address to a Bridge, Interface/VLAN (VLAN tag) or Interface (physical or virtual), you will get routing between this network and the other networks you have an IP on. To prevent traffic from one net to another, use firewall rules.

I hope this helps some to understand VLANs/Bridges in RouterOS.
Looking at this from a graphical point of view is a much better way to do it.

Same drawing, but separated per network

VLAN 1
VLAN 30.jpg

VLAN 20
VLAN 20.jpg

VLAN 30
VLAN 1.jpg

VLAN 40
VLAN 50.jpg

VLAN 50
VLAN 40.jpg

@Jotne, I am afraid that using one /interface vlan per each physical interface and VLAN ID and bridging them together is a big waste of CPU resources, plus it doesn’t work with standard MSTP. What you do is (example for three VLANs on each of three ports)
                                      bridge-vlan-10 --- (IP configuration)
ether1 —tagged— vlan-eth1-10 —tagless— |
ether2 —tagged— vlan-eth2-10 —tagless— |
ether3 —tagged— vlan-eth3-10 —tagless— |

                                      bridge-vlan-20 --- (IP configuration)
ether1 —tagged— vlan-eth1-20 —tagless— |
ether2 —tagged— vlan-eth2-20 —tagless— |
ether3 —tagged— vlan-eth3-20 —tagless— |

                                      bridge-vlan-30 --- (IP configuration)
ether1 —tagged— vlan-eth1-30 —tagless— |
ether2 —tagged— vlan-eth2-30 —tagless— |
ether3 —tagged— vlan-eth3-30 —tagless— |
So in total you spend 9 /interface vlan and 3 /interface bridge, and you cannot have hybrid ports because if a physical interface is a member port of a bridge, it cannot at the same time serve as a carrier interface for an /interface vlan.

You can get the same effect the 6.41+ way:
bridge-all-vlans
ether1 ----------------tagged----------------- | —tagged— vlan-10 —tagless— (IP configuration)
ether2 ----------------tagged----------------- | —tagged— vlan-20 —tagless— (IP configuration)
ether3 ----------------tagged----------------- | —tagged— vlan-30 —tagless— (IP configuration)
So you spend just 1 /interface bridge and 3 /interface vlan for the same result, plus you can use MSTP, plus you can specify a pvid (aka default VLAN ID) for each port, so you can use hybrid ports.

Thank you for your feedback. This helps me (and others) to better understand how stuff works :slight_smile:

So if I understand your ASCII art, it should be something like this:

MikroTik Software VLAN Better CPU Vlan1.jpg

And if I would like VLAN 1 untagged on Interfaces 3 and 4, I can not use a Bridge/Port to join Bridge_1 and Bridge_All, so VLAN 1 would need a Bridge/Port to all ports where it's needed. Correct? It looks like Interface/VLAN only adds tagged VLANs, so I can not mix tagged and untagged VLANs in a Bridge.

MikroTik Software VLAN Better CPU.jpg

No. You cannot make a single ether interface a member port of two distinct bridges, so if you want tagless frames from the wire coming from an ether port to get tagged with a particular VID at ingress, you configure that VID as that port’s pvid. It matches the switchport trunk native vlan concept of Cisco.

So if my second ascii-art would be modified so that ether1 uses VID 10 in access (tagless on the wire) mode, ether2 uses VID 20 in access mode, and ether3 uses VID 30 in access mode, and the remaining VLANs out of (10, 20, 30) stay tagged (trunk mode) on each port, the whole configuration would be:

/interface bridge
add name=bridge-all-vlans vlan-filtering=yes pvid=1

/interface bridge port
add bridge=bridge-all-vlans interface=ether1 pvid=10
add bridge=bridge-all-vlans interface=ether2 pvid=20
add bridge=bridge-all-vlans interface=ether3 pvid=30

/interface bridge vlan
add bridge=bridge-all-vlans vlan-ids=10 tagged=bridge-all-vlans,ether2,ether3 untagged=ether1
add bridge=bridge-all-vlans vlan-ids=20 tagged=bridge-all-vlans,ether1,ether3 untagged=ether2
add bridge=bridge-all-vlans vlan-ids=30 tagged=bridge-all-vlans,ether1,ether2 untagged=ether3

/interface vlan
add name=vlan-10 interface=bridge-all-vlans vlan-id=10
add name=vlan-20 interface=bridge-all-vlans vlan-id=20
add name=vlan-30 interface=bridge-all-vlans vlan-id=30

What is different as compared to hardware switches from other vendors is that Mikrotik allows you to have tagless frames on the bridge. If the pvid value set in /interface bridge port row matches the pvid of the /interface bridge itself, the tagless packets coming in via that port are not tagged on ingress and make it tagless to the bridge, so you can attach the IP configuration directly to the /interface bridge itself, not to /interface vlan atop that bridge. Which implies that if a frame tagged with VID X arrives to a port with pvid=Y which is a member of bridge with pvid=X, the frame gets untagged on ingress.

I will try to understand your post, but it will take some time :slight_smile:

Is the first drawing correct according to your ASCII?
Will the second one work? Is it just a better way to do it?

No. My two ASCII-arts were each depicting a different way of implementation. So the lower part of your first drawing is an equivalent of my second one, and the upper part of your first drawing is an augmentation of it by a separate bridge (bridge-1) for a tagless VLAN 1.

Your second drawing contains a conceptual mistake - you cannot make an ethernet port (ether3 and ether4 in your case) simultaneously a member of bridge-all and bridge-1. Each interface can only be a member of a single bridge at a time (unless you put an interface vlan between the interface and the bridge which returns us to my first drawing).

So if I understand correctly, you need to tell two places that a port uses an untagged VLAN.
E.g. VLAN 20

  1. You set PVID 20 for the Bridge/Port connecting ether2 and Bridge_all
  2. Using Bridge/VLAN, add a connection for VLAN 20 to Bridge_all and set VLAN 20 as untagged for ether2

Why do you set PVID=1 for Bridge_all when VLAN 1 is not mentioned anywhere in your whole configuration?

Also, if I convert the working config below, how do I add VLAN1 (Interface/VLAN) pointing to Bridge1 without losing the connection while I do it?


This is the working running config on my 750Gr3.
On port 2 I have a Cisco switch with units on both VLAN 1 and 20, all working.
So even if this is not correct, it does work.
Test1.jpg

Correct. BTW, I’ve just noticed today that the name vlan-filtering is a bit misleading (at least to date), because if you want the port to really filter by VLAN ID, you have to set ingress-filtering in both /interface bridge port and /interface bridge to yes, and you cannot actually set filtering on egress. Which has quite surprised me when analyzing whether some other device uses an individual MAC address table for each VLAN or a common one - I’ve found the Mikrotik to both accept in and forward out an ARP request tagged with a particular VLAN ID through a port on which that VLAN was not permitted. By setting ingress-filtering to yes I could get rid of the loop (STP was intentionally off), but it still means that tagged broadcast frames (e.g. generated internally on /interface vlan) are sent out even via ports on which the VLAN is not permitted.


Mostly to emphasize the interaction between the pvid of the /interface bridge itself and of /interface bridge port. So if you want to avoid surprisingly surprising surprises, make sure that you set the pvid of /interface bridge to a VID which is not used anywhere else :slight_smile: Plus if you don’t specify a pvid, the default is 1 at both places, which makes people here (me included) avoid using VLAN 1 in general.


What is expressly prohibited is

  • to make an interface a direct port of two different bridges,
  • to attach IP configuration to an interface which is a member port of a bridge.

Whether it is OK to make an interface a member port of a bridge and simultaneously an underlying interface of /interface vlan is not clear to me but my feeling is that it may behave funny at some point.

@sindy
Thank you for taking the time to help me with this. :slight_smile:

I am trying again with a new example.
This is more or less the way you describe it. I use only one Bridge, use Bridge/VLAN to handle the tags, and use PVID to tell what is untagged.
The only exception is VLAN1, which is native everywhere without any tag. I could have used tagging and added a Bridge/VLAN for VLAN1, but that makes the transition from the old design to the new one much more complicated, since it will stop data flowing at one point.

So my questions are:

  1. Does it look correct?
  2. Why do we have the possibility to use more than one Bridge, when we can do it all with one?
  3. MikroTik's example here: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN uses multiple Bridges (bridge-vlan200, bridge-vlan300 etc). It's more like my first post. Is this the old way to do it? Also the video on YouTube uses multiple Bridges: https://www.youtube.com/watch?v=sdyWKOXMjwY
  4. What are the pluses and minuses of the two different approaches?
  5. Why does MikroTik not update their pages so we know what to use? I did a Google search for MikroTik and VLAN and this comes up as hit #1.
  6. How to handle Q-in-Q with the Bridge/VLAN solution?
  7. Since I add an IP to a VLAN, it will automatically do routing with other VLANs that have an IP, correct?
  8. Do I need to use the FW to block if I would like to prevent some data from going from one VLAN to another VLAN?

Green lines untagged, red lines tagged.
Not easy to get it all in a single drawing without using 3D layers :slight_smile:
Test 22.08.2018.jpg

Just bear in mind that you’re asking a fellow forum user, not a Mikrotik insider.


Yes, except that, as you’ve found out yourself, it is not easy to mix together in 2D a network topology diagram with configuration item overview where two configuration items need to be set in accord so that a node in the network topology would operate correctly. I’m talking here about the /interface bridge port (interface, pvid) and /interface bridge vlan (untagged,vlan-ids) tuples which have to match so that the magic would happen.

So in other words, I know how it works (or at least I believe so), and therefore I was able to check whether the picture contains everything and the elements are properly linked together. But I am far from sure whether I would be able to understand how it works from this picture if I didn’t know that in advance.


Because Flexibility is Mikrotik’s second name? Basically there is no reason why it should not be possible to use several independent bridges as long as everything is done in software anyway, and in some cases it may prove useful to have several independent bridges with some VLAN IDs existing on more than one bridge without leaking between each other.


It is the old way to do it before VLAN-aware bridging was introduced in 6.41, and it is still possible and in some cases necessary to do it that way. Both old and new ways are documented, so it is a matter of choice.
Youtube videos are a separate category. I may be rude here but while some videos are made by knowledgeable people who want to share the knowledge in a form comprehensible to wider public, it seems to me that at least the same amount of videos is made by people who aren’t able to read and understand more than a few lines of text and are so excited that they have found some way (sometimes an obscure one) how to achieve their goal by try and fail that they feel an urgent need to share that success with the world. And even the good videos remain on youtube years after they’ve become outdated.




  • the old approach is easier to diagram in 2D :slight_smile:
  • the configuration is more compact using the new approach
  • the frame processing should be more efficient using the new approach (no idea whether it is really the case)
  • things like several SSIDs with individual VLAN ID each are much easier to configure using the new approach
  • the new approach allows MSTP to work
  • the old approach gives you higher flexibility in extreme networking cases (QinQinQinQ)


I’m afraid it is not a question for me but for Mikrotik and Google. The most clicked search results get offered higher in the list, which makes them most clicked, which makes them… unless someone actively prevents that.


I’m afraid that this is exactly one of the cases where you have to combine the approaches. Both methods of tagging/untagging (/interface bridge port pvid with /interface bridge vlan on one hand and /interface vlan on the other) handle only one tag at a time (although reportedly, until recently there was a bug removing all tags in a single step).
Here is an example of extreme networking which clearly illustrates where the older approach remains necessary while combining it with the newer one saves some typing and CPU.


To be precise, you don’t add an IP to a VLAN, you add it to an interface whose media layer is incidentally a VLAN. So yes, unless you use firewall rules preventing that, any “connected subnet” (which is any subnet which contains an IP address assigned to a local interface) is included into routing automatically. But here we are getting into the L3 universe, so it is irrelevant whether old or new way of configuring VLANs is used.

Wow, thanks again for your detailed response with a wealth of knowledge.
You are my man :wink:

When posting about VLANs etc., it should be clearly shown whether it's for before 6.41 or after...
I may start a new thread with some good graphical examples, since editing this one may be complicated with all the comments.
If you look at the last drawing, everything should be self-explanatory.
First line: where it's found in GUI/CLI
Text in red: name of the config entry (This also messes with my mind, since some have a name and others do not. E.g. Bridge/Port vs Interface/VLAN)
The rest is connections + info
Also the different paths in the GUI and in the CLI make it more complicated to make good documentation.
E.g. in the GUI you find Interface and Bridges as two different main categories. In the CLI, Bridges are found under Interfaces???


Then the last topic, hardware switching. How does it connect all this together?? (Switch Chip Features)
To make it more complicated, some support it, some do some of it, some not, some may come with support later.
E.g. the 750Gr3 has a switch chip, but does not support VLAN. Somewhere MT informs that it may come later.
The cheap 942-2nd with Atheros 8227 does support switch chip VLAN.

Hopefully MikroTik reads these posts and will try to make documentation better and config more equal everywhere :slight_smile:

You may, but then google will return both and people will get confused again. I’d recommend to edit the original post of this topic with a link to the one which has the most up to date version.


I strongly prefer to split the layers. The first, simpler one should show how it works and how the executive elements are linked together, and another one should add the translation of that information into configuration elements and their parameters. As you cannot post pictures with layers which could be enabled and disabled, I’d post one picture with only the network topology layer and another one with both.


Start reading from here, there is also something regarding the switch chips.

Not easy to post a visible drawing, but I think I can convert the Visio that I am using to a PDF with layers.
I know that PDF does support layers that can be turned on/off.

An animated GIF would drive people crazy when trying to look at it :slight_smile:

Hi

For some reason I do not get an IP on VLAN 20 that I have tagged on port 2.
But when I set vlan-filtering=no, everything works.
Any idea?

None without seeing the configuration export.

Here is the interface configuration (eth3 is used for test only)


/interface bridge
add admin-mac=6C:3B:6B:AA:34:3F auto-mac=no name=Bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
set [ find default-name=ether2 ] name=ether2-Cisco
set [ find default-name=ether4 ] name=ether4-Server1
set [ find default-name=ether5 ] name=ether5-Server2
/interface vlan
add interface=Bridge1 name=Tag20->Bridge1 vlan-id=20
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface bridge port
add bridge=Bridge1 interface=ether3 pvid=20
add bridge=Bridge1 interface=ether4-Server1
add bridge=Bridge1 interface=ether5-Server2
add bridge=Bridge1 interface=ether2-Cisco
/interface bridge vlan
add bridge=Bridge1 tagged=ether2-Cisco untagged=ether3 vlan-ids=20
/interface list member
add interface=Bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4-Server1 list=discover
add interface=ether5-Server2 list=discover
add list=discover
add interface=Bridge1 list=mactel

Got it, in the /interface bridge vlan, the bridge itself must be listed in the tagged list if /interface vlan or anything else on the CPU (like a wireless interface) should have access to the bridge.

So this should be changed from:

/interface bridge vlan
add bridge=Bridge1 tagged=ether2-Cisco untagged=ether3 vlan-ids=20

to:

/interface bridge vlan
add bridge=Bridge1 tagged=ether2-C3560CX,Bridge1 untagged=ether3 vlan-ids=20

And this changed from:

/interface bridge
add admin-mac=6C:3B:6B:AA:34:3F auto-mac=no name=Bridge1 protocol-mode=none

to:

/interface bridge
add admin-mac=6C:3B:6B:88:34:3F auto-mac=no name=Bridge1 protocol-mode=none vlan-filtering=yes

Yes.
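The mismatch found in the last exchange (the bridge missing from the tagged list of its own VLAN) and the /interface bridge port (interface, pvid) vs /interface bridge vlan (untagged, vlan-ids) tuples that sindy says must agree can both be checked mechanically before vlan-filtering is switched on. The following is an added example, not code from this thread or from MikroTik: a small Python checker that parses the `add` rows of an export in the format posted above and flags a port pvid with no matching untagged row, a CPU-side /interface vlan whose bridge is absent from the tagged list, and filtering that is not enabled; both sample exports are constructed for the example, and the default pvid of 1 on bridge and port is taken from the thread.

```python
import re

# Constructed sample in the export format posted in this thread (not a real device's export).
# It reproduces the mistake found above: a CPU-side /interface vlan sits on Bridge1, but Bridge1
# is missing from the tagged list of VLAN 20, so once vlan-filtering=yes the CPU gets no VLAN 20 frames.
BROKEN_EXPORT = """\
/interface bridge
add name=Bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=Bridge1 name=Tag20->Bridge1 vlan-id=20
/interface bridge port
add bridge=Bridge1 interface=ether3 pvid=20
add bridge=Bridge1 interface=ether2-Cisco
/interface bridge vlan
add bridge=Bridge1 tagged=ether2-Cisco untagged=ether3 vlan-ids=20
"""

# Same constructed setup with Bridge1 added to the tagged list and ingress-filtering=yes on the bridge.
FIXED_EXPORT = (BROKEN_EXPORT
    .replace("tagged=ether2-Cisco untagged", "tagged=ether2-Cisco,Bridge1 untagged")
    .replace("vlan-filtering=yes", "vlan-filtering=yes ingress-filtering=yes"))

def parse_export(text):
    """Group the 'add ...' rows of a RouterOS export by menu path: {menu: [{key: value}, ...]}."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            menus[current].append(dict(re.findall(r"(\S+?)=(\S+)", line[4:])))
    return menus

def _members(row, key):
    return set(row.get(key, "").split(",")) - {""}

def _rows_for(vlans, bridge, vid):
    return [v for v in vlans if v.get("bridge") == bridge and vid in v.get("vlan-ids", "").split(",")]

def check_bridge_vlans(menus):
    """Return findings where bridge, port, bridge-vlan and /interface vlan rows do not agree."""
    findings = []
    bridges = {b["name"]: b for b in menus.get("/interface bridge", [])}
    vlans = menus.get("/interface bridge vlan", [])
    for name, b in bridges.items():
        if b.get("vlan-filtering", "no") != "yes":
            findings.append(f"{name}: vlan-filtering=no, the /interface bridge vlan table is not enforced")
        elif b.get("ingress-filtering") != "yes":
            findings.append(f"{name}: ingress-filtering not yes, tagged frames for unpermitted VIDs still get in")
    for p in menus.get("/interface bridge port", []):
        bridge, port, pvid = p.get("bridge"), p.get("interface"), p.get("pvid", "1")  # pvid defaults to 1
        if bridge not in bridges: continue
        if pvid == bridges[bridge].get("pvid", "1"):
            continue  # port pvid equals bridge pvid: tagless frames stay tagless on the bridge, no row needed
        if not any(port in _members(v, "untagged") for v in _rows_for(vlans, bridge, pvid)):
            findings.append(f"{port}: pvid={pvid} but no bridge vlan row lists it as untagged for VLAN {pvid}")
    for cv in menus.get("/interface vlan", []):  # CPU-side VLAN interfaces on top of a bridge
        bridge, vid = cv.get("interface"), cv.get("vlan-id")
        if bridge in bridges and not any(bridge in _members(v, "tagged") for v in _rows_for(vlans, bridge, vid)):
            findings.append(f"{cv['name']}: {bridge} is not in the tagged list for VLAN {vid}, CPU traffic is cut off")
    return findings
```

Run it against `/export` output taken while vlan-filtering is still off, so the rows can be fixed before enabling it cuts off management access.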