Another begginer's VLAN issue, network connection of the "switch"

neki · Tue Mar 12, 2024 9:49 pm

Hi,
can you please look at my config, I'm playing with VLANs and I'm not sure about the next step.

I'm using hAPax3 as a router and L009 as a switch. I made it almost working, but I'm missing connection of the switch itself to network (if that makes sence).

If I try to ping gateway, from the switch, at 10.10.0.1 I get reply, If I try to ping DNS server at 10.20.0.10 I get error that route does not exists (base on that, I think that I'm missing some route

)
So I tried to add route 0.0.0.0/0 with gateway vlan10 and then with bridge1 but as you can guess I was unsuccessful.

Question is, what should I do to get the connection? Because I basically don't have any more interfaces to try.

Switch config:

/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether8 ] poe-out=forced-on

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10

/port
set 0 name=serial0

/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=40
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether8

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether8 vlan-ids=10
add bridge=bridge1 tagged=ether8 vlan-ids=20
add bridge=bridge1 tagged=ether8 vlan-ids=30
add bridge=bridge1 tagged=ether8 vlan-ids=40
add bridge=bridge1 tagged=ether8 vlan-ids=50

/ip address
add address=10.10.0.2/24 interface=vlan10 network=10.10.0.0

/ip dns
set servers=10.20.0.10

neki · Tue Mar 12, 2024 9:50 pm

Router config:

/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes

/interface lte
set [ find default-name=lte1 ] name=LTE

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
add interface=bridge1 name=vlan40 vlan-id=40
add interface=bridge1 name=vlan50 vlan-id=50

/interface pppoe-client
add add-default-route=yes default-route-distance=10 disabled=no interface=\
    ether2 name=VDSL

/interface lte apn
set [ find default=yes ] default-route-distance=20 use-peer-dns=no

/ip pool
add name=pool10 ranges=10.10.0.100-10.10.0.200
add name=pool20 ranges=10.20.0.100-10.20.0.200
add name=pool30 ranges=10.30.0.100-10.30.0.200
add name=pool40 ranges=10.40.0.100-10.40.0.200
add name=pool50 ranges=10.50.0.100-10.50.0.200

/ip dhcp-server
add address-pool=pool10 interface=vlan10 name=server10
add address-pool=pool20 interface=vlan20 name=server20
add address-pool=pool30 interface=vlan30 name=server30
add address-pool=pool40 interface=vlan40 name=server40
add address-pool=pool50 interface=vlan50 name=server50

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1 pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2 pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi3 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi4 pvid=50

/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=10
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=20
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=40
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=50

/ip address
add address=10.10.0.1/24 interface=vlan10 network=10.10.0.0
add address=10.20.0.1/24 interface=vlan20 network=10.20.0.0
add address=10.30.0.1/24 interface=vlan30 network=10.30.0.0
add address=10.40.0.1/24 interface=vlan40 network=10.40.0.0
add address=10.50.0.1/24 interface=vlan50 network=10.50.0.0
add address=192.168.1.2/30 interface=ether2 network=192.168.1.0

/ip dhcp-server network
add address=10.10.0.0/24 dns-server=10.20.0.10 gateway=10.10.0.1 ntp-server=\
    10.10.0.1
add address=10.20.0.0/24 dns-server=10.20.0.10 gateway=10.20.0.1 ntp-server=\
    10.20.0.1
add address=10.30.0.0/24 dns-server=10.20.0.10 gateway=10.30.0.1 ntp-server=\
    10.30.0.1
add address=10.40.0.0/24 dns-server=10.20.0.10 gateway=10.40.0.1 ntp-server=\
    10.40.0.1
add address=10.50.0.0/24 dns-server=10.20.0.10 gateway=10.50.0.1 ntp-server=\
    10.50.0.1

/ip dns
set servers=10.20.0.10

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=VDSL
add action=masquerade chain=srcnat out-interface=LTE

anav · Tue Mar 12, 2024 10:59 pm

Please use this as a basis for setting up vlans on your router.
viewtopic.php?t=143620

The switch is similar but
only need to identify the management vlan and its the only vlan tagged with the bridge on /interface bridge vlan settings!

on both do not invoke any other rules (ingress etc.) ON THE BRIDGE ITSELF, simply turn vlan-filtering on = yes, after finishing the config, last step.

neki · Wed Mar 13, 2024 12:06 am

I did my homework

I red that topic several times actually..

Bridge is working as it should, I believe.. Issue is with the device itself, it is not connected/route is missing..

It has IP on management VLAN and I can connect to it over IP, but then when try to ping, from the switch, anything else then gateway, it fails.

anav · Wed Mar 13, 2024 12:19 am

MT is very forgiving in that it allows you to setup stuff in many ways, and not necessarily the optimal or right way.
As for are reading you missed the fact that your entry is not in the reference.
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes

Dont need ether2 source nat rule, its covered by the VDSL one.

For the switch.

Same issue get rid of frame-types on BRIDGE SETTING itself, you have them correctly stated on the right place /interface bridge ports, however you are missing ingress-filtering=use on all the bidge ports ( both router and switch).

Why not use the NTP server function available on the router???

Add the following to switch
/interface list
add name=MGMT
/interface list members
add interface=vlan10 list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip dns
set allow-remote-requests=yes servers=10.10.0.1
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.0.1 routing-table=main
/system ntp client servers { comment if you elect to use router ntp services }
add address=10.10.0.1

+++++++++++++++++++++++++++++++++++++++++++++++++

Fix the above and see what transpires.

For NTP, set the NTP client on the router to the external sites desired
Set it up as NTP server for the network.
on the input chain make a firewall list of all devices that should be allowed to access NTP time.

neki · Wed Mar 13, 2024 2:31 am

frame-types on both bridges changed to admit-all, anyway official guide which I followed, says admit-only-vlan-tagged DOCS

nat removed

ingress-filtering is and was on, may be its default value, if not changed then not in the config? (I'm using Winbox/GUI)

I'm actually using NTP server on the router, router is also gateway for all the VLANs so I'm using VLAN gateway IPs as NTP server address if that makes sense

neighbor discovery was originally set to static

mks2.png

mks3.png

mks4.png

this is ping before/after route change

mks5.png

I did not change the DNS settings, I'm not able to get out of VLAN10, so I don't need more IPs, those I know are enough for now

I did not mention it, but I cut some parts of the config: NTP, WIFI and DHCP leases

AND... as I was prepairing for posting this reply I noticed that after the route change I was pinging wrong IP, the route change actually solved the issue, which is weird because I would swear that I tried it before, but... what ever...... may be typo

I reverted all the chages back, even the frame-types, as I mentioned, it is in official guide and it is working..

THANKS !

anav · Wed Mar 13, 2024 3:40 am

(1) Its perfectly valid to put the NTP server on each DHCP interface but its really not required if you have input chain rules in the format of

add chain=input action=accept in-interface-list=LAN dst-port=53,123 protocol=udp comment="allow users to DNS/NTP services"
add chain=input action=drop comment="drop all else"

or the more default weaker general rule......
add chain=input action=drop in-interface-list=!LAN

In both cases any LAN device now has access to the NTP server you dont need to put in DHCP, its redundant really.
I actually prefer to limit NTP to only the devices that need it so I have'

add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp comment="allow users to DNS services - udp"
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp comment="allow users to DNS services - tcp"
add chain=input action=accept in-interface-list=LAN dst-port=123 protocol=udp src-address-list=Permitted-NTP comment="allow specific devices to NTP"
add chain=input action=drop comment="drop all else"

(2) You really need to pay attention better!
First the article I noted is by an experienced MT coder and his article has garnered praise from many.
Second, you quoted documentation NOT for routers, but for switches, so really barking up the wrong tree - https://help.mikrotik.com/docs/display/ ... +switching
( the clue is its called VLAN Switching )

The article you should have been using for reference is the following: https://help.mikrotik.com/docs/display/ ... VLAN+Table
( the clue is its called BRIDGE VLAN )

3. Good to know about what shows up on the export, it keeps changing so we learn!

4. As a general rule, the official documentation are general references and are not copy proof examples to use in ones config.

neki · Wed Mar 13, 2024 10:57 am

I don't want to argue and I'm really grateful for your help (and patience with us, begginers..) but I'm really trying to pay attention..

The article Basic VLAN switching is divided to four sections, in my case the first and the last are valid.
The first is for XYZ switches and XYZ switch chips, among the switch chips is listed 88E6190, and that is the switch chip in L009 that I'm using

And because life is colorful even the Bridge VLAN Table states:

/interface bridge
set bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes

anav · Wed Mar 13, 2024 5:31 pm

Hahah,
Yes I will eat humble pie, I only looked at the example on the first page of the article........
Where it says to create the bridge and its very simple and notes add vlan-filtering=yes at the end.
/interface bridge
add name=bridge1

It later shows this setup as follows:
/interface bridge set bridge1 vlan-filtering=yes

Then they get into side niche examples where they put a different PVID on the bridge itself other than the default 1,
and after they show an example of setting frame types on the bridge itself, which is more of a switch approach and
by the way removes functionality...................
This does not only drop untagged packets, but disables the feature that dynamically adds untagged ports to the bridge VLAN table. If you print out the current bridge VLAN table you would notice that bridge1 is not dynamically added as an untagged port: ******

Neither of these side examples are needed in your simple case. All they serve to do is confuse the reader IMHO. As i stated, there doc are NOT to be used verbatim in your configs, but are presented for an overall understanding, often convoluted or confusing, of the available functionality.
What you should do is apply ingress filtering and frame types on each port ( /interface bridge ports ) and you are good to go.

****** I suspect this may have some negative effects sooner or later on your traffic..... especially because you do not manually untag ports (like I always do) and assume that the router will do it dynamically !!!

/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=10
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=20 ( you assume untagged on ether3 )
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=30 ( you assume untagged on wifi1,wifi2 )
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=40 ( you assume untagged on wifi3 )
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=50 ( you assume untagged on wifi4 )

Another begginer's VLAN issue, network connection of the "switch" [SOLVED]

Another begginer's VLAN issue, network connection of the "switch"

Re: Another begginer's VLAN issue, network connection of the "switch"

Re: Another begginer's VLAN issue, network connection of the "switch"

Re: Another begginer's VLAN issue, network connection of the "switch"

Re: Another begginer's VLAN issue, network connection of the "switch" [SOLVED]

Re: Another begginer's VLAN issue, network connection of the "switch"

Re: Another begginer's VLAN issue, network connection of the "switch"

Re: Another begginer's VLAN issue, network connection of the "switch"

Re: Another begginer's VLAN issue, network connection of the "switch"

Who is online