RHWwijk
just joined
Topic Author
Posts: 5
Joined: Mon Feb 26, 2024 2:32 pm

Require help/advice with Bridge and VLAN's

Fri Mar 01, 2024 6:30 pm

Hello people on the Mikrotik forums,

We have issues setting up a MikroTik router for the configuration shown in the attached overview.
We are quite new to MikroTik and are struggling through the documentation.
However, we can't find a correct way of setting it up the way we want to.
A lot of the documentation is also for RouterOS 6 instead of 7.

We have it running with the tagged trunk port to the switch, but we can't get the tagged/untagged combination to work.

Could somebody enlighten us on this configuration?
Thanks in advance!

Regards,
RHWwijk
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Require help/advice with Bridge and VLAN's

Sat Mar 02, 2024 1:14 pm

Which part doesn't work, the router ports or the switch ports? And if it's the switch, you failed to mention which router model or switch model.
 
RHWwijk
just joined
Topic Author
Posts: 5
Joined: Mon Feb 26, 2024 2:32 pm

Re: Require help/advice with Bridge and VLAN's

Mon Mar 04, 2024 4:27 pm

Which part doesn't work, the router ports or the switch ports? And if it's the switch, you failed to mention which router model or switch model.
The router model is RB5009UG+S+ (arm64) and the switch is an Aruba Instant On 1930.

When we connect a machine on the switch on either a VLAN 100 or a VLAN 101 port, it receives the proper IP address corresponding to the respective VLAN,
except for when we turn on "VLAN filtering".

But, for example, a machine connected on the switch on a VLAN 100 port is not able to ping a device directly connected to the router on a VLAN 100 port.
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Require help/advice with Bridge and VLAN's

Mon Mar 04, 2024 4:37 pm

It would help if you share the config:
/export file=anynameyoulike
Remove serial and any other private info and post in between code tags by using the </> button.

In regards to information:
viewtopic.php?t=143620 (the reference for setting up VLAN on MikroTik)
https://help.mikrotik.com/docs (the V7 reference from MikroTik)
 
RHWwijk
just joined
Topic Author
Posts: 5
Joined: Mon Feb 26, 2024 2:32 pm

Re: Require help/advice with Bridge and VLAN's

Mon Mar 04, 2024 5:19 pm

# 2024-03-04 16:12:59 by RouterOS 7.12.1
# software id = NP5I-1TDC
#
# model = RB5009UG+S+
/interface bridge
add name=bridge-all pvid=100 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] mac-address=78:9A:18:8A:43:BB
set [ find default-name=ether2 ] mac-address=78:9A:18:8A:43:BC
set [ find default-name=ether3 ] mac-address=78:9A:18:8A:43:BD
set [ find default-name=ether4 ] mac-address=78:9A:18:8A:43:BE
set [ find default-name=ether5 ] mac-address=78:9A:18:8A:43:BF
set [ find default-name=ether6 ] mac-address=78:9A:18:8A:43:C0
set [ find default-name=ether7 ] mac-address=78:9A:18:8A:43:C1
set [ find default-name=ether8 ] mac-address=78:9A:18:8A:43:C2
set [ find default-name=sfp-sfpplus1 ] mac-address=78:9A:18:8A:43:C3
/interface vlan
add interface=bridge-all name=vlan100-LAN vlan-id=100
add interface=bridge-all name=vlan101-WIFI vlan-id=101
add interface=bridge-all name=vlan199-ADMIN vlan-id=199
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=ADMIN
add name=WIFI
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN ranges=172.25.16.100-172.25.16.199
add name=ADMIN ranges=10.25.16.100-10.25.16.199
add name=WIFI ranges=10.1.1.1-10.1.1.250
/ip dhcp-server
add address-pool=LAN interface=vlan100-LAN lease-time=1d name=dhcp-lan
add address-pool=ADMIN interface=vlan199-ADMIN lease-time=1d name=dhcp-admin
add address-pool=WIFI interface=vlan101-WIFI lease-time=1d name=dhcp-wifi
/interface bridge port
add bridge=bridge-all interface=ether3 pvid=100
add bridge=bridge-all interface=ether4 pvid=100
add bridge=bridge-all interface=ether5 pvid=199
add bridge=bridge-all interface=ether6 pvid=199
add bridge=bridge-all interface=ether7 pvid=199
add bridge=bridge-all interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-all tagged=ether8 untagged=ether3,ether4 vlan-ids=100
add bridge=bridge-all tagged=ether8 untagged=ether5,ether6,ether7 vlan-ids=\
    199
add bridge=bridge-all tagged=ether8 vlan-ids=101
/interface list member
add interface=ether3 list=LAN
add interface=ether1 list=WAN
add interface=ether5 list=ADMIN
add interface=ether2 list=WAN
add interface=sfp-sfpplus1 list=WAN
add interface=ether6 list=ADMIN
add interface=ether7 list=ADMIN
add interface=ether4 list=LAN
/ip address
add address=172.25.16.254/24 interface=vlan100-LAN network=172.25.16.0
add address=10.25.16.254/24 interface=vlan199-ADMIN network=10.25.16.0
add address=10.1.1.254/24 interface=vlan101-WIFI network=10.1.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.25.16.51 client-id=1:90:9:d0:50:e7:c9 mac-address=\
    90:09:D0:50:E7:C9 server=dhcp-admin
add address=10.25.16.9 client-id=1:70:10:6f:47:20:a6 mac-address=\
    70:10:6F:47:20:A6 server=dhcp-admin
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.254 domain=kaributhk-wifi.local \
    gateway=10.1.1.254
add address=10.25.16.0/24 dns-server=10.25.16.254 domain=\
    kaributhk-admin.local gateway=10.25.16.254 netmask=24 ntp-server=\
    131.188.3.221,131.188.3.222
add address=172.25.16.0/24 dns-server=172.25.16.254 domain=kaributhk.local \
    gateway=172.25.16.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.101.0/24 list=ADMINS
/ip firewall filter
add action=drop chain=input dst-address=172.25.16.0/24 in-interface-list=\
    ADMIN
add action=drop chain=input dst-address=10.25.16.0/24 in-interface-list=LAN
add action=accept chain=input comment="Remote ADMINS OPEN" src-address-list=\
    ADMINS
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=33389 in-interface-list=WAN \
    protocol=tcp to-addresses=10.25.16.10 to-ports=3389
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I used this useful thread viewtopic.php?t=143620 to get it to this point so far; I will look at the other link as soon as I have time as well.
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Require help/advice with Bridge and VLAN's

Mon Mar 04, 2024 5:43 pm

/interface bridge
add name=bridge-all pvid=100 vlan-filtering=no
Should be:
/interface bridge
add name=bridge-all vlan-filtering=yes
Frame-types should be set on the /interface/bridge/port
 
anav
Forum Guru
Posts: 19401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Require help/advice with Bridge and VLAN's

Mon Mar 04, 2024 10:41 pm

The question erlinden, is AFTER READING THE EXCELLENT article --> viewtopic.php?t=143620

WHY DID THE OP THEN USE THIS CONFIG LINE??
/interface bridge
add name=bridge-all pvid=100 vlan-filtering=no


I would like the OP to go through his/her thinking as to the construction of this line as it may help improve the documentation for others.

Also, you should be more careful on wording, frame types can be set where they are applicable, in most cases not on the bridge!
 
RHWwijk
just joined
Topic Author
Posts: 5
Joined: Mon Feb 26, 2024 2:32 pm

Re: Require help/advice with Bridge and VLAN's

Tue Mar 05, 2024 2:02 pm

Maybe it would be good for me to explain that I am really quite new to the world of networking; this is the second router I have attempted to set up, and the first time I have worked with a MikroTik router and VLANs. So I am sure this is not a problem with any of the documentation or information available. It is just me not having very much knowledge and simply misunderstanding things, and not yet fully understanding all the processes which are needed to make setups like these work.
/interface bridge
add name=bridge-all pvid=100 vlan-filtering=no
I think the reason this line is like this is because I did not do this through the terminal; I did it with the WinBox interface, and when you check the box for "VLAN filtering" it automatically puts in PVID: 1, which confused me since I don't really know what a PVID is for, nor is it mentioned in the article. And since it didn't work with 1 as its PVID, I thought I might have to change it to one of my VLAN IDs to make it work perhaps.

In any case, after changing the config line to the correct one
/interface bridge
add name=bridge-all vlan-filtering=yes
I am still not getting an address from the router unless I uncheck "VLAN filtering" in the WinBox interface.
 
RhoAius
newbie
Posts: 31
Joined: Fri Jul 12, 2019 10:47 pm

Re: Require help/advice with Bridge and VLAN's  [SOLVED]

Tue Mar 05, 2024 4:36 pm

Assuming that the Aruba switch is properly configured:
/interface bridge
add name=bridge-all vlan-filtering=yes
/interface vlan
add interface=bridge-all name=vlan100-LAN vlan-id=100
add interface=bridge-all name=vlan101-WIFI vlan-id=101
add interface=bridge-all name=vlan199-ADMIN vlan-id=199
/interface bridge port
add bridge=bridge-all interface=ether2 pvid=100 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge-all interface=ether3 pvid=100 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge-all interface=ether4 pvid=100 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge-all interface=ether5 pvid=199 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge-all interface=ether6 pvid=199 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge-all interface=ether7 pvid=199 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge-all interface=ether8 frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge-all tagged=bridge-all,ether8 vlan-ids=100
add bridge=bridge-all tagged=bridge-all,ether8 vlan-ids=199
add bridge=bridge-all tagged=bridge-all,ether8 vlan-ids=101
I only address the VLAN part here. The problem with your config was that you did not include the bridge itself as a tagged "port".
Because you are "tapping" into the individual VLANs, the bridge (the CPU port, in switch-logic terms) is also a virtual port that needs to "pass" tagged traffic.

Other considerations:
Having vlan-filtering=no on the bridge defeats the purpose of using VLANs, as the defined rules are not enforced.
Different things happen on different devices (because of the different switching chips used).

After testing that things work, you should enforce the settings by also enabling "ingress-filtering=yes" on each port in the bridge (in "/interface bridge port").
 
anav
Forum Guru
Posts: 19401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Require help/advice with Bridge and VLAN's

Wed Mar 06, 2024 12:56 am

Concur with the points above; as erlinden indicated, once you have finished setting up all the VLAN-related settings, go back to the bridge and set vlan-filtering to YES.
As far as the /interface bridge vlan settings go, it's much better to put in the untagged entries too, and thus one can more easily distinguish whether the OP understands the concepts and whether hybrid ports are being properly handled.

/interface bridge port
add bridge=bridge-all interface=ether2 pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-all interface=ether3 pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-all interface=ether4 pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-all interface=ether5 pvid=199 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-all interface=ether6 pvid=199 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-all interface=ether7 pvid=199 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-all interface=ether8 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
add bridge=bridge-all tagged=bridge-all,ether8 untagged=ether2,ether3,ether4 vlan-ids=100
add bridge=bridge-all tagged=bridge-all,ether8 untagged=ether5,ether6,ether7 vlan-ids=199
add bridge=bridge-all tagged=bridge-all,ether8 vlan-ids=101

Very easy to visually cross check with bridge ports and make sense of the numbers.
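The two points made above (RhoAius: the bridge itself must be a tagged member of every VLAN that has an /interface vlan on it; anav: untagged entries in /interface bridge vlan should cross-check against the pvid on each bridge port) are exactly the kind of thing worth checking mechanically before flipping vlan-filtering to yes on a remote router. The following is an added example, not code from the thread or from MikroTik: a small Python checker that parses the bridge-related sections of a RouterOS /export (including the backslash line continuations the export uses) and reports the inconsistencies discussed in this thread. The two embedded exports are constructed samples, the first reduced from the OP's posted config and the second from the corrected one above; the section names and keys are the standard RouterOS ones, and the defaults assumed (vlan-filtering=no, pvid=1, frame-types=admit-all) are RouterOS defaults.

```python
import shlex

# Constructed sample, reduced from the OP's export: bridge not in "tagged=".
OP_EXPORT = """\
/interface bridge
add name=bridge-all pvid=100 vlan-filtering=no
/interface vlan
add interface=bridge-all name=vlan100-LAN vlan-id=100
add interface=bridge-all name=vlan101-WIFI vlan-id=101
add interface=bridge-all name=vlan199-ADMIN vlan-id=199
/interface bridge port
add bridge=bridge-all interface=ether3 pvid=100
add bridge=bridge-all interface=ether4 pvid=100
add bridge=bridge-all interface=ether5 pvid=199
add bridge=bridge-all interface=ether6 pvid=199
add bridge=bridge-all interface=ether7 pvid=199
add bridge=bridge-all interface=ether8
/interface bridge vlan
add bridge=bridge-all tagged=ether8 untagged=ether3,ether4 vlan-ids=100
add bridge=bridge-all tagged=ether8 untagged=ether5,ether6,ether7 vlan-ids=\\
    199
add bridge=bridge-all tagged=ether8 vlan-ids=101
"""

# Constructed sample, reduced from the corrected config in this thread.
FIXED_EXPORT = """\
/interface bridge
add name=bridge-all vlan-filtering=yes
/interface vlan
add interface=bridge-all name=vlan100-LAN vlan-id=100
add interface=bridge-all name=vlan199-ADMIN vlan-id=199
/interface bridge port
add bridge=bridge-all interface=ether3 pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-all interface=ether5 pvid=199 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-all interface=ether8 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge-all tagged=bridge-all,ether8 untagged=ether3 vlan-ids=100
add bridge=bridge-all tagged=bridge-all,ether8 untagged=ether5 vlan-ids=199
"""


def _join_continuations(text):
    """Join export lines that end in a backslash with the following line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip() if buf else raw
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        lines.append(buf + piece)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} for the 'add' lines of an export."""
    sections, current = {}, None
    for line in _join_continuations(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)  # handles quoted values such as comment="..."
        if current is None or not tokens or tokens[0] != "add":
            continue
        entry = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        sections[current].append(entry)
    return sections


def audit_bridge_vlans(text):
    """Return a list of findings; an empty list means the bridge VLAN table is consistent."""
    cfg = parse_export(text)
    findings = []
    bridges = {b["name"]: b for b in cfg.get("/interface bridge", []) if "name" in b}
    ports = {p["interface"]: p for p in cfg.get("/interface bridge port", []) if "interface" in p}

    # 1. vlan-filtering defaults to no, in which case the VLAN table is not enforced.
    for name, b in bridges.items():
        if b.get("vlan-filtering", "no") != "yes":
            findings.append(f"bridge {name}: vlan-filtering is not 'yes', bridge vlan table is not enforced")

    # Index the /interface bridge vlan rows by (bridge, vlan-id); vlan-ids may be a comma list.
    table = {}
    for row in cfg.get("/interface bridge vlan", []):
        for vid in filter(None, row.get("vlan-ids", "").split(",")):
            table[(row.get("bridge"), vid)] = row

    # 2. Every L3 VLAN interface on the bridge needs the bridge itself as a tagged member.
    for v in cfg.get("/interface vlan", []):
        br, vid = v.get("interface"), v.get("vlan-id")
        row = table.get((br, vid), {})
        if br in bridges and br not in row.get("tagged", "").split(","):
            findings.append(f"{v.get('name')}: bridge {br} is not a tagged member of vlan {vid}, "
                            "so the CPU-facing VLAN interface will not see that traffic")

    # 3. Untagged members must be bridge ports whose pvid (default 1) matches the VLAN.
    for (br, vid), row in table.items():
        for port in filter(None, row.get("untagged", "").split(",")):
            p = ports.get(port)
            if p is None:
                findings.append(f"vlan {vid}: untagged port {port} is not a bridge port")
            elif p.get("pvid", "1") != vid:
                findings.append(f"vlan {vid}: untagged port {port} has pvid {p.get('pvid', '1')}, expected {vid}")

    # 4. frame-types defaults to admit-all; an explicit ingress-filtering=no disables pvid/vlan checks.
    for port, p in ports.items():
        if p.get("frame-types", "admit-all") == "admit-all":
            findings.append(f"port {port}: frame-types not restricted (default admit-all)")
        if p.get("ingress-filtering") == "no":
            findings.append(f"port {port}: ingress-filtering explicitly disabled")
    return findings


if __name__ == "__main__":
    for label, export in (("OP config", OP_EXPORT), ("fixed config", FIXED_EXPORT)):
        print(f"== {label}: {len(audit_bridge_vlans(export))} finding(s)")
        for f in audit_bridge_vlans(export):
            print("  -", f)
```

On the OP's sample the checker reports the missing bridge-all tagged entry for all three VLANs, the disabled vlan-filtering, and the unrestricted frame-types on every port; on the corrected sample it reports nothing. To run it against a real router, paste the output of /export into a file and pass its contents to audit_bridge_vlans.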
 
RHWwijk
just joined
Topic Author
Posts: 5
Joined: Mon Feb 26, 2024 2:32 pm

Re: Require help/advice with Bridge and VLAN's

Thu Mar 07, 2024 11:30 am

I only address the VLAN part here. The problem with your config was that you did not include the bridge itself as a tagged "port".
Because you are "tapping" into the individual VLANs, the bridge (the CPU port, in switch-logic terms) is also a virtual port that needs to "pass" tagged traffic.

Other considerations:
Having vlan-filtering=no on the bridge defeats the purpose of using VLANs, as the defined rules are not enforced.
Different things happen on different devices (because of the different switching chips used).

After testing that things work, you should enforce the settings by also enabling "ingress-filtering=yes" on each port in the bridge (in "/interface bridge port").
Thank you! The problem was indeed that I did not include the bridge itself as a tagged "port". After testing and confirming things worked the way I would like them to, I did enable ingress-filtering=yes
on all the bridge ports.

Also big thanks to Erlinden and Anav for the clarification and patience.
