802.1q trunk config on RB3011

Trying to get 802.1q trunking working on ether4 to attach to a Linksys switch using a single bridge. VLANs 22 and 33 work on ports ether2 and 3. I have read all the documentation I can find on this; still nothing seems to work.

Any help is appreciated, it's driving me nuts at this point.

Thanks

  serial number = HF6094W66MX
/interface bridge
add admin-mac=78:9A:18:82:6E:12 auto-mac=no comment=defconf ingress-filtering=yes name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan22 vlan-id=22
add interface=bridge name=vlan33 vlan-id=33
/interface list
add comment=defconf name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcpVLAN33 ranges=10.10.33.10-10.10.33.200
add name=dhcpVLAN22 ranges=10.10.22.10-10.10.22.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcpVLAN22 disabled=no interface=vlan22 name=dhcp1
add address-pool=dhcpVLAN33 disabled=no interface=vlan33 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether3 pvid=33
add bridge=bridge interface=ether2 pvid=22
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=22
add bridge=bridge tagged=bridge vlan-ids=33
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface ethernet switch vlan
add independent-learning=no ports=ether2 switch=switch1 vlan-id=22
add independent-learning=no ports=ether3 switch=switch1 vlan-id=33
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=vlan22 list=LAN
add interface=vlan33 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.22.1/24 interface=vlan22 network=10.10.22.0
add address=10.10.33.1/24 interface=vlan33 network=10.10.33.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.22.0/24 dns-server=208.67.220.220 gateway=10.10.22.1 next-server=208.67.222.222
add address=10.10.33.0/24 dns-server=208.67.220.220 gateway=10.10.33.1 next-server=208.67.222.222
add address=192.168.88.0/24 comment=defconf dns-server=208.67.220.220 gateway=192.168.88.1 next-server=208.67.222.222
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add name=208.67.222.222 ns=208.67.222.222 type=NS
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input dst-address=192.168.88.0/24 log=yes src-address=10.10.33.0/24
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/lcd
set default-screen=log time-interval=weekly
/system clock
set time-zone-name=America/New_York
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=22
add bridge=bridge tagged=bridge,ether4 vlan-ids=33

I get this:

[admin@MikroTik] /interface bridge vlan> add bridge=bridge tagged=bridge,ether4 vlan-ids=22
failure: vlan already added
[admin@MikroTik] /interface bridge vlan> add bridge=bridge tagged=bridge,ether4 vlan-ids=33
failure: vlan already added
[admin@MikroTik] /interface bridge vlan> 

Yes of course it is assumed that you enter this from scratch, otherwise you need to edit the existing setting.

Easiest to do that with the GUI, just add ether4 and save.


In addition to that, the frame-types setting for ether4 here is wrong. You need to change it to frame-types=admit-only-vlan-tagged.

This should also be removed. On devices like the RB3011, you EITHER do vlan-filtering=yes OR configure using /interface ethernet switch vlan. Not both at the same time. Because you've decided to use Bridge VLAN Filtering, you should not do the configuration with /interface ethernet switch anymore.

Note: on RB3011 VLAN configuration with /interface ethernet switch preserves hardware offload, while Bridge VLAN Filtering is not hardware offloaded (but it's easier).


How would I configure to retain switching in hardware rather than the CPU?

If I did

/interface bridge ---> vlan-filtering=no

???

I dropped the switch vlan entries and still no trunk, no network… Sniffed the wire with Wireshark and see no VLAN tags at all.

Still no love:

/interface bridge
add admin-mac=78:9A:18:82:6E:12 auto-mac=no comment=defconf ingress-filtering=yes name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan22 vlan-id=22
add interface=bridge name=vlan33 vlan-id=33
/interface list
add comment=defconf name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcpVLAN33 ranges=10.10.33.10-10.10.33.200
add name=dhcpVLAN22 ranges=10.10.22.10-10.10.22.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcpVLAN22 disabled=no interface=vlan22 name=dhcp1
add address-pool=dhcpVLAN33 disabled=no interface=vlan33 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether3 pvid=33
add bridge=bridge interface=ether2 pvid=22
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=22
add bridge=bridge tagged=bridge,ether4 vlan-ids=33
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=vlan22 list=LAN
add interface=vlan33 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.22.1/24 interface=vlan22 network=10.10.22.0
add address=10.10.33.1/24 interface=vlan33 network=10.10.33.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.22.0/24 dns-server=208.67.220.220 gateway=10.10.22.1 next-server=208.67.222.222
add address=10.10.33.0/24 dns-server=208.67.220.220 gateway=10.10.33.1 next-server=208.67.222.222
add address=192.168.88.0/24 comment=defconf dns-server=208.67.220.220 gateway=192.168.88.1 next-server=208.67.222.222
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add name=208.67.222.222 ns=208.67.222.222 type=NS

You have not removed the incorrect frame-types filter.

And still nothing:

/interface bridge port
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether3 pvid=33
add bridge=bridge interface=ether2 pvid=22
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4

This, together with this

/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=22
add bridge=bridge tagged=bridge,ether4 vlan-ids=33

and this

/interface bridge
add admin-mac=78:9A:18:82:6E:12 auto-mac=no comment=defconf ingress-filtering=yes name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan22 vlan-id=22
add interface=bridge name=vlan33 vlan-id=33

Should be enough to have port ether4 acting as trunk for VLAN 22 and 33. Your /ip address entries on the two vlan22 and vlan33 interfaces look ok. How are you checking whether port 4 works or not? Is VLAN correctly configured on the Linksys switch?


Unrelated to your problem, but what you are currently specifying in the /ip dhcp-server network entries with next-server=208.67.222.222 is not correct. That looks like an OpenDNS IP address, you probably wanted to specify two DNS IP addresses. If that's the case, use the triangle arrow in WinBox 3 (or the plus sign in WinBox 4) to add an extra row to the DNS field, so that it becomes dns-server=208.67.220.220,208.67.222.222. next-server is not for DNS!

Also unrelated to the VLAN problem, but you should not enable these two

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

Unless you have a very good reason (special filtering requirements) to do so.

Same with this:

/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

It's not recommended to enable Detect Internet, it's not reliable and can cause problems. Set all the lists to none to disable that.


Alternative, older VLAN configuration method for RB3011

As for your question about the alternative way to configure VLAN on the RB3011: it would be more complicated for your particular device, because it has two switch chips, each connecting 5 ethernet ports. You'll either need to create two separate bridges, one for each switch chip, and configure VLAN on each bridge separately. Or if you want to keep one bridge with hardware offload and VLAN spanning both port groups, then you'll need to use a cable connecting two ports (and lose those two ports on the router).

The VLANs would then have to be configured by manipulating the switch chip setting, for switch1 and switch2 (the two switch chips) separately, as described here:

Switch Chip Features - RouterOS - MikroTik Documentation

as well as this small section

Basic VLAN switching - RouterOS - MikroTik Documentation

Pay attention to everything that mentions QCA8337 because that is the switch chip in the RB3011.

The second link also mentions what I wrote above:

For devices that have multiple switch chips (for example, RB2011, RB3011, RB1100), each switch chip is only able to switch VLAN traffic between ports that are on the same switch chip, VLAN filtering will not work on a hardware level between ports that are on different switch chips, this means you should not add all ports to a single bridge if you are intending to use VLAN filtering using the switch chip, VLANs between switch chips will not get filtered. You can connect a single cable between both switch chips to work around this hardware limitation, another option is to use Bridge VLAN Filtering, but it disables hardware offloading (and lowers the total throughput).

And of course if you do this, then you have to remove the setting under /interface bridge vlan as well as the pvid and frame-types setting on the bridge ports.

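An added example, not part of any post in this thread and not MikroTik code: a Python lint over a RouterOS `/export` that flags the three bridge VLAN problems raised above (a port tagged in `/interface bridge vlan` whose `frame-types` admits only untagged frames, a duplicate `vlan-ids` entry, and `vlan-filtering=yes` combined with `/interface ethernet switch vlan`). The function names `parse_export` and `lint_vlan` are hypothetical, and the sample export is constructed from configuration lines posted in the thread.

```python
import re
import shlex

def parse_export(text):
    """Return [(menu_path, {key: value})] for every add/set line of an export."""
    rows, path = [], None
    # Join lines that the export wrapped with a trailing backslash.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            rows.append((path, dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)))
    return rows

def lint_vlan(text):
    """Flag the bridge VLAN mistakes discussed in the thread."""
    rows, findings, seen = parse_export(text), [], set()
    paths = {p for p, _ in rows}
    filtering = any(p == "/interface bridge" and kv.get("vlan-filtering") == "yes" for p, kv in rows)
    frame_types = {kv.get("interface"): kv.get("frame-types", "")
                   for p, kv in rows if p == "/interface bridge port"}
    for p, kv in rows:
        if p != "/interface bridge vlan":
            continue
        vid = kv.get("vlan-ids")
        if vid in seen:  # RouterOS rejects this with "failure: vlan already added"
            findings.append(f"duplicate bridge vlan entry for vlan-ids={vid}")
        seen.add(vid)
        for port in kv.get("tagged", "").split(","):
            if frame_types.get(port, "").startswith("admit-only-untagged"):
                findings.append(f"{port} tagged in VLAN {vid} but admits only untagged frames")
    if filtering and "/interface ethernet switch vlan" in paths:
        findings.append("vlan-filtering=yes mixed with /interface ethernet switch vlan")
    return findings

# Constructed sample, trimmed from the configuration lines posted in the thread.
SAMPLE = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether2 pvid=22
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=22
add bridge=bridge tagged=bridge,ether4 vlan-ids=33
/interface ethernet switch vlan
add independent-learning=no ports=ether2 switch=switch1 vlan-id=22
"""

if __name__ == "__main__":
    for finding in lint_vlan(SAMPLE):
        print(finding)
```

Paste the output of `/export` into a file and pass its text to `lint_vlan`; an empty list means none of the three conditions was found.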

Disabled internet detect totally

/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none

Alright, internet detect is all off now.

Yes, I'm attached to a Linksys switch configured for VLANs 22 and 33. I have also sniffed the ether4 port and see no networks in the switch announcements.