Adding an access port.

Eightplant · February 8, 2020, 10:45pm

Hello!
Apparently I stumbled into getting VLANs working on my CRS125 bridge but maybe I did not do it correctly. Tagged traffic (66) from ProxMox (ether6) and
3 VLANS (16,24,32)coming from the wireless network (ether15, ether16) get DHCP addresses as expected. I wanted to add an access port (ether23) to the camera’s VLAN (32) but each time I follow the instructions here: https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table and enable VLAN filtering the wireless networks stop passing traffic.
Thanks in advance for any help.

feb/08/2020 14:37:36 by RouterOS 6.46.3

software id = KK3I-XKHR

model = CRS125-24G-1S

serial number = 49CD0450F827

/interface bridge
add admin-mac=4C:5E:0C:98:F2:91 auto-mac=no comment=defconf igmp-snooping=yes
name=bridge
/interface vlan
add interface=bridge name=CamerasVLAN vlan-id=32
add interface=bridge name=DMZ vlan-id=66
add interface=bridge name=GuestWirelessVLAN vlan-id=24
add interface=bridge name=HomeKitVLAN vlan-id=16
/interface list
add name=WAN
add name=LAN
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.250
add name=VPN-Pool ranges=172.31.2.1-172.31.2.9
add name=CameraPool ranges=192.168.100.100-192.168.100.200
add name=WirelessGuest ranges=192.168.111.50-192.168.111.100
add name=WirelessCameras ranges=192.168.222.100-192.168.222.150
add name=“HomeKit Pool” ranges=192.168.99.100-192.168.99.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1w name=IntDHCP
add address-pool=WirelessGuest disabled=no interface=GuestWirelessVLAN
lease-time=12h name=Wirelessguestpool
add address-pool=WirelessCameras disabled=no interface=CamerasVLAN
lease-time=2w name=WirelessCameras
add address-pool=“HomeKit Pool” disabled=no interface=HomeKitVLAN lease-time=
2w name=“HomeKit Devices”
/ppp profile
add change-tcp-mss=yes dns-server=192.168.88.16,192.168.88.13 local-address=
192.168.88.1 name=VPN-Profile remote-address=VPN-Pool use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23 pvid=32
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp1
/interface bridge vlan
add bridge=bridge tagged=GuestWirelessVLAN,ether15,ether16 vlan-ids=24
add bridge=bridge tagged=CamerasVLAN,ether15,ether16 untagged=ether23
vlan-ids=32
add bridge=bridge tagged=HomeKitVLAN,ether15,ether16 vlan-ids=16
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN-Profile enabled=yes use-ipsec=
yes
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=
192.168.88.0
add address=192.168.111.1/24 comment=“Wireless Guest Network” interface=
GuestWirelessVLAN network=192.168.111.0
add address=192.168.222.1/24 comment=CameraNetwork interface=CamerasVLAN
network=192.168.222.0
add address=192.168.99.1/24 comment=“HomeKit VLAN” interface=HomeKitVLAN
network=192.168.99.0
add address=192.168.66.1/24 interface=DMZ network=192.168.66.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=bridge

Kaos1337 · February 9, 2020, 6:43pm

Hello,
may I ask why are you tagging CamerasVLAN here?

/interface bridge vlan
add bridge=bridge tagged=CamerasVLAN,ether15,ether16 untagged=ether23 vlan-ids=32

Eightplant · February 9, 2020, 6:56pm

Hello,
That was from me not knowing what I was doing From further attempts to understand my error, I have removed that tag but still no luck.

/interface bridge vlan
add bridge=bridge tagged=ether15,ether16 vlan-ids=24
add bridge=bridge tagged=ether15,ether16 untagged=ether23 vlan-ids=32
add bridge=bridge tagged=ether15,ether16 vlan-ids=16

Thank you!

Kaos1337 · February 9, 2020, 7:01pm

What happens if you tag the bridge to them?

/interface bridge vlan
set bridge=bridge tagged=bridge [find vlan-ids=24]
set bridge=bridge tagged=bridge [find vlan-ids=32]
set bridge=bridge tagged=bridge [find vlan-ids=16]

Eightplant · February 9, 2020, 7:15pm

Oh wow. It’s just like asking where something is in the grocery store and finding out the item is right next to you! So close!

I added the bridge tagged to each VLAN and I now get a 192.168.222.x DHCP address on port 23! The bridge is considered the egress interface and not the VLAN interface. Lesson learned!

/interface bridge vlan
add bridge=bridge tagged=ether15,ether16,bridge vlan-ids=24
add bridge=bridge tagged=ether15,ether16,bridge untagged=ether23 vlan-ids=32
add bridge=bridge tagged=ether15,ether16,bridge vlan-ids=16

Thank you so much!

Kaos1337 · February 9, 2020, 7:51pm

You are welcome!