So far devices on the wired vlan can get IP, DNS, Subnet, and Default gateway. From there they can go no further. They can not ping the gateway nor can they browse via internet. Wireless clients can do the same but that’s another issue for another forum. I’m pretty sure I’ve missed a tiny detail but I’m about of time to spend messing with this before school gets back in full swing.
Just a general remark: avoid using VLAN ID 1 as tagged VLAN. In ROS, VLAN ID is used as implicit default all over the place and if one doesn’t catch all the occurrences, things misbehave in most random ways. Avoid for untagged as well, if link between two devices is untagged (or hybrid with some tagged VLANs and single untagged), then VLAN ID used for untagged can be different on both end (although it can be confusing as hell when comparing configurations).
Hmmm .. the problems you’re describing might be due to setting router’s LAN address with subnet mask omitted (i.e. _192.168.88.1_versus 192.168.88.1**/24**).
So its clear you only have one vlan and its being put on etherport 5.
Not sure why you need a vlan then??
The problem is you think you can send untagged vlan data on ethernet 2 and at the same time send the bridge subnet traffic on ethernet 2.
So do pray tell what device do you have on the other end of ethernet two that will be able to pick out two streams of untagged data???
or vice versa how will the router know where incoming traffic is supposed to go…???
Where did you get the idea you had to UNTAG bridges???
As was noted you have a configuration for interface bridge vlans that includes vlan1, which you didnt define so it needs to be removed.
(if you need another vlan use 20 or something but you need to define it …
Finally you have disabled ethernet 2,3,4 and spf1 so you should not have any traffic.
>
While ROS doesn't blurp, you can't have two VLANs untagged at the same time over any port. Yet in your case both bridge and ether2 are supposed to carry untagged frames both for VALN ID 1 and VLAN ID 10. In egress direction that's not a problem, but how is bridge supposed to know which untagged ingress frames should go to VLAN 1 and which to VLAN 10? At the same time both ether2 and bridge ports (yes, bridge is a port of self as well) are not explicitly configured with PVID on ingress ... that's where implicit default configuration of PVID=1 comes into play (that's what I was talking about).
So really: read through tutorial from @anav's post and then start from scratch. My recommendation: start from blank config, first get L2 (bridge, VLANs, ...) done then add L3 (IP) stuff (this part you'll mostly copy-paste from existing config, only change a few interface names).
And ... if you decide to follow my advice of not using VLAN ID 1 explicitly anywhere, you can (easily?) change config appropriately on switch as well. Switch configuration should not be the reason not to make things on router better.
In Mikrotik world, trunk ports are ports carrying (one or) multiple tagged VLANs and none untagged VLANs. Ports carrying some tagged and (exactly) one untagged VLANs are called hybrid ports.
Changing network topology (adding VLANs into the mix is exactly that) is like repkacing car’s wheel. Kind of hard to do it while driving on a highway, much easier when car is parked at a curb or even in a garage. Specially if you don’t know exactly what needs to be done.
And yet in other ecosystems you can. I’ve done it in OpenWRT without having to dismantle the system.
This place doesn’t get the best reputation on other forums/sites.
There’s being helpful, and then there’s being rude. I get that tone is hard to interpret through forum posts but it goes a long way to make your post presentable and understandable without sounding like a know it all.
edit: I came here with a legitimate question. I’ve searched this site up and down reading posts. A lot of them end up the same way, read this post and get back. Assuming everyone who asks a question understands the completely terminology and ecosystem is a bit naive.
I’m sorry you got bad feedback from this forum. As you noticed, there are some super-helpful members of forum and then there are … the rest
The problem for helpful forum members is that there are plenty of users coming with (almost) identical questions. As you wrote, they might even not realize they have the same question as others which already received usable and extensive answers and the helpful forum members get fed up answering same questions all over again. So they resort to pointing to the most usable threads dealing with same (or very similar) questions. It might seem rude to the question poster, but how does this differ from copy-pasted answer? Other than the feeling of not getting due attention some question poster might get?
Assuming everyone who asks a question understands the completely terminology and ecosystem is a bit naive.
Well, if some poster comes and uses all the right buzzwords, I tend to assume that user knows the meaning of buzzwords. And if that user doesn’t indicate he’s coming from another ecosystem (where buzzwords might have slightly different meaning), why should I care explaining what exactly those buzzwords mean in MT ecosystem? After all, one writing a post should explain all the circumstances that might affect the meaning of question and if question poster doesn’t do it, why should answer poster?
Let me clear, if you are actually a qualified networking IT manager and you actually read the article I linked, then you would have understood it and your config would not have been so sloppy.
I am extremely patient with new homeowners learning the ropes, I have less time for snotty nosed arrogant I think I am gods gift to the world Network guy with obviously some useless certification.
Most folks actually come here with an open mind, it seems, but in your case, if it doesnt behave or config like openwrt there must be something wrong with RoS - Cry me a river!!
Also, a real IT guy would have fixed the config posted it for review and it would be close to correct based on the excellent feedback support provided thus far.
But NOOOOOOOOOO, just a lot of whining…
Quote: " It’s a network in service. I can’t bring it down to put it back up." Implies you are in charge of a network to me.
Quote: " that article tried it copied pasted it didnt work…no you didnt work, the article is excellent
Quote: " And yet in other ecosystems you can. I’ve done it in OpenWRT without having to dismantle the system." in this case your responding/challenging one of the most knowledgeable and friendly to a fault guys in this forum (definitely not me) who is giving you very good advice and learning points which you seem to dismiss at will..
Besides dissing the forums because you didnt get free satisfiction prior. Can you link to the thread so I can see what was missed?
Regardless, of the above, Where is the config… feedback and assistance cannot be provided without the information requested.
Clearly you just want to whine and not get at the root of the config issues. Did you attempt to follow the link more closely??
I can go on all day, so lets just get your config where it needs to be and simply work with the facts…
I tried it many times before I ever even started using my equipment. I tried it in a VM and the imports would fail.
He said bring the system down. I stated that I had implemented vlans in a system without having to bring it down in another system. I wasn’t dismissing anyone. I was stating I couldn’t bring my system down. If that’s a dismissal, then there’s a huge communication barrier going on here.
what thread?
what config? My current one? I just got rid of all the vlans and am using the CSS as a dumb switch now.
provide both eap and switch IP addresses on management vlan.
Keep vlan1 as the default pvid on both router and switch no need to define or do anything different (same as any other vendor switch etc.)
On the router enable bridge vlan filtering after setting up interface bridge ports and interface bridge vlans
Works for me from any MT router to MT switch, netgear switch, dlink switch, tplink switch, MT AP, tplink AP etc…
Just keep add vlans as required to the router
the 4 needed items are ip pool, ip address, dhcp-server, dhcp-server network interface is the single bridge.
on the switch and APs just need to add the vlan IDs …
On the switch if you want to be consistent with router setup, then do basically the same with a single bridge and interface bridge ports and interface bridge vlans as required.
I use a hex router as a switch on my desktop so configured.
If you need examples let me know.
This is what I’ve been playing with so far. I had it working for a bit with 99 but as soon as I removed vlan1 everything halts. Hence the reason i’m just keeping it as is for now.
I’ve got most of that set up. my issue is the bridge. Before, because I was switching on the all in one device, i had to include a bridge. I really think this is what is hanging me up.
Thanks, I appreciate it.
Sorry we got off on the wrong foot. I only went with Mikrotik because I wanted to learn something new that I’m not going to learn in school and I’ve been eyeballing it for years. I love the equipment and as it is now works fantastic. I just need to get vlan’ing working to move cameras, labs, and uest networks off my main lan.
Start with the router.
create the bridge call it bridge-test
Create 3 vlans with interface bridge-test. One for wifi vlan10 , one for management vlan99 and one spare you can use at any time or perhaps you have house users and guest users for wifi, or media boxes from china for wifi ;-P, or IOT devices for wifi.
then setup the vlans
Ip address
ip pool
ip dhcp server
ip dhcp server network
interface bridge port settings one line for each port or WLAN (WLAN meaning local unit WLAN, if none local not applicable ***)
add bridge=bridge-test NOTES:
select ingress filtering=yes
if its a trunk port (carrying tagged vlans) then add allowed only frames=tagged
a. if its an access port (carrying one untagged vla) then add allowed only frames=priority and untagged
3 b. if its an access port (or hybrid port) carrying one untagged vlan then you must identify the vlan by PVID=X
If its a hybrid port do not make any frames attributioin.
trunk ports carry vlans to smart devices (managed switches, APs that can read vlans)
access ports carry untagged vlans to dumb devices (PC, unmanaged switches etc)
hybrid port carry one untagged vlan and as many tagged vlans as needed ( VOIP modem for PC - modem reads vlan tagged, computer gets untagged vlan)
Next step is the interface bridge vlan settings.
add bridge=bridge for any line entries where the vlan is going to a smart device the bridge must be tagged. Ports are untagged or tagged as appropriate.
Normally one line per vlan ID.
(although the router will automatically create untagged entries dynamically as identified by PVID in bridge port settings, they will not show up in the config and thus I prefer to manually insert them in the config so its clear what the intentions are to the reader.)
(***WLANs are considered ports when the local device is an MT wifi capable device)
