Bonding with VLAN misconfiguration

I want to bond 6 ports into 3 LAGs. The problem is that I’m not able to ping through one router to the other router. The physical distribution is something like:

Ports.PNG

  • | Yellow |, is the administrative port with VLAN 10, for administration purposes.
  • | Purple |, is a bonded interface; its purpose is to serve DHCP for all VLANs.
  • |****| Black/RedFill |****|, is for WAN.
  • || Black/BlackFill ||, no purpose.
  • | Blue |, is a bonded interface; its purpose is to carry, for example, client DHCP requests.
  • | Red |, is a bonded interface; its purpose is to carry, for example, guest DHCP requests.

I can’t ping through the Gateway to the DHCP server on the VLAN interfaces. Maybe I misconfigured the routing. I have never worked with the Bridge VLANs option. I’m really stuck with this lab.

Gateway 12 port Router

# Gateway router export (first attempt): one bridge per VLAN, three 802.3ad
# bonds, per-VLAN addresses, WAN masquerade and management-service settings.
# NOTE(review): none of the bridges below sets vlan-filtering=yes, and this
# export contains no "/interface bridge port" section at all.
/interface bridge
add name=Administrative
add name=Antennas
add name=Clients
add name=Guests
add name=Phone
add name=Workers
# Physical ports are renamed to their LAG role; ether5-ether8 are unused and
# administratively disabled.
/interface ethernet
set [ find default-name=ether12 ] comment=eth-12 mac-address=D4:CA:6D:B0:BB:AC \
    name=LAG-1.1
set [ find default-name=ether11 ] comment=eth-11 name=LAG-1.2
set [ find default-name=ether10 ] comment=eth-10 mac-address=D4:CA:6D:B0:BB:AA \
    name=LAG-2.1
set [ find default-name=ether9 ] comment=eth-9 name=LAG-2.2
set [ find default-name=ether2 ] comment=eth-2 name=LAG-3.1
set [ find default-name=ether3 ] comment=eth-3 mac-address=D4:CA:6D:B0:BB:A3 name=\
    LAG-3.2
set [ find default-name=ether1 ] comment=eth-1 name=Phisical-Gestion
set [ find default-name=ether4 ] comment=eth-4 name=WAN
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
# Three LACP (802.3ad) bonds. LAG-2 does not set transmit-hash-policy, unlike
# LAG-1 and LAG-3-DHCP.
/interface bonding
add mode=802.3ad name=LAG-1 slaves=LAG-1.1,LAG-1.2 transmit-hash-policy=\
    layer-2-and-3
add mode=802.3ad name=LAG-2 slaves=LAG-2.2,LAG-2.1
add mode=802.3ad name=LAG-3-DHCP slaves=LAG-3.1,LAG-3.2 transmit-hash-policy=\
    layer-2-and-3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU up-port=\
    1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US up-port=\
    1700
/queue simple
add name=Phones priority=3/3 target=Phone
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
# The same bonds are listed as tagged members of six different bridges.
# NOTE(review): with no bridge-port membership and no vlan-filtering=yes in
# this export, these entries presumably are not enforced - confirm. Until
# filtering is verified, do not rely on this table to keep Guests (VLAN 60)
# separated from Administrative (VLAN 10).
/interface bridge vlan
add bridge=Administrative tagged=LAG-1,LAG-2,LAG-3-DHCP untagged=Phisical-Gestion \
    vlan-ids=10
add bridge=Antennas tagged=LAG-1,LAG-2 vlan-ids=40
add bridge=Clients tagged=LAG-1,LAG-3-DHCP vlan-ids=20
add bridge=Guests tagged=LAG-2 vlan-ids=60
add bridge=Workers tagged=LAG-2,LAG-3-DHCP vlan-ids=30
add bridge=Phone tagged=LAG-2 vlan-ids=50
# NOTE(review): 192.10.0.0/16 through 192.60.0.0/16 are not RFC 1918 private
# ranges (within 192.0.0.0/8 only 192.168.0.0/16 is); combined with the WAN
# masquerade below, Internet hosts in these ranges become unreachable from
# the LAN. 192.10.0.1/16 is also assigned twice (Administrative and
# Phisical-Gestion).
# NOTE(review): the router holds an address in every VLAN; without forward
# filter rules it presumably routes between all of them - confirm.
/ip address
add address=192.10.0.1/16 interface=Administrative network=192.10.0.0
add address=192.20.0.1/16 interface=Clients network=192.20.0.0
add address=192.30.0.1/16 interface=Workers network=192.30.0.0
add address=192.40.0.1/16 interface=Antennas network=192.40.0.0
add address=192.50.0.1/16 interface=Phone network=192.50.0.0
add address=192.60.0.1/16 interface=Guests network=192.60.0.0
add address=192.10.0.1/16 interface=Phisical-Gestion network=192.10.0.0
# Source NAT for everything leaving through WAN.
# NOTE(review): this export shows no "/ip firewall filter" section, so no
# input or forward filtering is visible for the WAN port - confirm whether
# the export is partial before connecting WAN to an untrusted network.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
# Host route to the DHCP router's address, using the bond as gateway.
/ip route
add distance=1 dst-address=192.10.0.2/32 gateway=LAG-3-DHCP
# Disables telnet, ftp, www, ssh, api and api-ssl.
# NOTE(review): winbox is not listed here, so it is presumably left at its
# default - confirm, and limit it to the administration subnet with the
# service's address= setting.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set color-scheme=dark enabled=no touch-screen=disabled
/system identity
set name=MotherFuckingBoss
/tool user-manager database
set db-path=user-manager
[admin@MotherFuckingBoss] >

DHCP 5 port Router

# DHCP router export (first attempt): one bridge per VLAN, a single 802.3ad
# bond towards the gateway, and one DHCP server plus address pool per VLAN.
# NOTE(review): no vlan-filtering=yes and no "/interface bridge port" section
# appear in this export.
/interface bridge
add fast-forward=no name=Antenas
add fast-forward=no name=Clientes
add fast-forward=no name=Gestion
add fast-forward=no name=Invitados
add fast-forward=no name=Phone
add fast-forward=no name=Trabajadores
# NOTE(review): wlan1 keeps the default SSID and the default security
# profile (only supplicant-identity is set further down). If the radio is
# enabled this would presumably be an unprotected network - confirm it
# stays disabled.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether2 ] comment=eth-2 name=LAG-DHCP-1.1
set [ find default-name=ether3 ] comment=eth-3 mac-address=B8:69:F4:43:9B:4A \
    name=LAG-DHCP-1.2
set [ find default-name=ether1 ] comment=eth-1 name=Phisical-Administration
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface bonding
add mode=802.3ad name=LAG-DHCP slaves=LAG-DHCP-1.1,LAG-DHCP-1.2 \
    transmit-hash-policy=layer-2-and-3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One pool per VLAN, each spanning x.x.1.0 to x.x.255.254 of its /16.
/ip pool
add name=Gestion ranges=192.10.1.0-192.10.255.254
add name=Clientes ranges=192.20.1.0-192.20.255.254
add name=Trabajadores ranges=192.30.1.0-192.30.255.254
add name=Antenas ranges=192.40.1.0-192.40.255.254
add name=Phone ranges=192.50.1.0-192.50.255.254
add name=Invitados ranges=192.60.1.0-192.60.255.254
# Each DHCP server is bound to the bridge named after its VLAN.
/ip dhcp-server
add address-pool=Gestion disabled=no interface=Gestion name=Gestion
add address-pool=Clientes disabled=no interface=Clientes name=Clientes
add address-pool=Trabajadores disabled=no interface=Trabajadores name=\
    Trabajadores
add address-pool=Phone disabled=no interface=Phone name=Phone
add address-pool=Invitados disabled=no interface=Invitados name=Invitados
add address-pool=Antenas disabled=no interface=Antenas name=Antenas
# LAG-DHCP is listed as a tagged member of all six bridges.
# NOTE(review): with no bridge-port membership and no vlan-filtering=yes
# shown, these entries presumably have no effect - confirm.
/interface bridge vlan
add bridge=Gestion tagged=LAG-DHCP untagged=Phisical-Administration vlan-ids=10
add bridge=Clientes tagged=LAG-DHCP vlan-ids=20
add bridge=Trabajadores tagged=LAG-DHCP vlan-ids=30
add bridge=Antenas tagged=LAG-DHCP vlan-ids=40
add bridge=Phone tagged=LAG-DHCP vlan-ids=50
add bridge=Invitados tagged=LAG-DHCP vlan-ids=60
# Every x.x.0.2/16 address is configured twice: once on the per-VLAN bridge
# and once directly on LAG-DHCP.
# NOTE(review): these 192.x.0.0/16 networks are not RFC 1918 private ranges.
/ip address
add address=192.10.0.2/16 interface=Gestion network=192.10.0.0
add address=192.20.0.2/16 interface=Clientes network=192.20.0.0
add address=192.30.0.2/16 interface=Trabajadores network=192.30.0.0
add address=192.40.0.2/16 interface=Antenas network=192.40.0.0
add address=192.50.0.2/16 interface=Phone network=192.50.0.0
add address=192.60.0.2/16 interface=Invitados network=192.60.0.0
add address=192.10.0.2/16 interface=LAG-DHCP network=192.10.0.0
add address=192.20.0.2/16 interface=LAG-DHCP network=192.20.0.0
add address=192.30.0.2/16 interface=LAG-DHCP network=192.30.0.0
add address=192.40.0.2/16 interface=LAG-DHCP network=192.40.0.0
add address=192.50.0.2/16 interface=LAG-DHCP network=192.50.0.0
add address=192.60.0.2/16 interface=LAG-DHCP network=192.60.0.0
# Clients in each VLAN are handed the gateway router (x.x.0.1) as default
# gateway; only the administration network sets dns-none=yes.
/ip dhcp-server network
add address=192.10.0.0/16 dns-none=yes gateway=192.10.0.1
add address=192.20.0.0/16 gateway=192.20.0.1
add address=192.30.0.0/16 gateway=192.30.0.1
add address=192.40.0.0/16 gateway=192.40.0.1
add address=192.50.0.0/16 gateway=192.50.0.1
add address=192.60.0.0/16 gateway=192.60.0.1
# NOTE(review): unlike the gateway export, this one has no "/ip service" and
# no "/ip firewall" section, so management services are presumably at their
# defaults and reachable from every VLAN this router has an address in -
# confirm and restrict them to the administration network.
/system identity
set name=DHCP
/system routerboard settings
set silent-boot=no
[admin@DHCP] >

The biggest mistake is to use multiple bridges … an interface can not be member of multiple bridges even though it carries multiple VLANs.

The way to go is to use a single bridge with vlan-filtering=yes; tagged traffic will pass through that bridge. If the router needs to interact with a certain VLAN (e.g. it’s running a DHCP server for that L2 domain), then you have to make the bridge interface a tagged member of that VLAN and create the corresponding VLAN interface, then use that interface for the L3 config.

Thx for the response; yes, I tried what you said. I created only one bridge with VLAN filtering (admit only tagged – trunk VLAN). Then, in the VLANs submenu of the bridge, I created certain VLANs tagged to the DHCP interface. After that I created those VLANs under Interface\VLAN, each one on the bridge interface. Then I set all the VLAN IPs in the address list on the bridge interface.

I’m still misconfiguring something; maybe I’m tired and getting part of the configuration wrong. I will try again tomorrow with a freshly reset config. Thanks very much, mkx.

I’m still missing something; could someone give me a clue? The packets are not being routed between the devices. But they are directly connected, so I don’t need to force a route right now. I’m going to paste the /export of each MikroTik, DHCP and Gateway, both of them.


# DHCP router export (second attempt): two VLAN-filtering bridges, one VLAN
# interface on each, and a DHCP server bound to each VLAN interface.
# Both bridges set a bridge-level pvid (10 and 20).
/interface bridge
add fast-forward=no name=Brdige-Administrative pvid=10 vlan-filtering=yes
add fast-forward=no frame-types=admit-only-vlan-tagged name=Bridge-Clients \
    pvid=20 vlan-filtering=yes
# NOTE(review): wlan1 keeps the default SSID and default security profile;
# confirm the radio stays disabled.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether3 ] mac-address=B8:69:F4:43:9B:4A
# VLAN interfaces are created on top of their respective bridge.
/interface vlan
add interface=Brdige-Administrative name=VLAN-Administrative vlan-id=10
add interface=Bridge-Clients name=VLAN-Client vlan-id=20
/interface bonding
add mode=802.3ad name=LAG-DHCP slaves=ether2,ether3 transmit-hash-policy=\
    layer-2-and-3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Pool-Administrative ranges=192.10.0.10-192.10.0.254
add name=Pool-Clients ranges=192.20.0.10-192.20.0.254
/ip dhcp-server
add address-pool=Pool-Administrative disabled=no interface=VLAN-Administrative \
    name=DHCP-Administrative
add address-pool=Pool-Clients disabled=no interface=VLAN-Client name=\
    DHCP-Clients
# Each VLAN interface is added as a port of the bridge it was created on.
# NOTE(review): LAG-DHCP and ether1 are not listed as ports of either bridge
# in this export, although the VLAN table below names them as members.
/interface bridge port
add bridge=Brdige-Administrative frame-types=admit-only-vlan-tagged interface=\
    VLAN-Administrative pvid=10
add bridge=Bridge-Clients interface=VLAN-Client pvid=20
# LAG-DHCP is named as a tagged member on both bridges.
/interface bridge vlan
add bridge=Brdige-Administrative tagged=LAG-DHCP,Brdige-Administrative \
    untagged=ether1 vlan-ids=10
add bridge=Bridge-Clients tagged=VLAN-Client,LAG-DHCP vlan-ids=20
# Each address is configured twice: on the VLAN interface and on its bridge.
# NOTE(review): 192.10.0.0/16 and 192.20.0.0/16 are not RFC 1918 private
# ranges.
/ip address
add address=192.10.0.2/16 interface=VLAN-Administrative network=192.10.0.0
add address=192.20.0.2/16 interface=VLAN-Client network=192.20.0.0
add address=192.10.0.2/16 interface=Brdige-Administrative network=192.10.0.0
add address=192.20.0.2/16 interface=Bridge-Clients network=192.20.0.0
# The network entries use this router's own /32 address together with
# netmask=16, not the /16 subnet used in the first attempt.
/ip dhcp-server network
add address=192.10.0.2/32 gateway=192.10.0.1 netmask=16
add address=192.20.0.2/32 gateway=192.20.0.1 netmask=16
# NOTE(review): no "/ip service" or "/ip firewall" section appears in this
# export; management services are presumably at their defaults - confirm
# and restrict them to the administration VLAN.
/system routerboard settings
set silent-boot=no
[admin@MikroTik] >





# Gateway router export (second attempt): two VLAN-filtering bridges with a
# bridge-level pvid, two 802.3ad bonds, and per-VLAN addresses and routes.
/interface bridge
add name=Bridge-Administration pvid=10 vlan-filtering=yes
add name=Bridge-Client pvid=20 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=eth-1 name=Phisical-Administration
set [ find default-name=ether3 ] mac-address=D4:CA:6D:B0:BB:A3
set [ find default-name=ether12 ] mac-address=D4:CA:6D:B0:BB:AC
# NOTE(review): VLAN-Administration uses vlan-id=1, while the bridge VLAN
# table below defines VLAN 10 for Bridge-Administration.
/interface vlan
add interface=Bridge-Administration name=VLAN-Administration vlan-id=1
add interface=Bridge-Client name=VLAN-Clients vlan-id=20
/interface bonding
add mode=802.3ad name=LAG-DHCP slaves=ether2,ether3 transmit-hash-policy=\
    layer-2-and-3
add mode=802.3ad name=LAG-GCA slaves=ether11,ether12 transmit-hash-policy=\
    layer-2-and-3
# An interface list is created here; no members are added in this export.
/interface list
add name=Administration_VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU up-port=\
    1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US up-port=\
    1700
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
# All ports shown belong to Bridge-Administration; Bridge-Client has no
# ports in this export. The last entry names Administration_VLAN, which is
# the interface list created above.
/interface bridge port
add bridge=Bridge-Administration frame-types=admit-only-vlan-tagged interface=\
    LAG-DHCP pvid=10
add bridge=Bridge-Administration frame-types=\
    admit-only-untagged-and-priority-tagged interface=Phisical-Administration pvid=\
    10
add bridge=Bridge-Administration frame-types=admit-only-vlan-tagged interface=\
    LAG-GCA pvid=10
add bridge=Bridge-Administration interface=Administration_VLAN pvid=10
# NOTE(review): LAG-DHCP is named as a tagged member of Bridge-Client here
# but is a port of Bridge-Administration only (see bridge port above).
/interface bridge vlan
add bridge=Bridge-Administration tagged=LAG-DHCP,LAG-GCA untagged=\
    Phisical-Administration vlan-ids=10
add bridge=Bridge-Client tagged=LAG-DHCP vlan-ids=20
# Each address is configured twice: on the bridge and on its VLAN interface.
# NOTE(review): 192.10.0.0/16 and 192.20.0.0/16 are not RFC 1918 private
# ranges.
/ip address
add address=192.10.0.1/16 interface=Bridge-Administration network=192.10.0.0
add address=192.20.0.1/16 interface=Bridge-Client network=192.20.0.0
add address=192.10.0.1/16 interface=VLAN-Administration network=192.10.0.0
add address=192.20.0.1/16 interface=VLAN-Clients network=192.20.0.0
# Host routes to the DHCP router, each listing three interfaces as gateway.
/ip route
add distance=1 dst-address=192.10.0.2/32 gateway=\
    VLAN-Administration,Bridge-Administration,LAG-DHCP pref-src=192.10.0.1
add distance=1 dst-address=192.20.0.2/32 gateway=\
    Bridge-Client,VLAN-Clients,LAG-DHCP pref-src=192.20.0.1
# NOTE(review): the "/ip service" hardening and the WAN masquerade rule from
# the first gateway export are absent here, and no "/ip firewall filter"
# section is shown. Presumably lost in the config reset - confirm and
# re-apply before connecting a WAN link.
/lcd
set color-scheme=dark enabled=no touch-screen=disabled
/tool user-manager database
set db-path=user-manager
[admin@MikroTik] >

You’ve made a mess with bridge, ports, PVID settings and what not.

I suggest you to go through this fine tutorial. The “switch with separate router” example applies to your case, it doesn’t matter that you have a few LACP bonds in the play.

Let me reiterate: use a single bridge (you still have two) and really avoid setting PVID on the bridge (if you don’t understand things clearly, this messes up the setup massively); at the same time, avoid using VLAN ID 1 (there is nothing wrong with using PVID on the bridge or using VID=1, but you have to understand many implicit defaults).