BPDU problem

Hi,

I’m trying to set up a fairly simple topology:

Netgear GS728 switch [Gi 25] -----trunk----- [SFP1] Mikrotik [SFP2] -----trunk----- [Gi 25] Netgear GS728 switch

The Mikrotik is configured as the root for all VLANs (10, 20, 30, 100 and 192) with priority 4096; I use RSTP.

But the Netgear switches somehow don’t respect the MT as the root bridge. It looks like the MT is not sending BPDU packets. Can you suggest what I’m doing wrong?

Mikrotik config

# jun/28/2018 13:16:06 by RouterOS 6.42.4
# software id = 5HWC-UFX8
#
# model = CRS328-24P-4S+
# serial number = 822308F79C2A
# review: production CRS328 export as posted. Lines starting with "# review:"
# are reviewer notes; nothing else was changed. The software id and serial
# number above were posted publicly - redact them like the WAN address was.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=\
    "name=ch_01_2400_20_bgn"
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=\
    "name=ch_06_2400_20_bgn"
add band=2ghz-g/n control-channel-width=20mhz frequency=2462 name=\
    "name=ch_11_2400_20_bgn"
/interface bridge
# review: one bridge per VLAN, each running its own RSTP instance. Their
# member ports are the /interface vlan entries further down, so every BPDU
# leaves SFP1-4 with an 802.1Q tag - which is why the Netgear never sees a
# root bridge (see the replies in the thread). RSTP needs one shared bridge.
# review: bridge priority is hexadecimal in RouterOS: 0x4096 is 16534 decimal,
# not 4096 (that would be 0x1000). It is still below the default 0x8000.
add fast-forward=no name=bridge-vlan10 priority=0x4096
add fast-forward=no name=bridge-vlan20 priority=0x4096
add fast-forward=no name=bridge-vlan30 priority=0x4096
add fast-forward=no name=bridge-vlan100 priority=0x4096
add fast-forward=no name=bridge-vlan130 priority=0x4096
add fast-forward=no name=bridge-vlan192 priority=0x4096
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether3 ] comment="ESX i ETH1 Trunk"
set [ find default-name=ether4 ] comment="ESXi ETH2 Trunk"
/interface vlan
# review: VLAN sub-interfaces on the physical trunks; each one becomes a member
# of the matching per-VLAN bridge below, so anything the bridge sends on it
# (BPDUs included) is tagged.
add interface=ether3 name=trunk-eth3-vlan10 vlan-id=10
add interface=ether3 name=trunk-eth3-vlan100 vlan-id=100
add interface=ether4 name=trunk-eth4-vlan10 vlan-id=10
add interface=ether4 name=trunk-eth4-vlan100 vlan-id=100
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan10 vlan-id=10
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan100 vlan-id=100
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan130 vlan-id=130
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan192 vlan-id=192
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan20 vlan-id=20
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan30 vlan-id=30
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan10 vlan-id=10
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan100 vlan-id=100
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan130 vlan-id=130
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan192 vlan-id=192
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan20 vlan-id=20
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan30 vlan-id=30
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan10 vlan-id=10
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan100 vlan-id=100
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan130 vlan-id=130
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan192 vlan-id=192
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan20 vlan-id=20
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan30 vlan-id=30
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan10 vlan-id=10
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan100 vlan-id=100
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan130 vlan-id=130
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan192 vlan-id=192
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan20 vlan-id=20
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan30 vlan-id=30
/caps-man datapath
add bridge=bridge-vlan20 name=datapath-OFFICE
add bridge=bridge-vlan30 name=datapath-VISITORS
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security-OFFICE
# review: no authentication-types here, so the VISITORS SSID is an open
# network; guest isolation then rests entirely on the hotspot and on the
# vlan30 drop rules in /ip firewall filter below.
add name=security-VISITORS
/caps-man configuration
add channel.band=2ghz-g/n channel.control-channel-width=20mhz country=poland \
    datapath=datapath-OFFICE distance=indoors guard-interval=any mode=ap \
    name=config-OFFICE rates.basic="" rx-chains=0,1 security=security-OFFICE \
    ssid=OFFICE tx-chains=0,1
add channel.band=2ghz-g/n channel.control-channel-width=20mhz country=poland \
    datapath=datapath-VISITORS guard-interval=any mode=ap name=\
    config-VISITORS security=security-VISITORS ssid=VISITORS
/interface list
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.firma.pl hotspot-address=10.1.30.1 \
    html-directory=flash/hotspot login-by=http-chap name=HSPRO1
/ip pool
add name=pool-vlan10 ranges=10.1.10.100-10.1.10.250
add name=pool-vlan20 ranges=10.1.20.100-10.1.20.250
add name=pool-vlan30 ranges=10.1.30.100-10.1.30.250
add name=pool-vlan192 ranges=192.168.0.150-192.168.0.180
add name=pool-vpn-ppt ranges=10.1.99.100-10.1.99.250
/ip dhcp-server
add address-pool=pool-vlan10 disabled=no interface=bridge-vlan10 lease-time=\
    8h name=server-vlan10
add address-pool=pool-vlan192 disabled=no interface=bridge-vlan192 \
    lease-time=8h name=server-vlan192
add address-pool=pool-vlan20 disabled=no interface=bridge-vlan20 lease-time=\
    8h name=server-vlan20
add address-pool=pool-vlan30 disabled=no interface=bridge-vlan30 lease-time=\
    8h name=server-vlan30
/ip hotspot
add address-pool=pool-vlan30 disabled=no idle-timeout=none interface=\
    bridge-vlan30 name=server1
/ip hotspot user profile
set [ find default=yes ] address-pool=pool-vlan30 keepalive-timeout=4h \
    mac-cookie-timeout=1d shared-users=100
/ppp profile
# review: profile for the PPTP server enabled further down; see the note there
# about PPTP itself. use-encryption=yes requires MPPE, which only the
# MS-CHAP family can negotiate, so the plain "chap" method allowed on the
# server is unlikely to produce a working session - verify.
add dns-server=10.1.10.10 local-address=pool-vpn-ppt name=vpn-pptp only-one=\
    no remote-address=pool-vpn-ppt use-encryption=yes
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any \
    signal-range=-80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any \
    signal-range=-120..-81 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=config-OFFICE \
    name-format=identity slave-configurations=config-VISITORS
/interface bridge port
# review: every trunk-* member is a VLAN sub-interface, not a physical port;
# the physical SFP/ether trunk ports are not members of any bridge, so no
# untagged BPDU can ever be sent on them.
add bridge=bridge-vlan10 interface=trunk-sfp1-vlan10
add bridge=bridge-vlan100 interface=trunk-sfp1-vlan100
add bridge=bridge-vlan20 interface=trunk-sfp1-vlan20
add bridge=bridge-vlan30 interface=trunk-sfp1-vlan30
add bridge=bridge-vlan192 interface=trunk-sfp1-vlan192
add bridge=bridge-vlan192 interface=trunk-sfp2-vlan192
add bridge=bridge-vlan10 interface=trunk-sfp2-vlan10
add bridge=bridge-vlan100 interface=trunk-sfp2-vlan100
add bridge=bridge-vlan20 interface=trunk-sfp2-vlan20
add bridge=bridge-vlan30 interface=trunk-sfp2-vlan30
add bridge=bridge-vlan192 interface=trunk-sfp3-vlan192
add bridge=bridge-vlan10 interface=trunk-sfp3-vlan10
add bridge=bridge-vlan100 interface=trunk-sfp3-vlan100
add bridge=bridge-vlan20 interface=trunk-sfp3-vlan20
add bridge=bridge-vlan30 interface=trunk-sfp3-vlan30
add bridge=bridge-vlan192 interface=trunk-sfp4-vlan192
add bridge=bridge-vlan10 interface=trunk-sfp4-vlan10
add bridge=bridge-vlan100 interface=trunk-sfp4-vlan100
add bridge=bridge-vlan20 interface=trunk-sfp4-vlan20
add bridge=bridge-vlan30 interface=trunk-sfp4-vlan30
add bridge=bridge-vlan100 comment=ILO interface=ether5
add bridge=bridge-vlan100 comment=UPS interface=ether6
add bridge=bridge-vlan100 comment=QNAP interface=ether7
add bridge=bridge-vlan100 comment=QNAP interface=ether8
add bridge=bridge-vlan192 interface=ether17
add bridge=bridge-vlan192 interface=ether10
add bridge=bridge-vlan10 comment=Server interface=trunk-eth3-vlan10
add bridge=bridge-vlan100 comment=Server interface=trunk-eth3-vlan100
add bridge=bridge-vlan10 comment=Server interface=trunk-eth4-vlan10
add bridge=bridge-vlan100 comment=Server interface=trunk-eth4-vlan100
add bridge=bridge-vlan192 interface=ether9
add bridge=bridge-vlan192 interface=ether11
add bridge=bridge-vlan192 interface=ether12
add bridge=bridge-vlan192 interface=ether13
add bridge=bridge-vlan192 interface=ether14
add bridge=bridge-vlan192 interface=ether15
add bridge=bridge-vlan192 interface=ether16
add bridge=bridge-vlan130 interface=trunk-sfp1-vlan130
add bridge=bridge-vlan130 interface=trunk-sfp2-vlan130
add bridge=bridge-vlan130 interface=trunk-sfp3-vlan130
add bridge=bridge-vlan130 interface=trunk-sfp4-vlan130
add bridge=bridge-vlan192 interface=ether18
add bridge=bridge-vlan192 interface=ether19
add bridge=bridge-vlan192 interface=ether20
add bridge=bridge-vlan192 interface=ether21
add bridge=bridge-vlan192 interface=ether22
/interface pptp-server server
# review: PPTP with CHAP/MS-CHAPv2 is a weak remote-access choice - the
# MS-CHAPv2 exchange can be recovered offline and the MPPE keys derive from
# it. Plan to replace it with IPsec/IKEv2 (or another modern VPN) rather than
# keeping tcp/1723 open to the Internet (accept rule in the filter below).
set authentication=chap,mschap2 default-profile=vpn-pptp enabled=yes
/ip address
# review: XX.YY.ZZ.II is the poster's redacted public address; it is referred
# to by the forward-accept and dst-nat rules below.
add address=XX.YY.ZZ.II/30 interface=ether1-WAN network=XX.YY.ZZ.128
add address=10.1.10.1/24 interface=bridge-vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=bridge-vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=bridge-vlan30 network=10.1.30.0
add address=192.168.0.1/24 interface=bridge-vlan192 network=192.168.0.0
add address=10.1.100.1/24 interface=bridge-vlan100 network=10.1.100.0
add address=10.1.130.1/24 interface=bridge-vlan130 network=10.1.130.0
/ip dhcp-server network
add address=10.1.10.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 dns-server=208.67.222.222,208.67.220.220 domain=\
    domain.internal gateway=10.1.30.1 netmask=24
add address=10.1.99.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.99.1 netmask=24
add address=10.1.100.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.100.1 netmask=24
add address=192.168.0.0/24 dns-server=\
    10.1.10.10,208.67.220.220,208.67.222.222 domain=domain.internal \
    gateway=192.168.0.1 netmask=24
/ip dns
set servers=10.1.10.10,208.67.220.220
/ip firewall address-list
# review: LAN covers all of 10.0.0.0/8 - that includes the hotspot VLAN
# 10.1.30.0/24 and the VPN pool 10.1.99.0/24, not just the office networks.
# The vlan30 drop rules below rely on this list to keep guests off the
# internal networks, and the "accept all from local network" input rule
# admits everything whose source is in it.
add address=10.0.0.0/8 list=LAN
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=192.168.0.0/24 list=LAN
/ip firewall filter
# review: the passthrough rule marks where HotSpot inserts its dynamic rules,
# i.e. ahead of everything that follows.
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
# review: guest isolation - hotspot clients on vlan30 may not reach anything in
# LAN, neither the router itself (input) nor other networks (forward). Since
# LAN contains 10.0.0.0/8 this also covers the router's own 10.1.30.1; confirm
# the hotspot login page still works (its dynamic rules sit above this).
add action=drop chain=input dst-address-list=LAN in-interface=bridge-vlan30
add action=drop chain=forward dst-address-list=LAN in-interface=bridge-vlan30
add action=accept chain=input comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" src-address-list=LAN
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
# review: PPTP control port open to the whole Internet with no source
# restriction; see the /interface pptp-server note above.
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
# review: accepts Winbox on 42323, but /ip service below moves winbox to port
# 52341, so this rule matches nothing and WAN-side Winbox is dropped by the
# final input rule (LAN sources are admitted earlier anyway). If WAN access
# to Winbox is really intended, fix the port AND add a src-address-list of
# known management addresses; otherwise delete the rule.
add action=accept chain=input comment="Access to Winbox" dst-port=42323 \
    protocol=tcp
# review: in the forward chain dst-address is seen after dst-nat has already
# rewritten it, so dst-address=XX.YY.ZZ.II (the public address) should never
# match here. The port-forwarded flows pass anyway because nothing in forward
# drops them (the later rule only drops !dstnat new connections) - the
# effective policy is "any dst-natted connection is allowed", which these
# eight rules do not narrow.
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5445 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5415 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5443 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5435 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5000 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5002 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5001 \
    in-interface=ether1-WAN protocol=tcp
# review: 234234 is not a valid TCP port (maximum 65535); this line should be
# rejected on import, and there is no matching dst-nat rule for it either.
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=234234 \
    in-interface=ether1-WAN protocol=tcp
# review: chain=ICMP is never entered - there is no action=jump
# jump-target=ICMP anywhere in input or forward - so the echo-request rate
# limit below has no effect. Input accepts echo requests without a limit at
# the "Echo request" rule instead. Either add the jump or drop the chain.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=input comment="Echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
# review: WAN bogon filtering is good, but it sits after the PPTP and Winbox
# accepts above; move these two drops ahead of them so packets with spoofed
# private sources cannot reach those services.
add action=drop chain=forward comment="Drop all packets from public internet w\
    hich should not exist in public network" in-interface=ether1-WAN \
    src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet whi\
    ch should not exist in public network" in-interface=ether1-WAN \
    src-address-list=NotPublic
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
# review: default-deny for input - good. Note there is no equivalent final
# drop in forward, so forward is default-allow apart from the explicit drops.
add action=drop chain=input comment=\
    "!!Drop any other traffic INPUT - put at the end"
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
# review: masquerade with no out-interface applies on every egress, including
# routed inter-VLAN traffic (10.x -> 10.y), which hides the real client
# address from hosts and logs in the other VLAN; add out-interface=ether1-WAN
# to both rules so only Internet-bound traffic is translated.
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    10.0.0.0/8
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5445 \
    protocol=tcp to-addresses=192.168.0.15 to-ports=5445
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5415 \
    protocol=tcp to-addresses=192.168.0.56 to-ports=5415
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5443 \
    protocol=tcp to-addresses=192.168.0.100 to-ports=5443
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5435 \
    protocol=tcp to-addresses=192.168.0.10 to-ports=5435
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5000 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5000
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5001 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5001
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5002 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5002
# review: exposes RDP (3389) on 10.1.10.10 - the DNS/RADIUS server - to the
# Internet on a non-standard port. Port obscurity is not a control; restrict
# the rule by src-address to known clients or reach the host over the VPN.
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=51991 \
    protocol=tcp to-addresses=10.1.10.10 to-ports=3389
/ip hotspot user
add name=visitor
/ip route
add distance=1 gateway=XX.YY.ZZ.129
/ip service
# review: telnet/ftp/www/ssh disabled, only Winbox left on a custom port; the
# api and api-ssl services are not listed here (export shows non-defaults
# only), so check they are disabled or address-restricted as well. The final
# input drop already keeps them off the WAN.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox port=52341
/ppp aaa
set use-radius=yes
/ppp secret
add name=xadmin profile=vpn-pptp
/radius
# review: 100ms is a very short RADIUS timeout; a busy server will cause
# spurious VPN authentication failures. The shared secret is not shown in
# this export.
add address=10.1.10.10 src-address=10.1.10.1 timeout=100ms
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=NTO-R01
/system routerboard settings
set boot-os=router-os silent-boot=no

The Netgear switches should see the root on port G25, but each assumes itself to be the root. I attached Netgear screenshots of the RSTP config and port status.
The trunks work well between devices; only RSTP doesn’t work as expected. Can you help me?

Thanks for any input or hint!
/BR Eliash
2.PNG
1.PNG

Most likely the Netgear is dropping tagged BPDUs, which are being sent out of your device because of misconfiguration.
You should read more about this case here:
https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_in_bridge_with_a_physical_interface

Have you checked the timer values in the RSTP settings on all devices?


Check the RSTP bridge priority on the Netgear devices.

Hi,

Thanks for your reply.

Netgears have the same, default priority: 32768

Can you verify if my trunk configuration is correct? I’m new to Mikrotik.

/BR Eliash

Follow the suggestion of @artz.

The way you have configured it, each VLAN has its own bridge running its own instance of RSTP inside the Mikrotik, so the BPDU frames from these bridges are sent out to the Netgear with VLAN tags. This is not how STP normally works. In normal switches, which are not as flexible as the Mikrotik ones, the BPDU frames are tagless and the spanning tree is a single common one for all VLANs (for RSTP), or there is one spanning tree for each group of VLANs (for MSTP); but even in the latter case the BPDU frames must be tagless.

The priority has nothing to do with it; the Netgear does not recognize the tagged BPDUs, as you initially suspected.

Thank you very much for your help - I will try reconfiguration and let you know about the result.

best regards,
Eliash

I have some more questions:
I have couple of VLANs: 10,20,30, 100 and 192
I created bridges for each vlan:
bridge-vlan10,bridge-vlan20,bridge-vlan30,bridge-vlan100 and bridge-vlan192
My trunks are on physical ports SFP1, SPF2, SFP3 and SFP4

According to proposed solution (example):

/interface bridge
# One VLAN-aware bridge; the /interface bridge vlan table below does the
# filtering.
add name=bridge vlan-filtering=yes
/interface bridge port
# ether1 is an access port: untagged frames entering it are assigned VLAN 99
# by the pvid.
add bridge=bridge interface=ether1 pvid=99
# ether2 is the trunk; it is listed as a tagged member of VLAN 99 below.
add bridge=bridge interface=ether2
/interface bridge vlan
# review: the bridge itself is not in tagged=, so VLAN 99 is only switched
# between ether1 and ether2; if the router needs an IP address in this VLAN,
# add "bridge" to tagged= (a later reply in the thread explains this).
add bridge=bridge tagged=ether2 untagged=ether1 vlan-ids=99

I should set (for vlan10):

/interface bridge
# review: this keeps one bridge per VLAN, which is the pattern being replaced;
# RSTP needs all VLANs on a single shared bridge (see the reply that follows).
add name=bridge-vlan10 vlan-filtering=yes

then add access ports and for trunk port (SFP1) set pvid


/interface bridge port
# review: pvid belongs on the access ports, not on the trunk (SFP1); the
# reply further down corrects this.
add bridge=bridge-vlan10 interface=SFP1 pvid=10
add bridge=bridge-vlan10 interface=ether2
add bridge=bridge-vlan10 interface=ether3
add bridge=bridge-vlan10 interface=ether4

and at the end set vlans on ports

/interface bridge vlan
# review: tagged and untagged are swapped - the trunk (SFP1) should be the
# tagged member and the access ports the untagged ones. The spaces after the
# commas would likely be parsed as separate arguments; list values are
# written without spaces (tagged=ether2,ether3,ether4).
add bridge=bridge-vlan10 tagged=ether2, ether3, ether4 untagged=SFP1 vlan-ids=10

What about the other VLANs? I can add SFP1 to only one bridge; I get an error when trying to add SFP1 to bridge-vlan20, bridge-vlan30…

BR/Eliash

The whole idea of RSTP requires that all VLANs share the same bridge which has trunk and access member ports, and that there are no loops via the access ports as all the VLANs in the same STP instance (and there is only one in case of RSTP) must have the same topology. The wiki explains how to do that.

i think is a good idea

Creating only one bridge with a “normal” VLAN configuration, like a switch, should help.

You can specify multiple VLANs in “vlan-ids=10,20,30,40”.

The problem with the previous setup is that a packet is always sent out through a physical interface. In your case, you had VLAN interfaces, each running a separate RSTP instance. The problem arises when a BPDU needs to be sent out: it is sent out through all interfaces that are added to the bridge. The bridge takes each bridge slave and sends a BPDU out of that interface, but since the VLAN interface is created on top of a physical interface, traffic leaving the VLAN interface is tagged with a VLAN tag regardless of the type of the packet. This can cause issues on other devices, and it depends on the RSTP implementation. If the device is not running a VLAN-aware bridge, then in the case of a tagged BPDU the bridge might look at the DSAP field and find 0x8100XX (the 802.1Q VLAN EtherType), which does not correspond to an STP BPDU, and the frame might get dropped since it does not comply with IEEE 802.1w.

Hi, to summarize, my current scenario

for vlans:
10 - wired office
20 -WLAN office
30 - Internet only vlan (captive portal)
100 - mgmt
192 - old 192.168.0.0/24 legacy network

I should create 1 common bridge

/interface bridge
# One VLAN-aware bridge shared by all VLANs (the RSTP instance runs here).
add name=bridge vlan-filtering=yes

add ports to the bridge and for SFP which are trunks set pvid

/interface bridge port
# review: an interface can be a bridge member only once, so the three SFP1
# lines conflict; and a trunk should not be given a pvid here at all - pvid
# is for the access ports (ether2..ether5). The reply below corrects this.
add bridge=bridge interface=SFP1 pvid=10
add bridge=bridge interface=SFP1 pvid=20
add bridge=bridge interface=SFP1 pvid=30
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
...

assign vlans to particular ports

/interface bridge vlan
# review: SFP1 cannot be the untagged member of three VLANs - an untagged
# frame arriving on it could only belong to one. The roles are reversed:
# tagged=SFP1 (trunk) and untagged=etherN (access), as the reply below says.
add bridge=bridge tagged=ether2 untagged=SFP1 vlan-ids=10
add bridge=bridge tagged=ether3 untagged=SFP1 vlan-ids=20
add bridge=bridge tagged=ether4 untagged=SFP1 vlan-ids=30

Is it OK?

Now I’m using different bridges for different dhcp pools. How to run different DHCP pools when I have only 1 bridge as you suggest?
Now I run captive portal for WLAN network on bridge-vlan30. How can I set it up with only 1 bridge?

It is not OK - you define the SFP as a tagless (untagged) port of more than one VLAN, which is impossible. If a tagless packet comes in, there cannot be more than one VLAN ID with which it should be tagged. So you seem to have mixed up the category names - tagged is for trunk ports, untagged is for access ports. Also, in the /interface bridge port configuration the pvid must be specified for access ports, not for trunk ports.

Also, as you need the packets to be processed on L3 by the Mikrotik, you must make the bridge itself a tagged member port of itself. It’s a weird approach but that’s how it is currently done.

As for DHCP, each /ip dhcp-server must be attached to the corresponding /interface vlan, not to the common bridge. Each /interface vlan has a tagged side which is a member port of the bridge common to all VLANs (the bridge is chosen by the interface parameter of /interface vlan), and the tagless side to which the IP configuration (including /ip dhcp-server) is attached.

So the DHCP request arrives tagless to an access port, gets tagged as it is forwarded to the bridge, and the bridge forwards it to the /interface vlan with matching vlan-id which untags it again and sends it to the /ip dhcp-server attached to its tagless side.

Hello All,

Thank you for all your comments and hints. They are all very valuable for me.

I set up a lab at home with such scenario:
vlan 10 (10.1.10.0/24) - port ether2 (access)
vlan 20 (10.1.20.0/24) - port ether3 (access)
vlan 30 (10.1.30.0/24) - port ether4 (access)
vlan 100 (10.1.100.0/24) - port ether5 (access)
trunk - Ether 7 (tagged)

I created 1 bridge and tried to adjust it to your suggestions, but I didn’t succeed. I can’t get a vlan 10 (10.1.10.0) IP from DHCP on port Ether2 or a vlan 20 (10.1.20.0) IP from DHCP on port Ether3. It looks like DHCP doesn’t work. I tried to set up a static IP but still couldn’t ping my default GW 10.1.10.1 (port eth2 for vlan10) or 10.1.20.1 (port eth3 for vlan20). This is what I’m going to start with. When it works, I’ll proceed to fix the trunk and BPDU related issues. Please review my lab config and tell me if I’m going in the right direction.

This is my config:

# jan/02/1970 00:57:48 by RouterOS 6.42.1
# software id = 9VYH-4F3W
#
# model = 2011UiAS
# serial number = 771E069D0D75
# review: home-lab export (RB2011) as posted; lines starting with "# review:"
# are reviewer notes, nothing else was changed. The clock is unset (1970), so
# log timestamps are meaningless until the clock is set.
/interface bridge
# review: priority is hexadecimal - 0x4096 is 16534 decimal, not 4096 (which
# would be 0x1000); still below the default 0x8000.
add admin-mac=6C:3B:6B:28:77:95 auto-mac=no name=bridge priority=0x4096 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
# review: L3 VLAN interfaces on top of the bridge; each one only receives
# traffic if the bridge itself is a tagged member of that VLAN in
# /interface bridge vlan (it is not, in this version - see below).
# review: vlan1 uses VLAN ID 1, the bridge's default pvid; the next reply
# advises avoiding it. There is no /interface vlan for VLAN 192 although
# ether6 has pvid=192 below.
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool192 ranges=192.168.88.10-192.168.88.254
add name=pool10 ranges=10.1.10.100-10.1.10.200
add name=pool20 ranges=10.1.20.100-10.1.20.200
add name=pool30 ranges=10.1.30.100-10.1.30.200
add name=pool100 ranges=10.1.100.100-10.1.100.200
/ip dhcp-server
# review: server192 hands out pool192 (192.168.88.x) on vlan1, but vlan1's
# address below is 192.168.0.1/24 and 192.168.88.1/24 sits on the bridge;
# clients on vlan1 would get a gateway that is not on their interface.
add address-pool=pool192 disabled=no interface=vlan1 name=server192
add address-pool=pool20 disabled=no interface=vlan20 name=server20
add address-pool=pool30 disabled=no interface=vlan30 name=server30
add address-pool=pool100 disabled=no interface=vlan100 name=server100
add address-pool=pool10 disabled=no interface=vlan10 name=server10
/interface bridge port
# review: ether2 is the only access port without edge=yes; not a
# connectivity problem, but inconsistent with ether3..ether6.
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge edge=yes interface=ether3 pvid=20
add bridge=bridge edge=yes interface=ether4 pvid=30
add bridge=bridge edge=yes interface=ether5 pvid=100
# review: VLAN 192 has no L3 interface and no DHCP server in this config, so
# nothing on the router answers a host plugged into ether6.
add bridge=bridge edge=yes interface=ether6 pvid=192
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# review: this single entry is the main problem. An untagged port can belong
# to exactly one VLAN, so one entry listing five untagged ports for six VLAN
# IDs cannot express the intended layout, and the bridge itself is missing
# from tagged=, so the vlanN interfaces (and their DHCP servers) never see
# any frames. The next reply gives the corrected per-VLAN table.
add bridge=bridge tagged=ether7 untagged=ether2,ether3,ether4,ether5,ether6 \
    vlan-ids=1,10,20,30,100,192
/interface list member
# review: LAN contains only the bridge. Traffic from the access VLANs arrives
# on vlan10/20/30/100, which are not in LAN, so the "drop all not coming from
# LAN" input rule below drops it except ICMP (accepted earlier). Whether the
# DHCP server is affected is uncertain (it is generally said to bypass the IP
# firewall) - add the VLAN interfaces to LAN regardless.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
# review: 192.168.88.1/24 on the bridge (its untagged, pvid-1 side) and
# 192.168.0.1/24 on vlan1 both effectively belong to VLAN 1 - another reason
# to follow the advice to avoid VLAN ID 1.
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=10.1.10.1/24 interface=vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=vlan30 network=10.1.30.0
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=192.168.0.1/24 interface=vlan1 network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 gateway=10.1.30.1 netmask=24
add address=10.1.100.0/24 gateway=10.1.100.1 netmask=24
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# review: with LAN holding only the bridge, this drops non-ICMP input from
# every vlanN interface too (see the /interface list member note above).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lcd
set time-interval=hour
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Many thanks for all comments!
BR/Eliash

The purpose of /interface bridge vlan is to set up the VLAN filtering rules. So each item of this list which contains at least one port in the untagged parameter must have just a single VLAN ID.
And all VLANs which are processed locally at the CPU (because IP configuration is attached to them or because a wireless interface should be a member of that VLAN) must have the bridge itself as a tagged port.
Also, avoid VLAN ID 1, as it never works the way you expect.

So change your

/interface bridge vlan
# The entry being replaced: one line for six VLAN IDs with every access port
# untagged, and without the bridge itself among the tagged members.
add bridge=bridge tagged=ether7 untagged=ether2,ether3,ether4,ether5,ether6 \
    vlan-ids=1,10,20,30,100,192

to

/interface bridge vlan
# One entry per VLAN: each access port is untagged in exactly one VLAN, ether7
# is the tagged trunk, and the bridge itself is a tagged member so the
# CPU-side /interface vlan entries (and the DHCP servers on them) receive the
# traffic. VLAN 1 is deliberately left out.
add bridge=bridge tagged=bridge,ether7 untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether7 untagged=ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether7 untagged=ether4 vlan-ids=30
add bridge=bridge tagged=bridge,ether7 untagged=ether5 vlan-ids=100
add bridge=bridge tagged=bridge,ether7 untagged=ether6 vlan-ids=192

and you should be good.

Hi Sindy,

I tried your suggestion, but still with no success. See my current code:

# jan/02/1970 00:10:24 by RouterOS 6.42.1
# software id = 9VYH-4F3W
#
# model = 2011UiAS
# serial number = 771E069D0D75
/interface bridge
add admin-mac=6C:3B:6B:28:77:95 auto-mac=no name=bridge priority=0x4096 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool192 ranges=192.168.88.10-192.168.88.254
add name=pool10 ranges=10.1.10.100-10.1.10.200
add name=pool20 ranges=10.1.20.100-10.1.20.200
add name=pool30 ranges=10.1.30.100-10.1.30.200
add name=pool100 ranges=10.1.100.100-10.1.100.200
/ip dhcp-server
add address-pool=pool192 disabled=no interface=vlan1 name=server192
add address-pool=pool20 disabled=no interface=vlan20 name=server20
add address-pool=pool30 disabled=no interface=vlan30 name=server30
add address-pool=pool100 disabled=no interface=vlan100 name=server100
add address-pool=pool10 disabled=no interface=vlan10 name=server10
/interface bridge port
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge edge=yes interface=ether3 pvid=20
add bridge=bridge edge=yes interface=ether4 pvid=30
add bridge=bridge edge=yes interface=ether5 pvid=100
add bridge=bridge edge=yes interface=ether6 pvid=192
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether7,bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=ether7,bridge untagged=ether3 vlan-ids=20
add bridge=bridge tagged=ether7,bridge untagged=ether4 vlan-ids=30
add bridge=bridge tagged=ether7,bridge untagged=ether5 vlan-ids=100
add bridge=bridge tagged=ether7,bridge untagged=ether6 vlan-ids=192
# Interface lists used by the firewall and the mac-server settings.
# NOTE(review): LAN holds only the bridge itself, not the vlanNN interfaces.
# Routed traffic from VLAN clients enters via vlan10/vlan20/... and so does
# not seem to match in-interface-list=LAN; the input-chain "drop all not
# coming from LAN" rule would then drop new connections from VLAN clients to
# the router itself (DNS, WinBox). ICMP is accepted earlier, so this does not
# explain a failing ping -- confirm before relying on it.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
# Gateway address per VLAN interface, plus the defconf 192.168.88.1 on the
# bridge itself (untagged side).
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=10.1.10.1/24 interface=vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=vlan30 network=10.1.30.0
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=192.168.0.1/24 interface=vlan1 network=192.168.0.0
# WAN address is obtained by DHCP on ether1-WAN.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
# Network options handed out by the servers above; netmask=24 is the
# prefix-length form (a later reply suggests trying the dotted form).
/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 gateway=10.1.30.1 netmask=24
add address=10.1.100.0/24 gateway=10.1.100.1 netmask=24
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# allow-remote-requests=yes makes the router a DNS resolver for anything that
# reaches its input chain; it is only not an open resolver because the
# filter below drops input that does not come from the LAN list.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
# RouterOS default (defconf) firewall. Rules are evaluated top-down, so the
# order matters: input accepts established/related/untracked, drops invalid,
# accepts ICMP from ANY interface (including WAN, since the ICMP accept comes
# before the LAN-only drop), then drops everything not from the LAN list.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: IPsec policy matches pass, established flows are fasttracked
# (they bypass the remaining forward rules once marked), invalid is dropped,
# and new connections arriving from WAN without a DST-NAT mapping are dropped.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Masquerade everything leaving through the WAN list that has no outbound
# IPsec policy (ipsec-policy=out,none).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lcd
set time-interval=hour
/system routerboard settings
set silent-boot=no
# MAC-telnet and MAC-WinBox access restricted to interfaces in the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It does not provide an IP address via DHCP, and a static IP address on my PC doesn’t allow me to ping the default GW (10.1.10.1 on access port eth2 in vlan10).
I’m not sure whether the vlan interfaces should be attached to the physical bridge.

Thanks in advance!
BR/Eliash

To me this whole configuration seems correct. The fact that the tagged side of the /interface vlan (the interface parameter) is the bridge is also correct; that’s the purpose of the setup. I hazily remember there were recently some issues with the DHCP server on a bridge, but if you cannot ping the Mikrotik’s address in the VLAN even when you set an IP address from the same subnet on the PC manually, there must be something else wrong. Except that I cannot see it.

The firewall could interfere but ICMP is permitted so pinging should work and the firewall has no effect on DHCP.

IIRC, I had issues with this config; change the following:

/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1 netmask=24

To

/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1 netmask=255.255.255.0

And report back

Hi,

Thank you for all your comments. I have made progress :wink:
In my lab I managed to implement the settings you suggested, with vlan-filtering and one common bridge. DHCP and inter-VLAN routing work well, except for BPDUs per VLAN (it works only for vlan1).

This is my lab config:

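# Lab config: one VLAN-aware bridge (vlan-filtering=yes), ether5 as the tagged
# trunk towards the Cisco, ether1-ether3 as access ports.
#
# RouterOS reads the bridge priority as a hex value. The original export had
# priority=0x4096, which is 16534 decimal -- exactly the Root ID priority the
# Cisco "sh spanning-tree root" output further down reports for this bridge.
# The intended 4096 decimal is 0x1000. The lowest priority wins the root
# election, so any device able to inject BPDUs with a lower value can take
# the root role; keep that in mind for ports facing equipment you do not
# control.
/interface bridge
add admin-mac=4C:5E:0C:C0:AB:32 auto-mac=no name=bridge priority=0x1000 \
    vlan-filtering=yes
# Routed interfaces on top of the bridge. vlan10/20/30 need the bridge as a
# tagged member in /interface bridge vlan below; vlan100 has no entry there,
# so it presumably cannot pass traffic.
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan100 vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=192.168.0.100-192.168.0.200
add name=pool10 ranges=10.1.10.100-10.1.10.200
add name=pool20 ranges=10.1.20.100-10.1.20.200
add name=pool30 ranges=10.1.30.100-10.1.30.200
add name=pool100 ranges=10.1.100.100-10.1.100.200
# pool100 is unused: no server and no /ip address for vlan100 in this export.
/ip dhcp-server
add address-pool=pool10 disabled=no interface=vlan10 name=server10
add address-pool=pool20 disabled=no interface=vlan20 name=server20
add address-pool=pool30 disabled=no interface=vlan30 name=server30
add address-pool=pool1 disabled=no interface=vlan1 name=server1
# Access ports: pvid puts untagged ingress into that VLAN. edge=yes skips the
# RSTP listening/learning states, so use it on host-facing ports only.
/interface bridge port
add bridge=bridge edge=yes interface=ether1 pvid=10
add bridge=bridge edge=yes interface=ether2 pvid=20
add bridge=bridge edge=yes interface=ether3 pvid=30
# ether4, ether6-ether10 and sfp1 keep the default pvid (1) and have no entry
# in the VLAN table, so they carry VLAN 1 only. ether5 is the trunk.
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp1
# VLAN table: ether5 tagged for 10/20/30; the bridge itself is tagged so the
# vlanNN interfaces above receive the traffic.
# NOTE(review): the bridge runs a single (R)STP instance and its BPDUs are
# not per-VLAN; a peer running per-VLAN spanning tree (the Cisco's
# rapid-pvst) appears to apply them to VLAN 1 only, which matches the output
# further down -- confirm on the Cisco side.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether1 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=30
/ip address
add address=10.1.10.1/24 interface=vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=vlan30 network=10.1.30.0
add address=192.168.0.1/24 interface=vlan1 network=192.168.0.0
# Leftover defconf DHCP client, now bound to the LAN bridge; presumably not
# wanted once the bridge carries static addresses -- confirm.
# Note also that this lab export has no /ip firewall filter section at all.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    bridge
/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 gateway=10.1.30.1 netmask=24
/system routerboard settings
set silent-boot=no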

Mikrotik is sending BPDUs on its trunk (port eth5) and the other side (a Cisco switch) receives the BPDUs.
Cisco switch sees that Mikrotik is the root, but only for VLAN1:

Cisco is attached via trunk from port te 3/0/12 ---- eth5 on Mikrotik

Switch#sh spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         16534 4c5e.0cc0.ab32         4    2   20  15  Te3/0/12
VLAN0010         32778 247e.12c1.e600         0    2   20  15
VLAN0020         32788 247e.12c1.e600         0    2   20  15
VLAN0030         32798 247e.12c1.e600         0    2   20  15
VLAN0100         32868 247e.12c1.e600         0    2   20  15
Switch#

As you can see, for vlans 10, 20 and 30, the Cisco treats itself as ROOT. Only for VLAN1 does everything work as expected. Additionally, the Mikrotik priority is incorrect: it shows 16534, but the MT configuration specifies 4096 as the priority.

Thanks again for any hints.
BR/Eliash

That takes us a bit away from this forum’s scope, as it is not a Cisco forum, but what STP flavor have you chosen on that Cisco? Having the BPDU respected only on a single VLAN suggests that the Cisco is running PVST or PVST+, which do work with tagged BPDUs. But don’t expect the Netgear gear to support the same, please.

STP and RSTP expect a common topology for all VLANs; PVST expects an individual topology for every single VLAN, so there is a lot of BPDU traffic, and it is Cisco-proprietary; MSTP expects an individual topology for each “instance”, which handles a group of VLANs, and it is the only STP flavor you can expect to be fully interoperable between different vendors’ devices.

Hi Sindy,

Cisco is running rapid-pvst. It’s only a LAB environment; in production I will use Netgear. If the current Mikrotik config works with Netgear then I’m fine with that :slight_smile:

BR/Eliash