Bridge and port VLANs

RouterOS General
1

Hi,

From https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_without_a_built-in_switch_chip, we have:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes pvid=20
add bridge=bridge1 interface=ether3 hw=yes pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface bridge
set bridge1 vlan-filtering=yes

a) why

add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30 // a1

isn’t scripted as:

add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30

Since PVIDs (incoming untagged packets) for each port are defined here:

add bridge=bridge1 interface=ether2 hw=yes pvid=20
add bridge=bridge1 interface=ether3 hw=yes pvid=30

is first rule (a1) only for filtering purposes ? why it’s description is compressed: untagged=ether2,ether3 vlan-ids=20,30
since PVID is already defined for each bridge port, why we need to define it here again ?

b) why there is “bridge1” interface for tagged parameter used here:

add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99

c) Let’s say we have:

add bridge=bridge1 interface=ether2 hw=yes pvid=20 ingress-filtering=no

is it mean that:

  • if tagged packet with vlan id 30 will enter this port it’ll be still processed and directed to bridge (if port belongs to bridge)

d) what means ingress-filtering for bridge (if it is already defined for bridge ports)

Mikrotik 3011 VLAN setup voice + data
2

For starters

  • when assigning ethernet interfaces on bridge ports (and WLANS if its a wifi router) one does not assign PVIDS here, they should all be the default of 1

-when assigning VLANS as per the Vlan tab,
one defines the bridge (by bridgename pull down menu)
one defines all the Vlans running through the bridge, one per line
one defines the Tagged items which include the Bridge and any ethernet ports carrying one or more vlans (and WLANs as well if its a wifi router).
Should look like
seclect bridge: bridge1
VLAN IDs: 99
30
20
Tagged: bridge1
eth1
eth2
eth3

After your vlans are setup witch DHCP servers etc, go to the bridge tab on the bridge menu and doubleclick on teh name of the bridge and in the popup menu select vlans and select vlan filtering.

3

Vlan 20 and 30 are not used as routing, just passing trough like a switch without any IP for them on the router.
Vlan 99 do have a vlan interface with an IP connected to the bridge.

/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT

So to be able to communicate it also have to be tagged on the bridge as well.

add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99



You can no add an interface to the bridge so this command will fail

4

Sorry, I meant:
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes pvid=20 ingress-filtering=no

5

If am I correct, this port will be like an untagged port for vlan 20. So packed with no tag coming inn to this port will be marked as vlan 20.
You can also send taggeed packed to the port (eks tagged with vlan 30) They will enter the bridge with tagg 30 intact if you have:

/interface bridge vlan
add bridge=bridge1 tagged=ether2 vlan-ids=30

For this part:

/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes pvid=20
add bridge=bridge1 interface=ether3 hw=yes pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30

If I do understand this, you will on the ports get like this:

ether1: untagged vlan1  tagged: vlan20 and vlan30
ether2: untagged vlan20
ether3: untagged vlan30

This

add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30

would be a short form of this

add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30

since you do specify what should be the untaged in the interface.

add bridge=bridge1 interface=ether2 hw=yes pvid=20

it will select the correct untagged vlan

From the manual found here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

untagged ports remove VLAN tag before sending out frames if the learned VLAN ID matches the port pvid

You see that it will be sent out untagged if there is an match to the pvid on the port.

6

What you wrote is exactly as I thought:

/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30

is a shorter form of:

/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30

but this shorter form is valid only when it’s used in conjunction with:

/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes pvid=20
add bridge=bridge1 interface=ether3 hw=yes pvid=30

so why do we need to define untagged for bridge vlan again here:

/interface bridge vlan
add bridge=bridge1 tagged=ether1 [b]untagged=ether2[/b] vlan-ids=20
add bridge=bridge1 tagged=ether1 [b]untagged=ether3[/b] vlan-ids=30

isn’t it redundant and confusing ?
Also I think it’s better to define one line for one vlan-id (as above) as anav pointed, but maybe it has impact on performance ???

also for:

/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes pvid=20 ingress-filtering=no

other than vlan20 tagged packets can enter this interface and will be forwarded to bridge cause of ingress-filtering=no, if it would be:

/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes pvid=20 ingress-filtering=yes frame-types=admit-all

admit-all - both pvid tagged and untagged can enter, but no other
admit-only-vlan-tagged - only tagged (by pvid) can enter
admit-only-untagged-and-priority-tagged - only untagged and priority tagged by pvid can enter

right ?

7

Sorry I can only relate to a working setup I have on my hex…

/interface ethernet
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
set [ find default-name=ether1 ] comment=Port1 name=Eastlink_eth1 speed=\
    100Mbps
set [ find default-name=ether2 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether3 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether4 ] comment=LAN2-DMZ speed=100Mbps
/interface bridge
add admin-mac=64:D1:54:9A:70:B4 auto-mac=no comment=defconf name=HomeBridge \
    protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=HomeBridge name=Guests_WIFI-v200 vlan-id=200
add interface=HomeBridge name=MediaStreaming_V40 vlan-id=40
add interface=HomeBridge name=NAS_V33 vlan-id=33
add interface=HomeBridge name=TheoVLAN vlan-id=666
add interface=HomeBridge name=VideoCamVLAN vlan-id=99
add interface=HomeBridge name=Wifi-SDevices_cap1 vlan-id=30
add interface=HomeBridge name=Wifi_SDevices_cap2 vlan-id=45
add interface=Bell_eth5 name=vlanbell vlan-id=35
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=HomeBridge comment=defconf interface=ether2
add bridge=HomeBridge comment=defconf interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set allow-fast-path=no icmp-rate-limit=100 rp-filter=loose
/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge,ether3,ether2 vlan-ids=\
    100,30,45,200,666,99,40,33,111
/interface list member
add comment=defconf interface=Eastlink_eth1 list=WAN
add interface=ether4 list=LAN
add comment=defconf interface=HomeBridge list=LAN
add interface=GuestWifi_T&B_V100 list=LAN
add interface=Wifi-SDevices_cap1 list=LAN
add interface=Wifi_SDevices_cap2 list=LAN
add interface=vlanbell list=WAN
add interface=Guests_WIFI-v200 list=LAN
add interface=TheoVLAN list=LAN
add interface=VideoCamVLAN list=LAN
add interface=MediaStreaming_V40 list=LAN
add interface=NAS_V33 list=LAN
8

I’m learning MikroTik’s VLAN settings, so what follows is my understanding. I do think the sample configuration on the wiki showing two methods that accomplish the same thing does seems ambiguous. Repeatedly setting tagged=ether1 looks odd to me too.

With MikroTik, you’re configuring two things to make VLAN work: incoming (ingress) packet identification and egress packet tagging and identification. Because they are under different menus, I guess it makes it confusing.

Okay, so you’re going with MikroTik’s new Bridge_VLAN_Filtering concept. Great, then you will want to have one bridge. Then, you modify this bridge. We add “ports” (interfaces) to it. It is here that you also set the pvid (ingress) (1 is the default, untagged aka access port). Then setup vlan interfaces on the bridge’s port members.

Step 1: Setup ingress like this:

/interface bridge port
add bridge=B1 interface=ether5 pvid=123

Step 2: Set the egress, which is where you do the seemly confusing part of:

/interface bridge vlan
add bridge=B1 untagged=ether4 tagged=ether5 vlan-ids=123

Make more sense now?
: - )

Okay, but what about the bridge itself? Why does MikroTik show it as a possible tagged member? Well, if you want to have a VLAN interface (which will be managed by this one single wonder bridge) that can be routable, pingable, and IP accessible, a virtual standalone interface, MikroTik says it will need to hit the CPU and thus the bridge itself will need to be tagged. I don’t know why, that just what MikroTik says!

/interface bridge vlan
add bridge=B1 tagged=B1 vlan-ids=321

/interface vlan
add interface=B1 name=MyGuestInternetVLAN vlan-id=321

/ip address
add interface=MyGuestInternetVLAN address=10.0.0.1/24

Notes:
While you can set ingress and egress, and things will work, to be forceful and therefore secure, a packet with or without a tag can optionally be accepted or rejected based on its vlan ID being the same as pvid. This is why you have a pvid parameter. The vlan concept is about responding to packets with and without vlan ID tags. They can be the same, different, stacked, or not present. See ingress-filtering enabling the frame-types option.

9

With Router OS you can do VLAN in many ways. Just look at my post trying to learn VLAN here:
http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/1

You need to see what is going on here. Think of this as two devices.

Side on, the Interface. You need to tell the interface site what is the untagged vlan

/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes pvid=20

Side two the Bridge. Here you need to tell how VLAN is handled against each interface.

/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30

I do agree its very confusing and complicated.

10

Very nice way of describing this. Thank you.

11

I would like to point out that your suggested shortened version of the bridge VLAN table entry is not correct for this case. It gives VLANs to be able to access more ports than intended.
This case has been studied in this guide:
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

12

Going back to your original (first post) and hopefully expand accurately upon what artz was stating…
For each vlan requiring a bridge port to behave like an access port (to mark packets from dummy devices) or to forbid vlan tags (to drop incoming vlan tagged packets for any reason), one will require an additional /interface bridge vlan RULE - caveat, unless access port vlan tagging is the only vlan on the network. The basic rule of thumb could be viewed also as (except for the case of only one VLAN), that every VLAN that requires a bridge port PVID assignment should have its bridge port untagged on at least one /interface bridge vlan rule.

Also to my understanding for PVID to work as required, ingress-filtering has to be enabled. In fact, I do not know what the result would be of assigning a PVID without ingress filtering enabled?? Anybody care to elaborate or help me on this unknown?

/interface bridge
add name=bridge1 set bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=20 ingress filtering=yes
add bridge=bridge1 interface=ether3 pvid=30 ingress filtering =yes
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
add interface=bridge1 vlan-id=vlan20
add interface=bridge1 vlan-id=vlan30
/interface bridge vlan
add bridge=bridge1 tagged=ether1, vlan-ids=99
add bridge=bridge1 tagged=ether2, ether3 vlan-ids=20,30

If you wanted the management vlan to be accessible from every location
then…
/interface bridge vlan
add bridge=bridge1 tagged=ether1, vlan-ids=99
add bridge=bridge1 tagged=ether2, ether3 vlan-ids=20,30,99

13

How should I know that, when the Wiki page was created today :slight_smile: (20 nov 2018)
Its nice to see that we do get some more clear information around this topic.


Ingress filtering - By default VLANs that don’t exist in the bridge VLAN table are dropped before they are sent out (egress), but you can drop the packet when they are received (ingress).

So If I do understand this correct. You are connecting a MT to a Cisco switch. The Cisco has a trunk port with VLAN 10,20,30 tagged.
On your MT you have setup so that you have VLAN 20 and 30 tagged on the port.

If you set ingress filter to yes, it will block VLAN 10 from entering the MT.

But where should it go if you do not have setup VLAN 10 on the MT, what problem could I do run inn to?

So if I need all VLAN that are coming on the trunk, I do not need to use Ingress Filtering?


PVID - The Port VLAN ID is used for access ports to tag all ingress traffic with a specific VLAN ID. An dynamic entry is added to the bridge VLAN table for all ports for the VLAN ID that matches the VLAN ID, the port is automatically added as an untagged port.

Is not the PVID also used to remove the VLAN ID from the outgoing packet (egress traffic) as well?


It is always recommended to configure VLAN filtering while using a serial console, though you can also configure a device through a port, that is not added to a bridge.

Here you should add that you could use mac to access the device.

14

Not relevant. When configuring VLANs one is changing L2 landscape and in case of misconfiguration L2 (aka MAC) connectivity is lost. So in this case it doesn’t matter if administrator is connected via IP or MAC.

15

Hmm
When my connection is lost using mac, I just reconnect (it may be a new mac). But it works, never locked my self out.

16

Wow nice link to vlan table. I will have to study this sucker tonight ( and I thought mkx was innately all knowing, seems he just had better resources :stuck_out_tongue_winking_eye: )

17

Consider this example: you’re setting up an access port (untagged member of a VLAN) which happens to be the exact ether port your management workstation is using to connect to RB. And that you make an error not to include bridge as tagged (or untagged but with matching LVID) member of same VLAN. At the moment when you enable vlan-filtering on bridge you loose L2 connectivity between your PC and RB’s CPU and you can’t get it back.

So consider yourself lucky - or an expert.

18

Hopefully this post will answer most of your questions.

anav - PVID to work you only need VLAN filtering to be enabled, ingress filtering has a different purpose that adds another layer of security when deciding if a packet with a VLAN tag needs to be dropped or forwarded. This has been studied in the wiki guide, there are a few cases where it makes a difference.

Jotne - you couldn’t have known the difference between the shortened version and the long version of the bridge VLAN table entry, that is why the guide was created.

The idea of why ingress filtering exists is because by default a packet with a VLAN tag can enter the device, but the decision to drop it comes only when the packet is being sent out. This means that if your packets are flowing from trunk->access port and you have allowed only VLAN20,30 on the trunk port and VLAN10,20,30 on the access port, then in one direction (trunk->access port) the VLAN10 traffic will be forwarded (since only egress traffic is checked), of course traffic will not be forwarded in the other direction (access->trunk port) since VLAN10 is not allowed on the egress port. If you enable ingress filtering, you are adding an extra check to make sure the VLAN is allowed both on egress and ingress. In the same example, if you had VLAN10 traffic going from trunk->access port, but VLAN10 was not allowed on the trunk port, then it will get dropped (and will not even reach the egress check), this is the same as “vlan-mode=secure” if you are more familiar with that.

PVID is used to set the VLAN ID for a VLAN tag, but there is also a feature that adds the port dynamically to the bridge VLAN table, which is studied in the guide. I don’t think it is entirely correct to say that the PVID is used to remove the VLAN tag, because in hybrid port setups the PVID is used to add a VLAN tag while you might have other tagged packets being forwarded without removing the VLAN tag. The best way to think of it is that the bridge VLAN table decides whether the VLAN tag is removed (like mentioned in the guide) since that is where you configure if the VLAN tag will be removed or not for the appropriate VLAN ID. There is a feature that dynamically adds access ports as untagged ports, so in that case you can consider that PVID is used to remove the VLAN tag, but that is just one possible case.

mkx - there is a chance not to loose access, I added this case to the guide. Basically it has to do with the fact that the bridge itself has PVID=1 and usually trunk ports are using PVID=1 as well, as a result both the trunk port and the bridge interface is added to the bridge VLAN table dynamically as untagged ports.

19

Thanks artz for the explanation.

One more question.
When you do enable Ingress Filtering, does it uses the Bridge VLAN table to decide what VLAN should be allowed in?

20

Yes, basically any decision to drop a packet based on its VLAN ID is done by checking the bridge VLAN table. Ingress filtering adds a second check when a packet is received (and then checked again before sent out). Of course frame-type will also be responsible for dropping appropriate packets. PVID is not used to decide whether to drop a packet or not (not directly at least).