Bridge VLAN Filtering- Home Router

Hello,

I’m attempting to use VLANs on a small network. I’ve not much experience with layer 2 (VLAN / physical).

This is the third or fourth time I’ve had to disconnect my router (RouterBoard 493), take apart the chassis, reset it, and put it back together. It is frustrating. I keep locking myself out with the “set bridge vlan-filtering=yes.”

Here is a brief overview of what I am trying to accomplish:
Router admin access available only on management VLAN

VLAN Port Setup:

Trunk ports:
3: Powerline: for connecting upstairs; will have multiple VLANs (which ultimately will be fed into wireless)
4: Downstairs AP: Wireless will support multiple SSIDs with individual VLANs
Access Ports:
Printer
WAN?
Win7 desktop
5: Raspberry Pi (might eventually switch to trunk port, depends on what it will be used to do)

VLANs (IP prefix 192.168):

ID: 97, IP: 57, Management (isolated, internet only)
ID: 10, IP: 40, Efeed (entertainment, streaming; internet only, isolated; video file server)
ID: 12, IP: 41, Guest
ID: 11, IP: 42, Work (printer access, otherwise isolated; home devices might join here)
ID: 14, IP: 43, Phones (copy Efeed; only difference that might come up is bandwidth assignment)
ID: 15, IP: 44, Office (printer; win 7 computer, document file server)
ID: 13, IP: 45, Workspace (printer access, network experimentation, terminal server, d’s laptop, etc)
From a near default starting point, I run these commands in the SSH terminal:

Bridge VLAN Filtering, CPU only (Switch Chip on RouterBoard 493 does not support VLAN port switching)

/interface bridge
add name=bridge1

/interface bridge port

Trunk ports?

add bridge=bridge1 interface=ether3 hw=no
add bridge=bridge1 interface=ether4 hw=no

Access Ports

Raspberry Pi in Workspace VLAN (ID=13)

add bridge=bridge1 interface=ether5 hw=no pvid=13

Management Access: Management VLAN (ID=97)

add bridge=bridge1 interface=ether2 hw=no pvid=97


VLAN to Port table mapping?

/interface bridge vlan

Trunk Port (Looks like it isn’t possible to do things this way)

Why does the bridge need to be added to trunk ports as a tagged interface?

#add bridge=bridge1 tagged=bridge1,ether3,ether4 vlan-ids=10,11,12,13,14,15,97

Access Port: workspace VLAN (ID: 13), port 5 (Raspberry Pi)

add bridge=bridge1 tagged=ether3,ether4 untagged=ether5 vlan-id=13

Access Port: Management VLAN (ID: 97), port 2 (As of 12/4/19, Win 7 pc)

add bridge=bridge1 tagged=ether3,ether4 untagged=ether2 vlan-id=97

/interface vlan

add interface=bridge1 vlan-id=10 name=Efeed
add interface=bridge1 vlan-id=11 name=Work
add interface=bridge1 vlan-id=12 name=Guest
add interface=bridge1 vlan-id=13 name=Workspace
add interface=bridge1 vlan-id=14 name=Phones
add interface=bridge1 vlan-id=15 name=Office
add interface=bridge1 vlan-id=97 name=Management

/ip address
add address=192.168.57.1/24 interface=Management
add address=192.168.40.1/24 interface=Efeed
add address=192.168.41.1/24 interface=Guest
add address=192.168.42.1/24 interface=Work
add address=192.168.43.1/24 interface=Phones
add address=192.168.44.1/24 interface=Office
add address=192.168.45.1/24 interface=Workspace

/ip pool
add name=Management ranges=192.168.57.20-192.168.57.100
add name=Efeed ranges=192.168.40.20-192.168.40.100
add name=Guest ranges=192.168.41.20-192.168.41.100
add name=Work ranges=192.168.42.20-192.168.42.100
add name=Phones ranges=192.168.43.20-192.168.43.100
add name=Office ranges=192.168.44.20-192.168.44.100
add name=Workspace ranges=192.168.45.20-192.168.45.100

/ip dhcp-server
add address-pool=Management interface=Management name=Management_DHCP disabled=no
add address-pool=Efeed interface=Efeed name=Efeed_DHCP disabled=no
add address-pool=Guest interface=Guest name=Guest_DHCP disabled=no
add address-pool=Work interface=Work name=Work_DHCP disabled=no
add address-pool=Phones interface=Phones name=Phones_DHCP disabled=no
add address-pool=Office interface=Office name=Office_DHCP disabled=no
add address-pool=Workspace interface=Workspace name=Workspace_DHCP disabled=no

/interface bridge set bridge1 vlan-filtering=yes

This is the best run yet.

Device connected at port five can see STP packets, as well as UDP port 5678 LLDP packets which show that some of the IP addresses have been properly set (192.168.45.1 and 192.168.57.1).

Device connected on port 2 and set to DHCP does not get IP address (neither does device at port 5), but unlike prior attempts, the DHCP packets from port 2 are not seen on port 5 device (good; this means that either VLAN separation might be partly working, or there’s some other problem).

Any input would be appreciated. I’ve spent a lot of time on this and feel not much headway has been made.

The comment in config file about necessity of bridge1 interface being tagged member of needed vlans … is correct. As to why: bridge has two personalities, one is “something like a switch” and the other is “an interface” … the second one gets created automatically with the first one … and should be correctly configured.

BTW, check settings under /tool mac-server, they govern access from winbox via MAC … if configured openly enough, it might save you from resetting your device.

BTW2: enable safe mode before setting stuff that might break management access … if it breaks, setup will revert to state before entering safe mode … allowing you to reconnect and try again slightly differently.

Cannot help but to reiterate the great advice. USE SAFE MODE!!!

Also this resource is excellent to help setup vlans…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

After a cursory glance at your setup I would look at the VLAN to Port table mapping?
(1) I would remove the duplication you have for vlantags for vlanid 13, 97 in red
by removing ether3,4 from second and third lines

/interface bridge vlan
#add bridge=bridge1 tagged=bridge1,ether3,ether4 vlan-ids=10,11,12,13,14,15,97

Access Port: workspace VLAN (ID: 13), port 5 (Raspberry Pi)

add bridge=bridge1 untagged=ether5 vlan-id=13

Access Port: Management VLAN (ID: 97), port 2 (As of 12/4/19, Win 7 pc)

add bridge=bridge1 untagged=ether2 vlan-id=97

Safe mode is annoying. Either you forget to turn it on and you lock yourself out, or you forget to turn it off after each step, so when you finally lock yourself out and it kicks in, you lose the config all the way back to when you enabled it.

You have nine ports, you probably don’t need all of them. Even if you do, you can set one aside temporarily. Keep it separate, don’t add it to bridge. Enable MAC access on it and you’re safe, no matter what you mess up, you can use this port to get in.

Edit: And yes, the overlap noticed by anav could be it (for the lack of better ideas). Only I’d remove 13 and 97 from first rule. It’s just a guess, but vlan ids not repeating in different rules at all sounds better to me.

Funny you should say that, as my original edit had them removed from the first rule and added to the second and third rules, but then I thought perhaps tagging the bridge in only one rule vice 3 would be less load on the CPU and thus more efficient.

My guess is more along the lines that router could process first rule, then see next ones and skip them, because it already has config for vlan 13 and 97. Of course it can be nonsense. I’m too tired to test it now. I’d expect that router would warn about it, if it didn’t like vlans repeated in different rules, but who knows..

I don’t know how ROS would react if separate config lines actually contradicted each other. Alas, OP’s rules don’t. The first rule sets ether3 and ether4 as tagged ports of a whole lot of VLANs; the second and third rules set ether2 and ether5 to be access ports, each for one of the VLANs.
I agree that a line per VLAN makes configuration much more readable and thus less prone to some misconfiguration.

Thank you all for your help. It will be a day or so before I can work at this again, but the input is much appreciated.

Also, I found other material online that suggested that the bridge might need to be added to the VLANs, so that the CPU port (which is in some way connected to the bridge?) will see the traffic from the bridge.

In other words,

#add bridge=bridge1 tagged=bridge1,ether3,ether4 vlan-ids=10,11,12,13,14,15,97

That line, while not correct overall (don’t remember why), was correct in tagging the bridge.

Thanks again! I’m currently using a Hex line router for home, but got this additional one to learn how to set things up without breaking the internet connection for my family.

Mikrotik has a reputation for reliability. Bravo!

It was written already, if you have vlan interface on bridge with vlan X (/interface vlan add interface=bridge vlan-id=X name=somevlan), the bridge itself must be included as tagged interface for X in vlan definition (/interface bridge vlan add bridge=bridge tagged=bridge, untagged= vlan-ids=X).

Sob, you can be more clear ;-p
Is the following correct - ruleS of thumb?
To have a vlan on a trunk port the bridge must also be tagged.
To have a vlan on an access port the bridge does not need to be tagged.
In any line where one has tagged ports (trunk) and untagged ports (access), the bridge must also be tagged.

Ex.
/interface bridge vlan
#add bridge=bridge1 tagged=bridge1,ether3,ether4 vlan-ids=10,11,12 (ether3,4 are trunk ports)
add bridge=bridge1 untagged=ether5 vlan-id=13 (ether5 access port)
add bridge=bridge1 tagged=bridge1,ether7 untagged=ether2 vlan-id=97 (ether7 trunk port, ether2 access port)

Setting bridge as tagged member of a vlan has nothing to do with how other ports are configured with regard to vlans.

Keep in mind that bridge is not only a switch-like entity, it is also an interface which enables router to join the party in switch-like bridge … and should be configured exactly the same way. So if router needs to interact with some VLAN, it needs a vlan interface on bridge (interface!) and bridge interface has to be tagged member of same vlan.

There’s no magic … if config line says interface=bridge, then it’s about bridge interface … if config line says bridge=bridge, then it’s about switch-like bridge.

BTW, config in /interface bridge (not in branches below that) is about bridge interface

And if you want it easy to understand, just completely ignore bridge as interface. Think about it only as a way how to configure vlans on ports in switch-like way. Give the bridge some unused PVID and only use vlans on bridge to access stuff.

Yes but what is not clear to most is that when I config a line as such
/interface bridge vlan
add bridge=bridge1 untagged=ether5 vlan-id=13 (ether5 access port)

why would I need it to be
add bridge=bridge1 tagged=bridge1 untagged=ether5 vlan-id=13

is it because the router will be doing Layer 3 routing for that traffic???

It would need to be like this if and only if you had /interface vlan add interface=bridge1 name=vlan13 vlan-id=13 … and L3 setup on vlan13 interface.

You can’t do that entirely … if one uses bridge as dumb switch, then one has to use bridge interface for router interaction with network served by bridge.

I meant when we’re talking about advanced bridge with vlan filtering, I otherwise don’t have anything against good old simple bridge.

I fully agree with that … just wanted to nitpick :wink:

To further nitpick…
when you say L3 setup on vlan12 interface, do you mean:

a. firewall rules that apply to the VLAN
b. routing rules that apply to the VLAN
c. ???

++++++++++++++++++++++++++++++++++++++

In any case then, this
/interface bridge vlan
#add bridge=bridge1 tagged=bridge1,ether3,ether4 vlan-ids=10,11,12,13,14,15,97

Access Port: workspace VLAN (ID: 13), port 5 (Raspberry Pi)

add bridge=bridge1 untagged=ether5 vlan-id=13

Access Port: Management VLAN (ID: 97), port 2 (As of 12/4/19, Win 7 pc)

add bridge=bridge1 untagged=ether2 vlan-id=97

Should probably look like this then!!!
/interface bridge vlan
#add bridge=bridge1 tagged=bridge1,ether3,ether4 vlan-ids=10,11,12,14,15

Access Port: workspace VLAN (ID: 13), port 5 (Raspberry Pi)

add bridge=bridge1 tagged=bridge1,ether3,ether4 untagged=ether5 vlan-id=13

Access Port: Management VLAN (ID: 97), port 2 (As of 12/4/19, Win 7 pc)

add bridge=bridge1 tagged=bridge1,ether3,ether4 untagged=ether2 vlan-id=97

If you need bridge only as L2 switch for vlans, then you have everything needed under “/interface bridge”. Create bridge, add ports, set their pvid, define where each vlan is (ports) and in what form (tagged/untagged). And that’s it. If you need the router to participate in some vlan on L3 level for any reason (to be router for that vlan or just be there as host, doing e.g. VPN server, monitor vlan network using Dude, …), add vlan interface under “/interface vlan”.
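The three rules this thread settles on (the bridge must be a tagged member of every VLAN it has an /interface vlan on, one bridge-vlan rule per VLAN, and an access port's pvid must match an untagged membership) can be checked offline before running vlan-filtering=yes. The following is an added example, not MikroTik tooling and not code from anyone in the thread; it parses plain "add ..." export lines, assumes comma-separated vlan-ids with no ranges, and uses a config constructed from the OP's post as sample input.

```python
import re

def parse(config):
    """Map each '/interface ...' menu to the key=value dicts of the 'add' lines under it."""
    menus, menu = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            menus.setdefault(menu, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

EMPTY = {"tagged": (), "untagged": ()}  # membership of a VLAN no rule defines

def check_bridge_vlans(config, bridge="bridge1"):
    """Return the problems found; an empty list means the VLAN table looks consistent."""
    menus = parse(config)
    members = {}  # vlan id -> {"tagged": set, "untagged": set, "rules": how many rules define it}
    for r in (x for x in menus.get("/interface bridge vlan", []) if x.get("bridge") == bridge):
        ids = r.get("vlan-ids") or r.get("vlan-id", "")  # CLI accepts both spellings; no ranges
        for vid in filter(None, ids.split(",")):
            m = members.setdefault(vid, {"tagged": set(), "untagged": set(), "rules": 0})
            m["tagged"].update(filter(None, r.get("tagged", "").split(",")))
            m["untagged"].update(filter(None, r.get("untagged", "").split(",")))
            m["rules"] += 1
    problems = [f"VLAN {v} appears in {m['rules']} rules; use one rule per VLAN"
                for v, m in members.items() if m["rules"] > 1]
    for i in menus.get("/interface vlan", []):  # L3 interface needs the bridge tagged in that VLAN
        vid = i.get("vlan-id")
        if i.get("interface") == bridge and bridge not in members.get(vid, EMPTY)["tagged"]:
            problems.append(f"{i.get('name')} (VLAN {vid}): {bridge} is not tagged in VLAN {vid}")
    for p in menus.get("/interface bridge port", []):  # pvid must match an untagged membership
        vid = p.get("pvid") if p.get("bridge") == bridge else None
        if vid and p["interface"] not in members.get(vid, EMPTY)["untagged"]:
            problems.append(f"{p['interface']} has pvid={vid} but is not untagged in VLAN {vid}")
    return problems

OP_CONFIG = """
/interface bridge port
add bridge=bridge1 interface=ether5 hw=no pvid=13
add bridge=bridge1 interface=ether2 hw=no pvid=97
/interface bridge vlan
add bridge=bridge1 tagged=ether3,ether4 untagged=ether5 vlan-id=13
add bridge=bridge1 tagged=ether3,ether4 untagged=ether2 vlan-id=97
/interface vlan
add interface=bridge1 vlan-id=13 name=Workspace
add interface=bridge1 vlan-id=97 name=Management
"""  # constructed from the OP's post: bridge1 itself is tagged nowhere
# The fix the thread converges on: tag the bridge in every VLAN it has an interface on.
FIXED_CONFIG = OP_CONFIG.replace("tagged=ether3,ether4", "tagged=bridge1,ether3,ether4")
```

Run check_bridge_vlans(OP_CONFIG) and it reports that Workspace and Management lack the bridge as a tagged member, which is exactly why DHCP on ports 2 and 5 went nowhere; the FIXED_CONFIG variant reports nothing.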

Access to the router through ports 2 and 5 is now working.

Is it possible for a VLAN to exist in a trunk port as well as in an access port? I feel it would be nice to access the management VLAN both from the dedicated port (ether 2 in this case) and through the trunk ports 3 and 4.