Hi everyone.
I have a strange issue with one device in my networks when i turning on Bridge VLAN filtering on my main routers(no matter it ROS 6 or ROS 7). Simplified schema:
So i have main router (ROS 6 or ROS 7) i have switch attached to main router to bridge port. Clients are connected to the switch and also one cAP AC. I need to separate guest wifi clients from my lan network so i used bridge vlan filtering and isolated vlan for this clients. And everything works prfectly, PCs, laptops, wifi, TV’s and other devices except one - thermal receipt fiscal printer. This printer has problem connectivity to main router, about 60% packet loss, internet connection working just partially(only servers check but not sending any data). The main problem that this is more than one case, i have at least 5 location with different switches, different routers where this problem presist(only when bridge vlan filtering on). All devices using native vlan 1 except guest wifi clients. So i made a simple stand and what did i manage to find out:
Even without any configuration on vlan but only with enabled option “bridge vlan filtering” - the printer has connectivity issues.
After i disabling “bridge vlan filtering” problem still presist until i turning on and off interface on router that connected to switch. After that there’s no connectivity problems.
Replacing the switch had no effect(used unmanaged TP-Link, CSS-326, router RB-951 with all bridged ports)
Tried to manage vlans on switch, configured untagged port for printer and trunk on uplink - no effect.
PC that connected to the same switch has no connectivity issues with this printer. Connectivity issue only between Mikrotik router(with bridge vlan filtering on) and this printer.
I tried to hide this printer behind another router with NAT - no connectivity issues, everyting workin fine.
I thought it might be problem with MTU, but pinging with any size of packet with “dont fragment” flag did not bring any result.
Main settings on Mikrotik router just only with bridge vlan filtering on:
Connectivity issue from main router to printer looks like this:
I can understand that this is might be a problem with this printers, but i cant refuse to use this printers because they attached to tax service and at the same time i need vlans to isolate guests. I even dont know where to dig next to solve this problem. I will appreciate any advice. Thank you.
Can you provide some clarity on the diagram.
What is the product on the far left, is that your router??
Does it get a public IP from the ISP?
Does it provide DHCP for the entire network?
The device behind it, the switch, is actually an Access point with 5 ports, please confirm you are using this solely as a switch and why you use the word unmanaged is beyond me.
Its going to be a managed device.
With that said,
I need three configs. THe mt router, the switch(ap)< and the Capac.
/export file=anynameyouwish (minus device serial number, any public WANIP information, keys)
What is the product on the far left, is that your router??
Yes, i have CCR1009, RB3011, RB-951. CCR on ROS 6.49.13, RB3011 on ROS 7.15.2, RB951 on ROS 7.15.3, all in different locations all have same symptoms.
Does it get a public IP from the ISP?
Yes it did.
Does it provide DHCP for the entire network?
Yes
The device behind it, the switch, is actually an Access point with 5 ports, please confirm you are using this solely as a switch and why you use the word unmanaged is beyond me.
Main router → switch(no matter what swtich CSS-326, RB-951 with bridged ports or TP-LINK TL-SF1008D(unmanaged) tried all of them - nothing changed). PC/Laptop/TV/printer/cAP AC conected to this switch.
With that said,
I need three configs. THe mt router, the switch(ap)< and the Capac.
cAP AC is for example to show why i need vlans. In my lab i excluded cAP AC and problem still presist.
Main router config(far left device, fow now i’m using it as a test lab):
Config for switch - default from the box CSS326, there’s no config to show…
cAP AC not connected for now cos I made sure that without it the same problems were observed.
So my lab now - RB-3011 interface ether3 → port 1-24(no matter) CSS326 → port 1-24(no matter) printer
So take the bridge off any subnet duties, simply make it another vlan.
Then come back with that config.
You should consider which vlan is your trusted vlan (and if there is not one then you need a management or base vlan).
Typically you only need three interface lists
WAN-LAN-TRUSTED on the router…exceptions includeumerous vlans with complex firewall rule interactions
You have a mgmt address list but no such list on your config… just bogons
Suggest firewall filter keep chains together otherwise difficult to understand order and also to see errors.
YOur mangle rules are wrong and also not clear why you are using them.
Your routing rules seem very numerous WHY?? what are you trying to do???
Also you have routing rules and one must be very careful to mix them as there can be NO overlap… mangles take precedence over routing rules.
I do recommend taking one port OFF the bridge and doing all my configuration from that port.
Okay but if vlans are private IP addresses it matters little, and should be shown.
Public IP addresses should not identified.
Also, in bridge vlan filtering vlan1 is the default vlan on the bridge and is not to be used and works in the background.
If you have a bridge vlan now with DHCP simply make it vlan5 or vlan10, dont care but not vlan1.
Same goes with base or management vlan, should not be 1.
Thank you for reply.
So after some research and tests i found what was a problem. This type of equipment for some reason was blocked when Ingress Filtering was on in Bridge Vlan Filtering. I dunno why but with some advice in another community i changed my lan network to full vlan so i excluded default vlan 1 and then all worked fine. Thank you for your help.
