bridge vlan sanity

Hey there,

Just looking for some clarity on my brain fog when it comes to the new vlan method within bridge vlan. Historically, I would just create multiple vlan entries, rename them, and associate them with interfaces.

Topology >

Mikrotik Router >> Cisco Switch(s)

Mikrotik eth1 >> Sw1. (10,20,40,99)
Mikrotik eth2 >> Sw2 (10,20,40,99)
Mikrotik eth3 > Sw03 - different network, untagged. (40)

Need ports eth1 and eth2 to be ‘trunk’ ports, with all vlans tagged, but also need the PVID to be untagged for access; eth3’s vlan needs to be untagged as it goes to an unmanaged layer-2 network switch.

Would it be as follows?

/interface bridge
add name=all-vlan-bridge vlan-filtering=yes pvid=1
add name=data-lan-bridge
add name=vlan40-lan-bridge

/ip dhcp server dhcp1
add interface=data-lan-bridge

/ip dhcp server dhcp2
add interface=vlan40-lan-bridge


/interface bridge port
add bridge=all-vlan-bridge interface=ether1 pvid=10
add bridge=all-vlan-bridge interface=ether2 pvid=10
add bridge=all-vlan-bridge interface=ether3 pvid=40
add bridge=data-lan-bridge interface=vlan10-data

/interface bridge vlan
add bridge=all-vlan-bridge vlan-ids=10 untagged=ether1,ether2 untagged=all-vlan-bridge
add bridge=all-vlan-bridge vlan-ids=20,40,99 tagged=ether1,ether2
add bridge=all-vlan-bridge vlan-ids=40 untagged=ether3

/interface vlan
add vlan-id=10 interface=all-vlan-bridge name=vlan10-data
add vlan-id=40 interface=vlan40-lan



/ip address
add address=x.x.x.x/m interface=data_lan (main IP of router, untagged)

/ip address
add address=x.x.x.x/m interface=vlan20

/ip address
add address=x.x.x.x/m interface=vlan40-lan

Basically, vlan 10 is untagged traffic. The router needs to be accessible on it. Not going to over-complicate this network with a mgmt vlan…

vlans 20 and 99 are tagged, for tagged traffic from devices that carry their own vlan IDs.

vlan 40 will be untagged port to un-managed L2 switch

Otherwise, for vlan 40, I’ll just create a bridge interface, add the port and have an IP assigned (how it’s set up now).

Two ways to do this,
The first is my attempt to do it not using pvid=1…

/interface bridge
add name=all-vlan-bridge vlan-filtering=yes pvid=10

/interface bridge port
add bridge=all-vlan-bridge interface=ether1
add bridge=all-vlan-bridge interface=ether2 
add bridge=all-vlan-bridge interface=ether3 

/interface bridge vlan
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1,ether2, ether3 vlan-ids=40
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1,ether2 vlan-ids=20,99
add bridge=all-vlan-bridge tagged=all-vlan-bridge untagged=ether1,ether2 vlan-ids=10
(note: not sure if the third rule here will be dynamically created by the router or not, so it may not be required, but I think it’s correct)

/interface vlan
add vlan-id=10 interface=all-vlan-bridge name=vlan10-data
add vlan-id=20 interface=all-vlan-bridge name=vlan20-data
add vlan-id=40 interface=all-vlan-bridge name=vlan40-data
add vlan-id=99 interface=all-vlan-bridge name=vlan99-data

/ip address
add address=x.x.x.x/m interface=vlan10 (main IP of router)

/ip address
add address=v.v.v.v/m interface=vlan20
add address=y.y.y.y/m interface=vlan40
add address=y.y.y.y/m interface=vlan99

This is how I know how to do it, as the above method has proved challenging to implement properly with some cAP ac units in the mix.
(Uses default vlan1 for main lan traffic and no requirement for vlan10)

/interface bridge
add name=all-vlan-bridge vlan-filtering=yes {pvid=1 is implied by default}

/interface bridge port
add bridge=all-vlan-bridge interface=ether1
add bridge=all-vlan-bridge interface=ether2 
add bridge=all-vlan-bridge interface=ether3 

/interface bridge vlan
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1,ether2, ether3 vlan-ids=40
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1,ether2 vlan-ids=20,99
(note: the router dynamically creates an untagged rule for pvid=1)
 
/interface vlan
add vlan-id=20 interface=all-vlan-bridge name=vlan20-data
add vlan-id=40 interface=all-vlan-bridge name=vlan40-data
add vlan-id=99 interface=all-vlan-bridge name=vlan99-data

/ip address
add address=x.x.x.x/m interface=all-vlan-bridge (main IP of router)

/ip address
add address=v.v.v.v/m interface=vlan20
add address=y.y.y.y/m interface=vlan40
add address=y.y.y.y/m interface=vlan99

Thanks!

pvid=10 is the default data vlan (untagged traffic, data lan). This is set on the Cisco SG series switch as well (pvid=10): on the switch ports, vlan10 is untagged and all other vlans are tagged.

The switch port going to the Mikrotik will have vlan10 untagged and the rest tagged.

I was reading documentation on wiki. That I can set

/interface bridge port
bridge=all-vlan-bridge interface=ether3 pvid=40

setting PVID on bridge port should make that port an access port (untagged). Right?

Historically, we would add vlans to bridge ports in order to make those tagged packets become untagged so we could associate a DHCP server and such. Correct?

Unsure if you read my edited & revised post; I edited it a few times. Sorry…

Device is an RB2011UAS-IN; perhaps it would be better if I just used the built-in switch-chip functionality??

I’m just so used to creating bridges, adding interfaces, and having the vlans within the bridge interface so those packets are untagged, as creating a bridge used to untag by default.

Reading prior posts, I believe PVID=ID is equivalent to a Cisco switch’s trunk native vlan (which makes that vlan access/untagged).

Here is maybe more simple config (taken from prior post). Modified for my usage:

/interface bridge
add name=bridge-all-vlans vlan-filtering=yes pvid=1

/interface bridge port
add bridge=bridge-all-vlans interface=ether1 pvid=10
add bridge=bridge-all-vlans interface=ether2 pvid=10
add bridge=bridge-all-vlans interface=ether3 pvid=40

/interface bridge vlan
add bridge=bridge-all-vlans vlan-ids=10 tagged=bridge-all-vlans untagged=ether1,ether2,wlan1
add bridge=bridge-all-vlans vlan-ids=20 tagged=bridge-all-vlans,ether1,ether3,wlan2
add bridge=bridge-all-vlans vlan-ids=40 tagged=bridge-all-vlans,ether1,ether2 untagged=ether4
add bridge=bridge-all-vlans vlan-ids=99 tagged=bridge-all-vlans,ether1,ether2

/interface vlan
add name=vlan10-data interface=bridge-all-vlans vlan-id=10
add name=vlan20-data interface=bridge-all-vlans vlan-id=20
add name=vlan40-data interface=bridge-all-vlans vlan-id=40
add name=vlan99-data interface=bridge-all-vlans vlan-id=99

/ip address
address=x.x.x.x/m interface=vlan10-data
address=x.x.x.x/m interface=vlan20-data
address=x.x.x.x/m interface=vlan40-data
address=x.x.x.x/m interface=vlan99-data

/ip dhcp server dhcp1
add interface=vlan10-data
/ip dhcp server dhcp2
add interface=vlan40-data

rinse and repeat for the other interfaces that need a dhcp server?

vlan10 trunk native - all untagged traffic
vlan20 - tagged traffic (guest wifi)
vlan40 - untagged traffic
vlan99 - tagged traffic (VOIP Phones) - have dhcp options to push vlan ID config s’id’

Basics,
Trunk ports do not get pvid
Access ports get pvid
Your eth3 I thought was going to a managed switch first… thus also a trunk port.
BUT now I see it’s going to an un-managed switch…
You also don’t mention an access point, but now have guest wifi added as well???

Thus

/interface bridge
add name=bridge-all-vlans vlan-filtering=yes pvid=1

/interface bridge port
add bridge=bridge-all-vlans interface=ether1
add bridge=bridge-all-vlans interface=ether2
add bridge=bridge-all-vlans interface=ether3 pvid=40 admit-frames=untagged only
add bridge=bridge-all-vlans interface=wlan1 pvid=10 admit-frames=untagged only
add bridge=bridge-all-vlans interface=wlan2 pvid=20 admit-frames=untagged only


/interface bridge vlan
add bridge=bridge-all-vlans vlan-ids=10 tagged=bridge-all-vlans,ether1,ether2 untagged=wlan1
add bridge=bridge-all-vlans vlan-ids=20 tagged=bridge-all-vlans,ether1,ether2 untagged=wlan2
add bridge=bridge-all-vlans vlan-ids=40 tagged=bridge-all-vlans,ether1,ether2 untagged=ether3
add bridge=bridge-all-vlans vlan-ids=99 tagged=bridge-all-vlans,ether1,ether2

/interface vlan
add name=vlan10-data interface=bridge-all-vlans vlan-id=10
add name=vlan20-data interface=bridge-all-vlans vlan-id=20
add name=vlan40-data interface=bridge-all-vlans vlan-id=40
add name=vlan99-data interface=bridge-all-vlans vlan-id=99

/ip address
address=x.x.x.x/m interface=vlan10-data
address=x.x.x.x/m interface=vlan20-data
address=x.x.x.x/m interface=vlan40-data
address=x.x.x.x/m interface=vlan99-data

/ip dhcp server dhcp1
add interface=vlan10-data
/ip dhcp server dhcp2
add interface=vlan40-data

rinse and repeat for the other interfaces that need a dhcp server?

vlan10 trunk native - all untagged traffic
vlan20 - tagged traffic (guest wifi)
vlan40 - untagged traffic
vlan99 - tagged traffic (VOIP Phones) - have dhcp options to push vlan ID config s’id’

Do I set the bridge to pvid=10, along with the individual ports within the bridge, to make untagged traffic the default native vlan?

such as:

/interface bridge
add name=bridge-all-vlans vlan-filtering=yes pvid=10

/interface bridge port
add bridge=bridge-all-vlans interface=ether1 pvid=10
add bridge=bridge-all-vlans interface=ether2 pvid=10

/interface bridge vlan
add bridge=bridge-all-vlans vlan-ids=10 tagged=bridge-all-vlans,ether1,ether2 untagged=wlan1

vlan10 i need to be native untagged access vlan for data traffic.. so confused!!!

So the question is: do I set pvid on the /interface bridge and enable vlan-filtering, or leave vlan-filtering=no and pvid=1, and then set my PVID at the /interface bridge port level???

sigh.

toxic,
Look at my last config, I kept the bridge pvid at default ie 1
Yes. bridge itself has vlan filtering
The bridge ports that are trunks cannot have pvid assignments; pvid is only for incoming untagged traffic that needs to be tagged.
hence wlan1, wlan2 and eth3
Give that a try.
If it doesnt work then try the bridge with pvid=10

If both options, with the rest as I stated, don’t work, then I too am stumped.

anav - thank you! Much appreciated. I will let you know once I apply the config changes and can return my findings or success.

In the meantime it never hurts to go back to some decent references and this is the best…
Pick the example which fits closest to your scenario (Router-Switch-AP (all in one))
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

question:

Will inter-vlan routing work since all vlans are within the single bridge? I will need inter-vlan, and then can create firewall rules to block some traffic as needed.

Appreciated! I did a similar setup ~6+ months ago with the new vlan bridge method, but had to do it the ‘unorthodox’ way, and it is essentially backwards. But it is working for said client. It was one of those ad-hoc, on-site scramble setups and I was unprepared. But got through it.

Whether on the same bridge or not, the answer is NO at layer 2 and YES at layer 3, IF you make the proper firewall filter forward rules.
Basically in my setup I have the usual suspects
allow fasttrack established related
allow established related
drop invalid
allow ipsec
allow dstnat (if required)
allow LAN to WAN


DROP ALL ELSE

If I need to provide any other flows I enter them here *******************
such as VLAN to WAN, or VLANx to VLANy or
ALL VLANS to a shared printer on my LAN etc etc etc…

Please post your working config so that I can learn something!! :slight_smile:

anav - which working config would you like? I had it on a HEX & PowerBox Pro for a small campground, trunk ports back to a L3 switch.

The ‘unorthodox’ method I did way back when I was naive and still learning the ‘new way’. Which after grasping it… is much cleaner..

This new config I’m working on is to revamp a current RB2011 configuration and move it to the new vlan bridge method. Which will allow for cleaner config and not cascading switches.

Last night ended up doing overhaul of network wiring and racks. Will work to apply config later in week when get a chance. Its a super busy office/business - have to do it late after hours. Was up until 3:30AM EST :frowning:

Already have those rules, typical for all my configs. Just need a few of the networks to work for inter-vlan.

IE: vlan10-data (access ports) to be able to hit the VOIP phones if need to gain access to webUI.
IE: vlan10 (access port) access another access point (vlan40, or any other vlan config as PVID/access-port)

Awesome, Looking forward to seeing an RB2011 “WORKING” config with the vlans!! Cheers.

hey anav! Success..

  "/interface bridge
# Working RB2011 export posted by the thread author (addresses and SSIDs partly redacted).
# all-vlan-bridge is the VLAN-filtered bridge that every port below joins; bridge-local has no
# /interface bridge port entry in this export and only shows up in the mactel/mac-winbox lists.
add name=all-vlan-bridge vlan-filtering=yes
# NOTE(review): auto-mac=no together with an empty admin-mac= — presumably blanked before
# posting; confirm the bridge MAC really is pinned on the device.
add admin-mac= auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
# ether1/ether2 are the trunks to the two Cisco switches (VLAN 10 untagged/native on the switch
# side, see the bridge port and VLAN tables below); ether10 is the WAN uplink with PoE out off.
set [ find default-name=ether1 ] comment="TRNK to SW01" name=ether1-sw01.p49
set [ find default-name=ether2 ] comment="TRNK to SW02" name=ether2-sw02.p18
set [ find default-name=ether4 ] comment="To Control4" name=ether4_control4
set [ find default-name=ether5 ] name=ether5_control4
set [ find default-name=ether6 ] comment="TO DINING AP_" name=ether6_AP
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether10 ] comment=BHN_WAN1 name=ether10-gateway \
    poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
# One routed interface per VLAN, all stacked on all-vlan-bridge; the bridge itself is listed as
# tagged in every /interface bridge vlan entry below, which is what feeds these interfaces.
add interface=all-vlan-bridge name=vlan10-data-lan vlan-id=10
add interface=all-vlan-bridge name=vlan20-GuestWifi vlan-id=20
add interface=all-vlan-bridge name=vlan40-Control4 vlan-id=40
add interface=all-vlan-bridge name=vlan99-Phones vlan-id=99
/interface list
# mactel / mac-winbox: MAC-level management scope (presumably consumed by /tool mac-server,
# which is not in this excerpt); VLANS groups the routed VLAN interfaces; WAN holds the uplink.
add name=mactel
add name=mac-winbox
add name=VLANS
add name=WAN
/interface wireless
# wlan1 is the physical 2.4 GHz AP (main SSID); wlan2-guest and wlan3-control4 are virtual APs
# on top of it (master-interface=wlan1).
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC \
    comment=WIRELESS country="united states" disabled=no frequency=2432 \
    frequency-mode=regulatory-domain mode=ap-bridge security-profile=WPA-PSK \
    ssid="SSID_NAME" tx-power=18 tx-power-mode=all-rates-fixed \
    wireless-protocol=802.11 wps-mode=disabled
# NOTE(review): the guest SSID sets no security-profile here, so it runs with whatever the
# default profile holds — confirm it is not open. default-forwarding=no disables
# client-to-client forwarding through the AP on this SSID.
add default-forwarding=no disabled=no mac-address=4E:5E:0C:06:B5:13 \
    master-interface=wlan1 name=wlan2-guest ssid="SSID_NAME" \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4E:5E:0C:06:B5:14 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3-control4 \
    security-profile=WPA2-Control4 ssid=SSID_NAME wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled

/ip pool
# DHCP pools per VLAN (data 192.168.3.x, VOIP 10.10.99.x, Control4 192.168.40.x,
# guest 192.168.20.x); the /ip dhcp-server entries that use them are not part of this excerpt.
add name=dhcp_pool1 ranges=192.168.3.40-192.168.3.220
add name=voip-dhcp_pool ranges=10.10.99.10-10.10.99.60
add name=dhcp_pool8 ranges=192.168.40.200-192.168.40.240
add name=dhcp_pool9 ranges=192.168.20.20-192.168.20.240

/interface bridge port
# pvid = the VLAN that untagged ingress on each port lands in: 10 on the trunks, the AP uplink,
# ether3 and wlan1; 40 on the Control4 ports; 20 on the guest SSID. The trunks keep pvid=10 to
# match the Cisco side, where VLAN 10 is the untagged/native VLAN.
# NOTE(review): the pure access ports (ether4/5_control4, wlan1, wlan2-guest, wlan3-control4,
# ether3) carry no frame-types restriction, so a tagged frame arriving on them is accepted by
# the port and rejected only by the VLAN table below;
# frame-types=admit-only-untagged-and-priority-tagged on those ports would drop it at ingress.
# NOTE(review): ether3 (pvid=10) is not listed in any /interface bridge vlan entry below —
# confirm it is meant to be outside VLAN 10's static membership.
add bridge=all-vlan-bridge interface=ether5_control4 pvid=40
add bridge=all-vlan-bridge interface=ether6_AP pvid=10
add bridge=all-vlan-bridge interface=wlan1 pvid=10
add bridge=all-vlan-bridge interface=ether3 pvid=10
add bridge=all-vlan-bridge interface=ether4_control4 pvid=40
add bridge=all-vlan-bridge interface=wlan3-control4 pvid=40
add bridge=all-vlan-bridge interface=ether2-sw02.p18 pvid=10
add bridge=all-vlan-bridge interface=wlan2-guest pvid=20
add bridge=all-vlan-bridge interface=ether1-sw01.p49 pvid=10
/ip neighbor discovery-settings
# NOTE(review): discover-interface-list=all advertises the router (MNDP/CDP/LLDP) on every
# interface, including ether10-gateway (the WAN list member) and the guest SSID; point this at
# a LAN-only interface list instead.
set discover-interface-list=all
/interface bridge vlan
# VLAN membership table. The bridge is tagged in all four VLANs (for the routed vlanNN
# interfaces); the two trunks carry 20/40/99 tagged and 10 untagged (native); ether6_AP is
# native 10 with 20 and 40 tagged (presumably for SSIDs on the dining AP); the Control4 and
# guest ports are untagged-only members of 40 and 20 respectively.
add bridge=all-vlan-bridge tagged=\
    all-vlan-bridge,ether1-sw01.p49,ether2-sw02.p18,ether6_AP untagged=\
    ether4_control4,ether5_control4,wlan3-control4 vlan-ids=40
add bridge=all-vlan-bridge tagged=\
    all-vlan-bridge,ether1-sw01.p49,ether2-sw02.p18 vlan-ids=99
add bridge=all-vlan-bridge tagged=all-vlan-bridge untagged=\
    ether1-sw01.p49,ether2-sw02.p18,ether6_AP,wlan1 vlan-ids=10
add bridge=all-vlan-bridge tagged=\
    all-vlan-bridge,ether1-sw01.p49,ether2-sw02.p18,ether6_AP untagged=\
    wlan2-guest vlan-ids=20
/interface list member
# MAC-management scope: wlan1, the management port ether9, the disabled ether7/ether8/sfp1,
# bridge-local and two all-vlan-bridge slave ports (ether2-sw02.p18 trunk, ether3, ether6_AP).
# The guest and Control4 ports are not included.
add interface=ether2-sw02.p18 list=mactel
add interface=ether3 list=mactel
add interface=ether2-sw02.p18 list=mac-winbox
add interface=ether3 list=mac-winbox
add interface=ether6_AP list=mactel
add interface=ether7 list=mactel
add interface=ether6_AP list=mac-winbox
add interface=ether8 list=mactel
add interface=ether7 list=mac-winbox
add interface=ether9 list=mactel
add interface=ether8 list=mac-winbox
add interface=ether9 list=mac-winbox
add interface=sfp1 list=mactel
add interface=wlan1 list=mactel
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=vlan20-GuestWifi list=VLANS
add interface=vlan10-data-lan list=VLANS
add interface=vlan40-Control4 list=VLANS
add interface=vlan99-Phones list=VLANS
add interface=ether10-gateway list=WAN
/ip address
# Out-of-band MGMT on ether9, which is not a member of either bridge.
add address=192.168.88.1/24 comment="MGNT LAN" interface=ether9 network=\
    192.168.88.0
# NOTE(review): the WAN address is redacted (X.X.X.X/YY) but its network= value was left in
# place; redact both before posting.
add address=X.X.X.X/YY comment=BRIGHTHOUSE interface=ether10-gateway \
    network=67.78.248.24
# Gateway addresses for the routed VLAN interfaces; the data LAN uses .254 while the others use .1.
add address=10.10.99.1/24 comment="VOIP Network" interface=vlan99-Phones \
    network=10.10.99.0
add address=192.168.20.1/24 comment="GUEST WIFI" interface=vlan20-GuestWifi \
    network=192.168.20.0
add address=192.168.3.254/24 comment=LAN interface=vlan10-data-lan network=\
    192.168.3.0
add address=192.168.40.1/24 comment="Control 4" interface=vlan40-Control4 \
    network=192.168.40.0"