bridge vlan setup (new way)

Hey there,

Since RouterOS 6.41 there is an implementation of a new VLAN methodology. It took me a while to wrap my head around the idea of it… I think I understand. But upon implementing it ad hoc for a new customer of mine… I'm struggling.

Can anyone help? It made me look like a fool configuring a MikroTik PowerBox Pro and a hEX S as downstream switches for a WISP install…

I need eth1 to be a trunk port (all ingress/egress tagged).
I need eth2 to be a trunk port (all VLANs tagged in both directions).
I need eth5 to be an access port for a PoE phone (so it gets a DHCP address from the upstream switch).

I got the base of it working… I'm able to get an IP address on the main untagged network. But the VLANs are not passing. I cannot ping other equipment on other VLAN subnets from the MikroTik devices.

However, once I receive an IP when connected to the switch, I can ping devices on any subnet, but only because they're attached to the upstream switch that is doing the VLAN tagging. Anything connected to the MikroTik PowerBox or hEX S is not.

Do read this thread and you will understand some more.
http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/1
At the bottom, you will find how to do it with >=6.41 software.

Keep in mind that if you enable VLAN filtering on the bridge (and without that VLANs essentially don't work), you lose HW offload and every packet passes the CPU. This kills performance on slower routerboards, such as the RB951G. I advise you to configure your PowerBox Pro in the old way by using the /interface ethernet switch section.

Thanks for the input.

When I configured Bridge >> VLANs and VLAN >> Ports,

on the bridge I added a PVID and enabled vlan-filtering…

I had VLAN IDs listed all throughout the bridge interface and specified which ports are tagged, and specified the one port that was to be untagged. Further, on the port that was untagged, I selected the port (within the bridge menu) and specified the PVID for that interface… That appeared to work and showed it as untagged.

However, what was concerning was that the master vlan-bridge that I added the PVID to came up as 'untagged'. I even tried creating another bridge for the untagged traffic, no dice.

I ran out of time and have to fly back tomorrow. I was visiting family/friends and took on this job within a certain number of days. I spent 6+ hours messing with both MikroTik devices with this new configuration and failed.

The core router is a MikroTik RB1100AHx4 (Dude edition). It works fine with the router-on-a-stick method… But trying to make the MikroTik routers do switching with VLANs is mind numbing and makes me cry in a corner.

How would I go about setting this within the Switch menu? I was looking to do that, but I didn't see where I could specify more than one port. I need ports 1-4 to be "trunk" ports that pass all VLANs as tagged, as access points will be tied into them…

Lastly, I was also looking at creating bridges for the VLANs (br_vlan10, br_vlan20, etc.), adding the physical interface and then the VLAN interface to them… as I know that for untagged traffic to work, the interface and the VLAN have to be part of a bridge.

I started doing the br_vlan approach and just hit a road block of mass confusion, as it was getting entirely messy due to the number of VLANs and port assignments.

The client/friend is most likely going to return the PowerBox Pro and the hEX S and I'll install Netonix switches, due to odd PoE requirements.

The switch in the middle (hEX S) was required as it accepted PoE input (48 V DC) and output 48 V DC on port 5, as there was a VoIP phone connected going into a camper/cabin. This was mounted inside an outdoor enclosure that Netonix sells. Then from a port I need to send all tagged traffic to a downstream switch (PowerBox Pro), as this is a corner area where a few APs will be hung from.

Netonix switches are cost effective enough as just regular switches that will take less time to configure, and me not crying. I was upset with myself, I felt defeated. Only the untagged traffic was working with my config.

I'll take a remote connection later today and post the config export of the middle downstream switch. The PowerBox was pulled out and not powered on (it was accessible). The config was identical.

soooooo…

Did I totally miss only one (1) setting this entire time?

I did NOT add the "master vlan_bridge" interface under bridge >> ports >> vlan as an interface to be tagged… is that the entire issue?! I only added the individual physical interfaces to the list of interfaces to be tagged.

Then from there, do I not need to set a PVID on the master vlan_bridge interface? Just set the PVID on the ports (interface ports) that need to be access/untagged, as well as specify the physical port as untagged?

Hopefully it's that simple. Otherwise I give up.

Here's an excerpt from my home configuration. First I had an RB951G with VLANs on the switch chip… then I wanted to see how to configure the same on a bridge, this time on an RBD52G (hAP ac2). The last config was in production for a couple of days.

As the goal of my exercise on the RBD52G was to learn how to configure VLANs on a bridge, both configs are actually identical as to device behaviour… apart from differences in WiFi (the RB951G does not have 5GHz WiFi).

The scenario:

  • ether1 is the trunk port towards the router. It carries VLANs 40, 41, 42 and 3999, all tagged
  • ether2 is a hybrid port for the IPTV set-top box. It carries VLAN 40 untagged and 3999 tagged
  • ether3, 4 and 5 are access ports for VLAN 42
  • wifi runs two SSIDs: wifi-42 is for LAN access, tagged with VLAN 42… and wifi-guest-41 is a VAP for guest access (without password), tagged with VLAN 41
  • VLAN 42 is the main VLAN for the home LAN and is also the management VLAN, so the device has a vlan42 interface with its IP address.

Switch chip:

/interface bridge
add admin-mac=E4:8D:8C:49:EE:4A auto-mac=no fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-router
set [ find default-name=ether2 ] name=ether2-BOX
set [ find default-name=ether3 ] name=ether3-AV
set [ find default-name=ether4 ] name=ether4-TV
/interface vlan
add interface=bridge name=vlan-42 vlan-id=42
/interface ethernet switch
set 0 mirror-source=ether1-router
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=fallback
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether1-router,ether3-AV,ether4-TV,ether5 switch=switch1 vlan-id=42
add independent-learning=no ports=ether1-router,ether2-BOX switch=switch1 vlan-id=3999
add independent-learning=no ports=switch1-cpu,ether1-router switch=switch1 vlan-id=41
add independent-learning=no ports=switch1-cpu,ether1-router,ether2-BOX switch=switch1 vlan-id=40
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC \
    country=slovenia disabled=no frequency=2472 frequency-mode=\
    regulatory-domain mode=ap-bridge name=wifi-42 security-profile=mkxNet \
    ssid=mkxNet vlan-id=42 vlan-mode=use-tag wireless-protocol=802.11 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E4:8D:8C:49:EE:50 \
    master-interface=wifi-42 multicast-buffering=disabled name=wifi-guest-41 \
    ssid=mkxGuest vlan-id=41 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge interface=ether1-router
add bridge=bridge interface=wifi-42
add bridge=bridge interface=wifi-guest-41
add bridge=bridge interface=ether2-BOX
add bridge=bridge interface=ether3-AV
add bridge=bridge interface=ether4-TV
add bridge=bridge interface=ether5
/ip address
add address=192.168.42.3/23 interface=vlan-42 network=192.168.42.0
/ip route
add distance=1 gateway=192.168.42.1

Note: you define the PVID for ports in /interface ethernet switch port, where you also define how tags are treated on egress (option vlan-header). You need to add switch-cpu to the list of VLAN member ports for any VLAN to which the router needs access (it is then present on the bridge as tagged).
Settings for port 5 (=switch-port) are probably weird; it's a legacy from the time when I was doing the config and my knowledge was even worse than it is now.

Bridge VLAN way:

/interface bridge
add admin-mac=B8:69:F4:20:A5:49 auto-mac=no name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-router
set [ find default-name=ether2 ] name=ether2-BOX
set [ find default-name=ether3 ] name=ether3-AV
set [ find default-name=ether4 ] name=ether4-TV
/interface vlan
add interface=bridge name=vlan-42 vlan-id=42
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
    country=slovenia disabled=no distance=indoors frequency=2452 \
    frequency-mode=regulatory-domain mode=ap-bridge name=wifi-42-2G \
    security-profile=mkxNet ssid=mkxNet vlan-id=42 vlan-mode=use-tag \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee \
    country=slovenia disabled=no distance=indoors frequency=auto \
    frequency-mode=regulatory-domain mode=ap-bridge name=wifi-42-5G \
    security-profile=mkxNet ssid=mkxNet vlan-id=42 vlan-mode=use-tag \
    wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=B8:69:F4:20:A5:50 \
    master-interface=wifi-42-2G multicast-buffering=disabled name=\
    wifi-guest-41 ssid=mkxGuest vlan-id=41 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-router
add bridge=bridge interface=ether2-BOX pvid=40
add bridge=bridge interface=ether3-AV pvid=42
add bridge=bridge interface=ether4-TV pvid=42
add bridge=bridge interface=ether5 pvid=42
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wifi-42-2G
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wifi-42-5G
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wifi-guest-41
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-router,wifi-42-2G,wifi-42-5G untagged=ether3-AV,ether4-TV,ether5 vlan-ids=42
add bridge=bridge tagged=ether1-router,ether2-BOX vlan-ids=3999
add bridge=bridge tagged=bridge,ether1-router,wifi-guest-41 vlan-ids=41
add bridge=bridge tagged=bridge,ether1-router untagged=ether2-BOX vlan-ids=40
/ip address
add address=192.168.42.6/23 interface=vlan-42 network=192.168.42.0
/ip route
add distance=1 gateway=192.168.42.1

Note that one needs to explicitly list all tagged and untagged ports connected to the bridge in this case. Example: in the switch chip way the wlan interfaces ("ports") were only listed as bridge members, and their VLAN settings were only set in the wireless interface definition itself. In the bridge VLAN way, the wireless interface definition is identical to the one in the switch chip case, but they need to be listed as tagged members of the bridge in the /interface bridge vlan section of the configuration.

And my warning (again!): configuring VLANs on a bridge disables HW offload, so all wired intra-VLAN data passes the CPU rather than the switch chip alone. While the RBD52G was quite capable of wire-speed transfers between two ether ports (and the load on the CPU indicated that another wire-speed transfer between a different pair of ports would be possible), good ole RB951G maxed the CPU load (100%) with one (almost) wire-speed transfer between a pair of ether ports, so I assume another wire-speed transfer over a different pair of ether ports would not be possible.
In the first scenario (switch chip), the RB951G doesn't even blink an eye while doing wire-speed transfers.

This can’t be repeated enough. So many people tout the “new way”, but there are major caveats that need to be considered.

Here is a good explanation from MT. The focus is on CRS, but it also covers other RBs.
http://forum.mikrotik.com/t/bridge-vlan-vs-switch-vlan/118449/1

Thanks @proximus for the reminder about the explanation from MT.

I'll add that the "new way" changed how the bridge sees switched ports (the pre-6.41 bridge only saw the master port, now it sees all of them). Nothing changed regarding VLANs; doing it in the switch part of the configuration is a completely legitimate configuration. So one should not avoid it just because it can be done on the bridge.

@mkx
Thanks for your example. I am still learning VLANs and boy, it's complicated compared to Cisco and HP, which I do know.
In the software bridge you are using a VLAN-aware bridge, so you need ROS >= 6.41.

I may see some missing configuration in your example.
This:

add bridge=bridge tagged=ether1-router,ether2-BOX vlan-ids=3999

should be this?

add bridge=bridge tagged=bridge,ether1-router,ether2-BOX vlan-ids=3999

Do you also need to tag VLAN 3999 to the bridge?

Here is a visual drawing of your software bridge VLAN: /interface bridge vlan makes it hard to do in 2D, it should be a 3D drawing.
I will try to draw the switch chip version when I do understand it.
[attached image: Bridge.jpg]

This is fine. If there's nothing to be done by the RB for a particular VLAN, the bridge doesn't have to be part of it. In my particular case, that VLAN is used by my ISP to deliver multicast of IPTV, and what I'm doing is just passing it on through my "switches" to "subscriber" devices while the router parts don't need to touch it. This is the same as not including switch-cpu in the list of VLAN member ports in the classical way of doing the same.

Jotne, well done.

@mkx
OK, so here 3999 is just floating between port 1 and 2.

You could add a security profile for the wireless, then this config would be just cut/paste :)

PS: The drawing is updated, I did miss the link connecting Bridge/VLAN 3999 to the Bridge.

I omitted the wireless security profile so that readers of your topic have something to think about ;)

Perhaps a few words to clarify things further. "bridge" is used in two quite distinct senses in this configuration exercise.
In the first sense, as used in /interface bridge port, it is the name of the bridge which spans all member ports, either ethernet or wireless devices or higher-level devices such as PPPoE, VPN or some other tunneling setup. Or, in a perverse setup, the untagged end of vlan pseudo-devices. It carries L2 frames, either tagged or untagged, depending on port setup… in any case, it doesn't care about VLAN tags while frames are within the bridge, just as a smart switch doesn't… until those frames get pushed out of the bridge through one (or several) ports.
In the second sense, as it is used in /interface bridge vlan in the port list, it represents a higher layer device which can deal with L3 traffic through its IP address. And the second sense brings another possible source of confusion: it can be used directly as part of a non-VLAN setup (and in this case, everything is HW offloaded if possible on most RB devices), then it can be used again directly but as a kind of access port of itself (being a bridge) with PVID set, and last it can be used in the sense of a trunk port, and one needs to create vlan interfaces (with VID set, a kind of access port again) to be able to use it as an L3 device. Explicit use of a vlan device compared to use of the bridge with PVID set brings (IMHO) a clearer view over the setup… and the possibility of using more than one VLAN locally in the RB device (a must on a router but not in my example of usage as AP and smart switch).

So just to clarify:

I have a single bridge that contains the VLAN IDs (listed) and then I'm specifying the ports to be tagged, and the ports to be untagged.

For the specified 'untagged' ports, I also give them a PVID under VLAN > Ports.

And for further clarification's sake (I think this is my issue): I need to include this SAME bridge interface as an interface to be tagged. Right now I'm only specifying the actual physical interfaces, and it's not working: unable to pass traffic on VLANs besides the untagged one. I'm lost. So confusing with this overly complicated implementation.

Also, since I'm specifying VLAN IDs under the bridge VLAN setup, do I still need to create /interface vlan(s) and put them under a bridge interface or a physical one?

Everything is right.

As for vlan interfaces: you need to create them on top of the bridge only for the vlan-ids for which you have specified the bridge itself as a tagged port, to attach the IP configuration (addresses, DHCP clients/servers etc.) for these vlans.
For the "default" vlan id (the one set as PVID for the bridge itself) that is not necessary; instead of creating an interface, you can attach the IP configuration to the bridge itself, but for it to work you need to add the bridge not as a tagged, but as an untagged port for this vlan.

@xvo

Thank you for the input. These MikroTik devices are really acting as switches; they're hanging off a Cisco switch (upstream) and the core router is an RB1100AHx4.

So is my entire issue that I never added this master bridge interface to the list of interfaces that need to be set as tagged under Bridge > VLANs?

I'm using a hEX S and a PowerBox as switches, hence I need the ports to be trunked (tagged). Hanging off these MTs are EnGenius APs.

So, I still need to add the VLANs under /interface vlan on the master bridge that I create, which specifies all the VLAN IDs.

For management of these devices, can I just leave the device IP address on the bridge interface and have it be accessible via a 'management port', or a port that I leave as an untagged VLAN PVID? Once it is connected to the upstream switch it will work, or should be accessible from within the network.

If you don't need any routing between vlans performed on the devices in question, you don't need to create vlan interfaces or even add the bridge as a port for the vlans (except for the management vlan, to give an address to the device itself).
Unless there is some device-specific issue, which can be the case with the hEX S, as it has some weird purely software vlan implementation.
Try it.
If it doesn't work, add the bridge as a tagged port.
If it still doesn't work, add vlan interfaces for each vlan.
But on most devices it should work without that.

For management of these devices, can I just leave the device IP address on the bridge interface and have it be accessible via a 'management port', or a port that I leave as an untagged VLAN PVID? Once it is connected to the upstream switch it will work, or should be accessible from within the network.

Correct.

I'd correct it a small bit: for a given VID, you need to add bridge X itself to the list of tagged member ports of bridge X not only if you want to add an /interface vlan for that VID, to which you could attach an IP configuration (static address or DHCP client), but also if you want to make some wireless or virtual interface a member port of that bridge for that VLAN. In other words, if you need the frames tagged with that VID to reach the CPU. I don't understand the reason why it has been done this way, but it has. The only case when you may omit setting the bridge as a tagged member port of itself for a given VID is when it is enough that frames tagged with this VID are forwarded between Ethernet ports of the same switch chip, even though with vlan-filtering=yes the actual forwarding is also done by the CPU.
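Putting the rules from this thread together for the original scenario (ether1 and ether2 as trunks, ether5 as the access port for the PoE phone, the device itself reachable only on a tagged management VLAN), here is an added bridge-VLAN configuration; it is not a config posted by anyone in this thread. The VLAN IDs 10 (phone), 20 (APs) and 99 (management) and the use of a DHCP client on the management VLAN are assumptions; the real IDs must match the upstream Cisco switch.

```routeros
# Added example for the original poster's scenario; not from any post in this thread.
# VLAN IDs 10, 20 and 99 are constructed placeholders.
/interface bridge
add name=bridge vlan-filtering=no

/interface bridge port
# Trunks: accept only tagged frames and drop any VID that is not in the VLAN table,
# so an untagged device plugged into a trunk cannot land in the bridge PVID
add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access port for the PoE phone: untagged ingress is placed into VLAN 10 by the PVID,
# and tagged frames from the phone side are refused
add bridge=bridge interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# Phone VLAN: tagged on both trunks, untagged on ether5. The bridge itself is not a member,
# so the CPU never needs to see this traffic (the case xvo and the last post describe).
add bridge=bridge tagged=ether1,ether2 untagged=ether5 vlan-ids=10
# AP VLAN: only forwarded between the two trunks
add bridge=bridge tagged=ether1,ether2 vlan-ids=20
# Management VLAN: the bridge must be a tagged member of itself so frames reach the CPU
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=99

# An /interface vlan is needed only for the VID on which the bridge is tagged,
# and the IP configuration (here a DHCP client, an assumption) attaches to it
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=99
/ip dhcp-client
add interface=vlan-mgmt disabled=no

# Turn on filtering last, once the VLAN table is complete, so the management path
# exists before untagged access to the device is cut off
/interface bridge
set bridge vlan-filtering=yes
```

Applying the last step through a Safe Mode session (or with a scheduled rollback) keeps the device reachable if the management VID turns out to be wrong on the upstream trunk.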