bridge vlan setup (new way)

When I config’d the device I created a new bridge. It was /interface bridge name=vlan_master

and under vlan_master ports, I had tagged=eth1, eth2, eth3, eth4, untagged=eth5

After your advice, I added ‘vlan_master’ to the list of tagged members. It broke when I removed PVID=10 to PVID=1 on the vlan_master bridge interface. Whoops.

Worst case, I have a known-good config saved to flash on that device, which I’ve used before to restore from my config mess-ups when I was onsite. I can instruct the client to perform a reset and I’ll restore the config when remotely connected.

Once I get up and apply the changes per your advice and config layout, I should be 100%. Then I can reconnect the PowerBox Pro and configure that the same way. Once all is set and done, there will be no need for the Netonix switches, and valuable experience/knowledge gained from this…

Ok Cool.. I want to thank you all for your help. I was able to regain access to the Hex S device and reconfigure, along with the PowerBox Pro..

Caveat or bug in 6.41.3 (hex S).

I tried to do PVID=1 on the /interface bridge all-vlan-bridge (as in example #1 provided by Sindy). I was not able to access device from core switch/network. So performed reset. I was able however, to get working 100% using the unorthodox method #2. Perhaps review config and let me know why?

# aug/27/2018 21:17:28 by RouterOS 6.41.3
# software id = QLBM-QQJI
#
# model = RB760iGS
# serial number = 976C094D4A89
/interface bridge
add fast-forward=no name=all-vlan-bridge pvid=10 vlan-filtering=yes
add admin-mac=B8:69:F4:05:9B:D1 auto-mac=no name=bridge_switch
/interface ethernet
set [ find default-name=ether5 ] name=ether5_phone poe-out=forced-on
/interface vlan
add interface=all-vlan-bridge name=VLAN10_LAN-Mgmt vlan-id=10
add interface=all-vlan-bridge name=VLAN88_MGMT vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=all-vlan-bridge interface=ether2
add bridge=all-vlan-bridge interface=ether3
add bridge=all-vlan-bridge interface=ether4
add bridge=all-vlan-bridge interface=ether5_phone pvid=10
add bridge=all-vlan-bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=all-vlan-bridge tagged=ether1,ether2,ether3 untagged=ether5_phone,all-vlan-bridge vlan-ids=10
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1,ether2,ether3 vlan-ids=20,40,60,88
/interface list member
add comment=defconf interface=bridge_switch list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.251/24 comment=Bkup-Mgmt interface=VLAN88_MGMT network=192.168.88.0
add address=192.168.128.251/24 comment="Switch Mgmt" interface=all-vlan-bridge network=192.168.128.0
/ip dns
set allow-remote-requests=yes servers=192.168.128.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.128.1

PowerBox Config:

# aug/27/2018 21:21:17 by RouterOS 6.42.7
# software id = UNXD-I877
#
# model = 960PGS
# serial number = 8A320942F8E2
/interface bridge
add admin-mac=B8:69:F4:0F:34:E1 auto-mac=no name=all-vlan-bridge pvid=10 vlan-filtering=yes
add admin-mac=B8:69:F4:0F:34:E1 auto-mac=no name=bridge_lan
/interface ethernet
set [ find default-name=ether2 ] poe-out=forced-on
set [ find default-name=ether3 ] poe-out=forced-on
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=all-vlan-bridge name=vlan10_LAN vlan-id=10
add interface=all-vlan-bridge name=vlan88_MGMT vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=all-vlan-bridge interface=ether2
add bridge=bridge_lan hw=no interface=sfp1
add bridge=all-vlan-bridge interface=ether3
add bridge=all-vlan-bridge interface=ether4
add bridge=all-vlan-bridge interface=ether5 pvid=10
add bridge=all-vlan-bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=all-vlan-bridge tagged=ether1,ether2,ether3,ether4 untagged=ether5,all-vlan-bridge vlan-ids=10
add bridge=all-vlan-bridge tagged=ether1,ether2,ether3,ether4,all-vlan-bridge vlan-ids=20,40,60,88
/interface list member
add comment=defconf interface=bridge_lan list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=bridge_lan list=discover
add interface=all-vlan-bridge list=discover
add interface=bridge_lan list=mactel
add interface=bridge_lan list=mac-winbox
/ip address
add address=192.168.88.252/24 comment="backup mgmt" interface=vlan88_MGMT network=192.168.88.0
add address=192.168.128.252/24 comment="Mgmt IP" interface=all-vlan-bridge network=192.168.128.0
add address=192.168.99.252/24 interface=ether4 network=192.168.99.0
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.128.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name="Bears PowerBox - Trailer"
/system ntp client
set enabled=yes primary-ntp=192.168.128.1 server-dns-names=0.us.pool.ntp.org
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Last question - looking for tips or suggestions.

Thinking about buying the MikroTik mANTbox 12s (2.4GHz 120° sector) set up as AP Bridge. This is to replace an OLD EnGenius 2.4GHz N radio…

Would the VLAN tagging be the same when associating to SSIDs? As I will need to associate / include the SSIDs & VLANs into the same bridge interface? All interfaces would be tagged

Be opposite, mgmt vlan on WAP would be vlan88

When configuring WiFi interfaces as VLAN tagged, you need to do configuration like this:

# enable VLAN tagging on wlan interfaces ... all physical as well as virtual. VLAN IDs can be different on every wlan interface.
# The commands below go on top of "regular" WiFi configuration.
/interface wireless
set [ find name=wlan1 ] vlan-id=42 vlan-mode=use-tag
set [ find name=virtual_wlan ] vlan-id=666 vlan-mode=use-tag
# If wlan interfaces are not yet members of bridge, add them as tagged (trunk) - no PVID!!!
/interface bridge port
add bridge=all-vlan-bridge interface=wlan1
add bridge=all-vlan-bridge interface=virtual_wlan
# if wlan interfaces are members of bridge, change their VLAN settings. On wired (bridge) side, these interfaces carry tagged traffic!
# adjust the commands below to fit the rest of /interface bridge vlan setup!!!
/interface bridge vlan
add bridge=all-vlan-bridge tagged=wlan1 vlan-ids=42
add bridge=all-vlan-bridge tagged=virtual_wlan vlan-ids=666

Just remember to set the proper VID on both /interface wireless as well as /interface bridge vlan and you’re all set. The rest of the setup (regarding ethernet ports) is just the same…

If, instead of using bridge VLAN, one goes the HW way using switch chip VLAN, VLAN-tagged WiFi config is even simpler: you only define VLAN IDs on /interface wireless exactly the same as in the config sample above, no need to do anything anywhere else (no VLAN-special setup on bridge).

As you have published only the working configuration, there is nothing to review, so I’m afraid it will remain an unsolved mystery - unless you’d try to revert to that configuration just in order to learn what was wrong.

Thanks for the tip! I will try the switch chip VLAN method first - and perhaps also the new bridge VLAN way as well. I’ll know more later today about the performance or lack thereof when this old AP is installed at the far side of the campground. Few campers and sites ~1000ft LOS with some maple in the way. I’m doubtful it will cut the mustard, as it’s an older ENH202 model. The mANT 2 12’s seems it’ll do the trick for this part of the site. Wish MikroTik had some newer outdoor devices that were dual band 2.4/5GHz and do band steering. But I digress on that notion. I used what they had bought and that was new EnGenius ENH620ext APs (4) and a single ENH1750EXT (very nice). These are omni-radios - not my suggestion; but had to use what they already had an investment in. The rest of the network is all MikroTik and Cisco for the core switch.

@Sindy - I do have a backup file of the non-working config, I would only need to flip the PVID=1 on the /bridge interface vlan-all-master (but would most likely lose conn). After thinking about it though - I wonder if it ‘broke’ due to having the same management IP address specified on both the VLAN10 interface as well as on the vlan-all-master bridge… could have been confused. But I don’t feel like breaking it and not being on-site and having to get the client involved again with having to remotely hop onto a laptop there. Everything is up and working and in production now.

~200Mbps throughput the Hex S device via Bandwidth Test to the RB1100ahx4
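Added example, not from any poster in this thread: a small Python check that reads the bridge-related lines of the hEX S export above and reports which VLAN each IP address ends up in for a given bridge PVID. It assumes the usual bridge VLAN filtering model (an address on the bridge itself is untagged and follows the bridge pvid; a /interface vlan on the bridge only works when the bridge is a tagged member of that VLAN) and looks only at static /interface bridge vlan entries; the function names `parse` and `mgmt_vlans` are made up for this example.

```python
import re

# Excerpt of the hEX S export posted in the thread (bridge-related lines only).
EXPORT = '''\
/interface bridge
add fast-forward=no name=all-vlan-bridge pvid=10 vlan-filtering=yes
/interface vlan
add interface=all-vlan-bridge name=VLAN10_LAN-Mgmt vlan-id=10
add interface=all-vlan-bridge name=VLAN88_MGMT vlan-id=88
/interface bridge vlan
add bridge=all-vlan-bridge tagged=ether1,ether2,ether3 untagged=ether5_phone,all-vlan-bridge vlan-ids=10
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1,ether2,ether3 vlan-ids=20,40,60,88
/ip address
add address=192.168.88.251/24 comment=Bkup-Mgmt interface=VLAN88_MGMT network=192.168.88.0
add address=192.168.128.251/24 comment="Switch Mgmt" interface=all-vlan-bridge network=192.168.128.0
'''

def parse(export):
    """Group the key=value pairs of each 'add' line under its menu path."""
    sections, rows = {}, None
    for line in export.splitlines():
        if line.startswith("/"):
            rows = sections.setdefault(line.strip(), [])
        elif line.startswith("add ") and rows is not None:
            rows.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def mgmt_vlans(export, bridge_pvid=None):
    """Map each IP address to its VLAN id, or None if its VLAN interface is dead."""
    s = parse(export)
    bridge = s["/interface bridge"][0]
    name = bridge["name"]
    # bridge_pvid previews a PVID change without touching the device (assumed model).
    pvid = str(bridge_pvid) if bridge_pvid else bridge.get("pvid", "1")
    tagged = {}  # VLAN id -> statically tagged members
    for row in s["/interface bridge vlan"]:
        for vid in row["vlan-ids"].split(","):
            tagged.setdefault(vid, set()).update(row.get("tagged", "").split(","))
    vlan_if = {v["name"]: v["vlan-id"] for v in s["/interface vlan"] if v["interface"] == name}
    result = {}
    for a in s["/ip address"]:
        if a["interface"] == name:
            # Address on the bridge itself: untagged, so it follows the bridge PVID.
            result[a["address"]] = pvid
        elif a["interface"] in vlan_if:
            vid = vlan_if[a["interface"]]
            result[a["address"]] = vid if name in tagged.get(vid, set()) else None
    return result

print(mgmt_vlans(EXPORT, bridge_pvid=1))
```

With `bridge_pvid=1` the 192.168.128.251/24 address moves from VLAN 10 to VLAN 1, which is worth previewing before changing the PVID on a device you can only reach remotely.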