Hi everyone, I have a problem with VLAN filtering on a bridge running on a 4011. I have a VLAN (VLAN id 100) which is attached to the bridge with a corresponding L3 interface. DHCP is configured and without VLAN filtering enabled on the bridge, everything works as expected. Once VLAN filtering is enabled traffic stops passing. I have tagged VLAN 100 on the outgoing interface. As soon as VLAN filtering is disabled, traffic resumes. Relevant config as follows:
Did you follow this guide… http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
By the way, don't tell me another person that likes mixing apples and oranges.
if you are going to run vlans and bridge,
then make all subnets vlan on one bridge and don't have the bridge do anything
in other words only vlans get ip pool, ip address, dhcp-server, dhcp-server network etc…
In any case you need to read the link make any adjustments and then
post your full config /export (minus the serial number and any public WANIP info)
I’d say that relevant config is a bit more than was posted. You have DHCP on some VLAN interface, right? That interface must be listed as tagged in /interface bridge vlan.
The use case here is just a simple guest network, tagged onto an interface which has my regular network untagged using a Hybrid port configuration (ether2). One point which is worth mentioning again is that this configuration works as expected until VLAN filtering on the bridge is enabled. The aim here is to simply restrict the amount of VLANs that are tagged on a Hybrid port.
Sorry you only have one subnet identified, and thus not sure what you are trying to do…
Why mix apples and oranges and make the config more complex, no need for hybrid ports for example.
You need two vlans.
vlan100 guests
vlan10 normal users.
Where you have it wrong is the /interface bridge ports and /interface bridge vlan settings.
However, before a clear answer can be provided, we need to know what you are connecting to on etherports 2 through X.
To dumb PC/printer
To smart switch
To something else
What is it that can accept a hybrid flow of traffic for example on your ether2??
ASIDE DISCUSSION: By the way, it matters not how many vlans are tagged on a hybrid port, the key is ONLY one untagged vlan can be assigned but as many tagged vlans you wish.
Yes, as I noted where the problems lie, that is one of them but again, going to name you “cart before the horse” Sob.
You fail to note the incomplete /interface bridge port settings as well and thus that would not really fix all the issues.
Which means the OP doesn't understand the bridge filtering process and one-liner answers are not helpful for the OP to learn.
Let alone the fact that the OP is throwing around the word hybrid, and it's not clear why, and the fact that he thinks one needs to limit the number of tagged vlans on a hybrid port is another clue to the need for education.
Thanks for your reply.
I have my home network configured directly on the bridge, complete with its own IP address, DHCP server & pool etc (I omitted that detail from the config I supplied as this element is working fine). Ether2 is connected to an access point. I also have a KVM host connected to ether6 which uses various VLANs for VMs that reside on it. On my access point I have configured a ‘Guest’ SSID which utilises VLAN 100 for clients. This works perfectly if I switch off VLAN filtering on the bridge Home-NW-Bridge. If I enable it, traffic stops passing on VLAN 100. From the documentation I have read, it appears that under the ‘/interface bridge vlan’ context the command to permit and tag the VLAN(s) once filtering is enabled on the required interface(s) is in my case ‘add bridge=Home-NW-Bridge tagged=ether2,ether3,ether6 vlan-ids=100’. This does not appear to work for me.
My reason for wanting to restrict the amount of VLANs on a hybrid port is due to security. At home it doesn’t matter about including every VLAN on a hybrid interface. If I wanted to use this in a business environment I would want to prune only the specific VLANs to meet the client’s requirements. In the Cisco world on a switchport the command to permit only the required VLANs would be: ‘switchport trunk allowed vlan x,y,z’.
@anav: And I’m going to name you, “fix everything else before or instead of the actual problem” anav.
OP posted partial config first and judging by those repeating parts, next attempt is also edited and probably incomplete. So a hint what’s clearly wrong could be enough.
Yes, of course, the OP is complaining about getting wet, but one cannot save the world unless one understands all the interconnected world’s problems LOL. Once we get hunger, famine out of the way we can work on shelter…
@OP I figured you had gone down the rabbit (sob) hole of mixing up bridge and vlans. I personally, as soon as I start using vlans on a bridge, take away the bridge from any duties other than being a simple bridge. It makes life clean, consistent and simple.
Regardless you can do it anyway you like. ( sentence added to make Sob happy )
However, which AP are you using on ether2. Is it a smart AP? If so, is it MikroTik??
Most of them expect vlans on a trunk port except UNIFI, as they come by default expecting the management or trusted subnet untagged and all the data vlans tagged.
So once we have sorted out what monster you are using…
As for # of vlans, you only send vlans to a device that are required, so there is security paring down here. Functionality/requirements drive the vlans going through any interface.
Security is ensuring firewall rules are applied where necessary and one can add ingress filtering and frame types on the /interface bridge port settings… for a full vlan scenario.
Hybrid ports usually don't have such settings.
Thank you for your reply. The missing part of the config was not tagging the VLAN on the bridge. I had this:
/interface bridge vlan
add bridge=Home-NW-Bridge tagged=ether2,ether3,ether6 vlan-ids=100
Your suggestion was to configure it like this:
add bridge=Home-NW-Bridge tagged=ether2,ether3,Home-NW-Bridge,ether6 vlan-ids=100
With the VLAN tagged it is now working as expected.
As a further discussion point, I am happy to move the bridge layer 3 config to a VLAN if this is Mikrotik’s recommended configuration. Will schedule in a maintenance window with the family and get this done.
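For readers landing on this thread, here is a complete worked configuration that ties the two fixes together: the bridge itself listed as a tagged member of every VLAN that carries an L3 VLAN interface, and (as anav and Sob suggest) the home network moved off the bridge onto its own VLAN interface. This is an added example, not the OP's export or any poster's config. It reuses the names on the page (Home-NW-Bridge, ether2/ether3/ether6, VLAN 100); the home VLAN id 10, the vlan10-home / vlan100-guest interface names, the addresses and pools, and the firewall rule are all assumptions chosen for illustration.

```routeros
# Constructed example: VLAN-filtered bridge on RouterOS.
# Assumed layout: ether2 = access point (hybrid: home untagged, guest 100 tagged),
#                 ether3 = another device that only needs guest VLAN 100 tagged,
#                 ether6 = KVM host (trunk, tagged only).
# VLAN 10 (home) and every address below are assumed values, not the OP's.

/interface bridge
# Leave filtering off until the vlan table is complete, otherwise the
# management path can be cut off mid-configuration.
add name=Home-NW-Bridge vlan-filtering=no

/interface bridge port
# Hybrid port to the AP: untagged frames become VLAN 10 (pvid), tagged guest
# frames (VLAN 100) pass. frame-types stays at the default admit-all because
# the AP sends both kinds. ingress-filtering drops tagged frames for VLANs
# this port is not a member of in the table below.
add bridge=Home-NW-Bridge interface=ether2 pvid=10 ingress-filtering=yes
# Tagged-only ports: untagged frames are dropped at ingress.
add bridge=Home-NW-Bridge interface=ether3 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
add bridge=Home-NW-Bridge interface=ether6 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

/interface bridge vlan
# The bridge interface must be a tagged member of any VLAN that has an
# /interface vlan on top of it; omitting it is what broke VLAN 100 above.
# Listing only the ports that need a VLAN is the "prune the trunk" step.
add bridge=Home-NW-Bridge tagged=Home-NW-Bridge,ether2,ether3,ether6 vlan-ids=100
add bridge=Home-NW-Bridge tagged=Home-NW-Bridge,ether6 untagged=ether2 vlan-ids=10

/interface vlan
# Layer 3 lives on VLAN interfaces, so the bridge stays a plain bridge.
add interface=Home-NW-Bridge name=vlan10-home vlan-id=10
add interface=Home-NW-Bridge name=vlan100-guest vlan-id=100

/ip address
add address=192.168.10.1/24 interface=vlan10-home
add address=192.168.100.1/24 interface=vlan100-guest

/ip pool
add name=pool-home ranges=192.168.10.100-192.168.10.200
add name=pool-guest ranges=192.168.100.100-192.168.100.200

/ip dhcp-server
add name=dhcp-home interface=vlan10-home address-pool=pool-home disabled=no
add name=dhcp-guest interface=vlan100-guest address-pool=pool-guest disabled=no

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1

/ip firewall filter
# Membership pruning limits which VLANs reach a port; the isolation itself is
# enforced here: guests cannot initiate connections into the home network.
add chain=forward in-interface=vlan100-guest out-interface=vlan10-home \
    connection-state=new action=drop comment="guest -> home blocked"

/interface bridge
# Enable filtering last, from a console or from a host on a VLAN that is
# already in the table, and verify with: /interface bridge vlan print
set Home-NW-Bridge vlan-filtering=yes
```

Two checks are worth running after the final `set`: `/interface bridge vlan print` should show Home-NW-Bridge under "current-tagged" for both VLANs, and `/interface bridge host print` should list the AP's and the KVM host's MAC addresses against the expected VIDs; a VLAN whose L3 interface sits on the bridge but which is missing Home-NW-Bridge from its tagged list reproduces exactly the symptom in the opening post.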
And I usually do the same, the uniformity of using VLAN interfaces for all VLANs seems more clear and easier to understand. But it’s not that big difference, if instead of one VLAN interface you use the bridge directly, it’s just another interface.