Bridged VLAN DHCP Not working

Hi Guys,

I am having a problem getting VLAN filtering to work. I am posting the configuration here and ask you guys to check and tell me if I am missing something, please. From my understanding, we can use VLAN filtering to simplify VLAN setup. I summarized a couple of points here, please correct me if I am wrong:

  1. we should avoid using port-based VLANs, as it is the old type of configuration, which means we don't need to touch the VLAN configuration settings in /interface switch vlan;
  2. the /interface switch port settings will regulate the traffic flow for this specific switch port in combination with the VLAN filtering set in /interface bridge vlan;
  3. when we use VLAN filtering, we don't need to use /interface switch vlan, as /interface bridge vlan has more control over it.

I was trying to follow the instruction here https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table#Trunk.2FAccess_port_setup with my own setup:

1. ether3 as trunk with vlan40 and vlan50;
2. ether4 is an access port with vlan40;
3. ether5 is an access port with vlan50;

But it doesn't seem I could get the VLANs working. The hosts connected to ether4 and ether5 did not get a valid IP and cannot ping the respective gateways with a manual IP configured on the hosts.

Could you guys please tell me what I am missing or what I have done wrong?

the router configs are:
/interface vlan
add interface=bridge1 name=vlan40 vlan-id=40
add interface=bridge1 name=vlan50 vlan-id=50
/interface ethernet switch port
set 2 vlan-mode=secure
set 3 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vlan40-pool ranges=192.168.40.20-192.168.40.200
add name=vlan50-pool ranges=192.168.50.20-192.168.50.200

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=vlan40-pool disabled=no interface=vlan40 name=dhcp-server-vlan40
add address-pool=vlan50-pool disabled=no interface=vlan50 name=dhcp-server-vlan50

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

/interface bridge vlan
add bridge=bridge1 tagged=ether3,bridge1 untagged=ether4 vlan-ids=40
add bridge=bridge1 tagged=ether3 untagged=ether5 vlan-ids=50

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.40.1/24 interface=vlan40 network=192.168.40.0
add address=192.168.50.1/24 interface=vlan50 network=192.168.50.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server network
add address=192.168.40.0/24 dns-server=8.8.8.8 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=8.8.8.8 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

When configuring VLANs via bridge vlan-filtering, you don’t configure anything in /interface ethernet switch, everything goes to /interface bridge … And it’s the /interface bridge port section which is wrong in your config. Should be something like this:

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=50

As I mentioned, you don’t configure anything in /interface ethernet switch part of configuration tree.

The rest of config seems right …

Hi MKX,

Thank you very much for correcting my configuration and for the clarification that there is no need to touch the /interface ethernet switch part of the configuration tree when we configure VLANs via bridge vlan-filtering. I changed the config as you advised, but it doesn't seem I could make it work. Can you please have another look at my config? I even disabled the input chain to allow all interfaces coming into the router (this is a lab setup). Thank you very much in advance.

my config as below:

/interface vlan
add name=vlan40 vlan-id=40
add name=vlan50 vlan-id=50

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vlan40-pool ranges=192.168.40.2-192.168.40.200
add name=vlan50-pool ranges=192.168.50.20-192.168.50.200

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=vlan40-pool disabled=no interface=vlan40 name=dhcp-server-vlan40
add address-pool=vlan50-pool disabled=no interface=vlan50 name=dhcp-server-vlan50

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=50

/interface bridge vlan
add bridge=bridge1 tagged=ether3 untagged=ether4 vlan-ids=40
add bridge=bridge1 tagged=bridge1,ether3 untagged=ether5 vlan-ids=50
add bridge=bridge vlan-ids=""

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.40.1/24 interface=vlan40 network=192.168.40.0
add address=192.168.50.1/24 interface=vlan50 network=192.168.50.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server network
add address=192.168.40.0/24 dns-server=8.8.8.8 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=8.8.8.8 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.88.1 name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

I finally managed to get it working. Thanks MKX for helping me to narrow down the problem. Basically the problems were compounded by a few factors:

1. I wasn't smart enough to grasp the logic of the documentation. The online manual did not seem to explain well the logic between the overlapping configuration in:
/interface vlan
/interface bridge
/interface switch

2. When I referred to the configuration example RouterOS - RouterOS - MikroTik Documentation, it did not state that I need to tag the bridge1 (in my case), but it did mention it elsewhere. But after reading the following quote, I thought it was all we needed for a successful VLAN filtering config (without the need of tagging the VLAN bridge):

"For testing purposes we are going to enable VLAN filtering, but note that it might make you lose access to the device since it does not have a management access configured yet (we will configure it later). It is always recommended to configure VLAN filtering while using a serial console, though you can also configure a device through a port, that is not added to a bridge. Make sure you are using a serial console or connected through a different port (that is not in a bridge) and enable VLAN filtering:

/interface bridge set bridge1 vlan-filtering=yes
..."

3. Unknown conflicting configuration left behind. I reset the router with "Do Not Backup" a few times and tried all the possible configurations with the advice given by mkx. It did not work even when I tagged the bridge1. But once I reset the router with "No default configuration" and configured everything from scratch and tagged the bridge1, it started working straight away.

[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic

 #   BRIDGE   VLAN-IDS   CURRENT-TAGGED   CURRENT-UNTAGGED
 0   bridge1  40         bridge1          ether4
 1   bridge1  50         bridge1          ether5
 2 D bridge1  1          bridge1

Hope this is the correct way of doing it.

Thanks to MKX and all.
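The three things that bit this thread (switch-chip VLAN settings left behind, the bridge itself not being a tagged member of a VLAN that carries a VLAN interface, and VLAN interfaces missing from the LAN list that the default input chain trusts) are all visible in the export text. The following checker is an added example written for this thread, not a MikroTik tool or anything from the original posts. It parses the add/set lines of an export into sections and flags those conditions plus an access-port pvid with no untagged entry. The sample export is constructed from the configs posted above (first post's bridge vlan table with the second post's bridge ports) and is not a verbatim copy of either; the finding codes and function names are the example's own.

```python
"""Lint a RouterOS export for the bridge VLAN filtering pitfalls this thread ran into.

Hypothetical checker, not a MikroTik tool. It flags:
(1) VLAN settings left in /interface ethernet switch port,
(2) a VLAN interface whose bridge is not a tagged member of that VLAN,
(3) an access port whose pvid has no untagged entry in /interface bridge vlan,
(4) VLAN interfaces missing from the LAN list the default input chain trusts.
"""
import shlex
from collections import defaultdict

# Constructed sample modelled on the thread's configs; not a verbatim export.
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge1 name=vlan40 vlan-id=40
add interface=bridge1 name=vlan50 vlan-id=50
/interface ethernet switch port
set 3 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=40
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=50
/interface bridge vlan
add bridge=bridge1 tagged=ether3,bridge1 untagged=ether4 vlan-ids=40
add bridge=bridge1 tagged=ether3 untagged=ether5 vlan-ids=50
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
"""


def parse_export(text):
    """Return {section: [entry, ...]}, each entry mapping key -> value.

    A positional token (the '3' in 'set 3 ...') is stored under '_target'."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line          # a section header such as /interface bridge vlan
            continue
        tokens = shlex.split(line)  # handles comment="defconf: masquerade"
        if not tokens or tokens[0] not in ("add", "set"):
            continue
        entry = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                entry[key] = value
            else:
                entry.setdefault("_target", tok)
        sections[current].append(entry)
    return sections


def vlan_id_set(spec):
    """Expand a vlan-ids value such as '40,50-52' into {'40','50','51','52'}."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(str(i) for i in range(int(lo), int(hi or lo) + 1))
    return ids


def members(entry, key):
    """Comma-separated interface list stored under `key`, as a set."""
    return set(filter(None, entry.get(key, "").split(",")))


def lint(sections):
    """Return a list of (code, message) findings for a parsed export."""
    findings = []
    bridge_vlans = sections.get("/interface bridge vlan", [])
    vlan_ifaces = sections.get("/interface vlan", [])

    # (1) bridge vlan-filtering and switch-chip VLAN settings must not be mixed
    for port in sections.get("/interface ethernet switch port", []):
        keys = sorted(k for k in port if k.startswith("vlan") or k == "default-vlan-id")
        if keys:
            findings.append(("switch-vlan", f"switch port {port.get('_target')} still sets "
                             f"{', '.join(keys)}; leave /interface ethernet switch port alone"))

    # (2) the bridge must be tagged in every VLAN that carries one of its VLAN interfaces
    for vif in vlan_ifaces:
        bridge, vid, name = vif.get("interface"), vif.get("vlan-id"), vif.get("name")
        matching = [e for e in bridge_vlans
                    if e.get("bridge") == bridge and vid in vlan_id_set(e.get("vlan-ids", ""))]
        if not any(bridge in members(e, "tagged") for e in matching):
            findings.append(("bridge-not-tagged", f"{name}: VLAN {vid} rides on {bridge}, but "
                             f"{bridge} is not a tagged member, so its IP and DHCP server never see it"))

    # (3) an access port's pvid must appear as an untagged member of that VLAN
    for port in sections.get("/interface bridge port", []):
        pvid, iface, bridge = port.get("pvid"), port.get("interface"), port.get("bridge")
        if pvid and not any(e.get("bridge") == bridge and pvid in vlan_id_set(e.get("vlan-ids", ""))
                            and iface in members(e, "untagged") for e in bridge_vlans):
            findings.append(("pvid-not-untagged",
                             f"{iface}: pvid {pvid} has no untagged entry in /interface bridge vlan"))

    # (4) the default firewall drops input not from list LAN; VLAN interfaces must be in it
    lan = {e.get("interface") for e in sections.get("/interface list member", [])
           if e.get("list") == "LAN"}
    for vif in vlan_ifaces:
        if vif.get("name") not in lan:
            findings.append(("not-in-lan", f"{vif.get('name')} is not in interface list LAN; "
                             "the default input chain drops DHCP and ping from it"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_export(SAMPLE_EXPORT)):
        print(f"[{code}] {msg}")
```

Run it against the output of /export to see the findings; on the sample it reports the stale switch-port settings, VLAN 50 without bridge1 tagged, and both VLAN interfaces missing from LAN. Adding bridge1 to the tagged list of VLAN 50, removing the switch-port VLAN settings and adding vlan40/vlan50 to the LAN list makes it report nothing.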

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

Thanks anav. I found that http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 is an invaluable source to learn from and configure a functional MikroTik unit. But I think it would be good if the documentation had a high level of instructions. Because when I configured the VLAN filtering, I didn't think that the default configuration of the INPUT chain would block the VLAN traffic to the router itself, because I did not need to do it with other vendors. But when I read the links above 3 days ago, I realized it could be one of the things causing my problem. However, it is not mentioned in the documentation in the VLAN manual (or at least I did not see it).

MikroTik is very flexible and powerful. However, I would think we need a higher level of instruction to explain how it works, how it relates to each other and how to secure it. Because from my experience, it normally wouldn't be too hard to understand the detailed configuration, but the harder bit is to understand how it relates to other parts. For example, on MikroTik routers with integrated switch ports, once we create the VLANs, it automatically allows inter-VLAN routing. This is risky if someone configures it and uses it in a production environment without realizing it. But it doesn't seem that the documentation addresses it and draws much attention to it when we configure the VLANs.

The link above is good, but the documentation should address more instead of plainly explaining the stuff standalone. That is my opinion. Hope it doesn't upset anyone.