Bridged VLAN

Hello,

At the company I’m working for we want to create a VLAN setup with 12 separate VLAN networks for guests, IT administration, production, telephony, the office and so on.

We have a RouterBoard 1100AHx4 (6.43.7). It is connected to the provider router on ether1. This connection works (I can ping servers outside).
We have some managed D-Link switches where the VLAN IDs are set and working internally. The first switch from the router side is connected to router port ether6 with VLAN IDs 1 and 10 (IT network, telephony).

Problem: only one of the two VLANs works correctly (depending on the configuration, tested by pinging known hosts inside the VLAN).

What I added:
bridge1, without vlan-filtering.
vlan1, with id=1 and interface=bridge1
vlan10, with id=10 and interface=bridge1
bridge1 ports:
→ vlan1 (pvid=1), vlan10 (pvid=10) and ether6 (pvid=1)
bridge1 vlans:
→ vlan-id 1 with tagged ether6 and untagged vlan1 and bridge1
→ vlan-id 10 with tagged ether6 and untagged vlan10 and bridge1
ip/addresses:
bridge1: 10.10.10.12/8 network 10.0.0.0
bridge1: 192.168.10.1/24 network 192.168.10.0
ether1: 192.168.200.4/24 network 192.168.200.0
ip/routes:
0.0.0.0/0 gateway 192.168.200.6 (via ether1) → works
dynamic: 10.0.0.0/8 gateway bridge1
dynamic: 192.168.10.0/24 gateway bridge1
dynamic: 192.168.200.0/24 gateway ether1

Now I turned vlan-filtering on for bridge1, with pvid=1:
→ can reach anything in 192.168.200.0/24 (“outside”)
→ can reach anything in 10.0.0.0/8
→ can’t reach 192.168.10.0/24

Changed pvid=10:
→ now I can reach 192.168.10.0/24, but 10.0.0.0/8 no longer.

Turned vlan-filtering off: behaves like the first case.

This is the current configuration:

/interface bridge print
Flags: X - disabled, R - running 
 0 R name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=CC:2D:E0:DC:2B:62 protocol-mode=none 
     fast-forward=no igmp-snooping=no auto-mac=yes ageing-time=5m vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all 
     ingress-filtering=no dhcp-snooping=no 

/interface vlan print
Flags: X - disabled, R - running 
 #   NAME                                              MTU ARP             VLAN-ID INTERFACE                                           
 0 R IT-Netz (VLAN 1)                                 1500 enabled               1 bridge1                                             
 1 R Telefonie (VLAN 10)                              1500 enabled              10 bridge1                 

/interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                            BRIDGE                           HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0     Telefonie (VLAN 10)                  bridge1                                10     0x80         10                 10       none
 1     IT-Netz (VLAN 1)                     bridge1                                 1     0x80         10                 10       none
 2     ether6                               bridge1                          yes    1     0x80         10                 10       none

/interface bridge vlan print    
Flags: X - disabled, D - dynamic 
 #   BRIDGE                             VLAN-IDS  CURRENT-TAGGED                            CURRENT-UNTAGGED                           
 0   bridge1                            10        ether6                                    bridge1                                    
                                                                                            Telefonie (VLAN 10)                        
 1   bridge1                            1         ether6                                    bridge1                                    
                                                                                            IT-Netz (VLAN 1)             
                                                                                            
/ip address print      
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                      
 0   192.168.200.4/24   192.168.200.0   ether1                                                                                         
 1   10.10.10.12/8      10.0.0.0        bridge1                                                                                        
 2   192.168.10.1/24    192.168.10.0    bridge1  
 
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.200.6             1
 1 ADC  10.0.0.0/8         10.10.10.12     bridge1                   0
 2 ADC  192.168.10.0/24    192.168.10.1    bridge1                   0
 3 ADC  192.168.200.0/24   192.168.200.4   ether1                    0

I read the wiki pages on bridging, VLANs and so on, and some other examples and problem descriptions on this forum.
But I get stuck here…
Simple question (hopefully): where is my thinking going wrong?

Thanks for your help,
Christoph

Confirm firmware version and post entire config.

Version:

/system resource> print
             uptime: 1d6h58m41s
            version: 6.43.7 (stable)
         build-time: Nov/30/2018 09:01:14
   factory-software: 6.40.4
        free-memory: 972.4MiB
       total-memory: 1024.0MiB
                cpu: ARMv7
          cpu-count: 4
      cpu-frequency: 1400MHz
           cpu-load: 0%
     free-hdd-space: 89.0MiB
    total-hdd-space: 128.3MiB
  architecture-name: arm
         board-name: RB1100AHx4
           platform: MikroTik

Configuration:

/export
# dec/12/2018 20:15:44 by RouterOS 6.43.7
# software id = CLDY-SGRJ
#
# model = RouterBOARD 1100x4
# serial number = 91D708D8BA65
/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge1 name="IT-Netz (VLAN 1)" vlan-id=1
add interface=bridge1 name="Telefonie (VLAN 10)" vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface="Telefonie (VLAN 10)" pvid=10
add bridge=bridge1 interface="IT-Netz (VLAN 1)"
add bridge=bridge1 interface=ether6
/interface bridge vlan
add bridge=bridge1 tagged=ether6 untagged="Telefonie (VLAN 10),bridge1" vlan-ids=10
add bridge=bridge1 tagged=ether6 untagged="IT-Netz (VLAN 1),bridge1" vlan-ids=1
/ip address
add address=192.168.200.4/24 interface=ether1 network=192.168.200.0
add address=10.10.10.12/8 interface=bridge1 network=10.0.0.0
add address=192.168.10.1/24 interface=bridge1 network=192.168.10.0
/ip dns
set servers=192.168.200.57,192.168.200.6
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.200.6
/system clock
set time-zone-name=Europe/Berlin
/tool user-manager database
set db-path=user-manager

I have no idea what the purpose of defining vlan1 is, because it already exists by default in the router.
So you still have VLAN 1 transparent below, the bridge is the DHCP server for it, and I created vlan100 for the other need, IT-NETZ:

/export
# dec/12/2018 20:15:44 by RouterOS 6.43.7
# software id = CLDY-SGRJ
#
# model = RouterBOARD 1100x4
# serial number = 91D708D8BA65

/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge1 name="IT-Netz (VLAN 100)" vlan-id=100
add interface=bridge1 name="Telefonie (VLAN 10)" vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface="Telefonie (VLAN 10)" pvid=10
add bridge=bridge1 interface="IT-Netz (VLAN 100)"
# add ingress-filtering=yes to ether6 if this is a trunk port
add bridge=bridge1 interface=ether6
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6 untagged="Telefonie (VLAN 10)" vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether6 vlan-ids=100
/ip address
add address=192.168.200.4/24 interface=ether1 network=192.168.200.0
# normal LAN
add address=10.10.10.12/8 interface=bridge1 network=10.0.0.0
# for vlan 10
add address=192.168.10.1/24 interface="Telefonie (VLAN 10)" network=192.168.10.0
# for vlan 100
add address=192.168.100.1/24 interface="IT-Netz (VLAN 100)" network=192.168.100.0
/ip dns
set servers=192.168.200.57,192.168.200.6
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.200.6
/system clock
set time-zone-name=Europe/Berlin
/tool user-manager database
set db-path=user-manager
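To see why an address bound on bridge1 itself can only ever reach the VLAN selected by the bridge's PVID, while an address on a VLAN interface over bridge1 (with bridge1 a tagged member) reaches its own VLAN, here is a small Python model of the bridge VLAN table behaviour discussed in this thread. It is an added example, not MikroTik code or anything posted above; it assumes only the CPU port bridge1 and the trunk ether6 matter, and that RouterOS adds a dynamic untagged membership for every port's PVID.

```python
# Toy model of RouterOS bridge VLAN filtering for this thread (not MikroTik code).
# Only the CPU port "bridge1" and trunk ether6 are modelled, plus the dynamic
# untagged PVID membership RouterOS adds for every port.
def members(vlans, ports, vid):
    """Ports allowed in `vid`: static table entries plus dynamic PVID entries."""
    v = vlans.get(vid, {"tagged": set(), "untagged": set()})
    return v["tagged"] | v["untagged"] | {p for p, pvid in ports.items() if pvid == vid}

def forward(vlans, ports, in_port, tag, out_port, ingress_filtering=False):
    """Ingress classification (802.1Q tag, else the port's PVID), then egress.
    Returns (vlan_id, leaves_tagged) or None if the frame is dropped."""
    vid = tag if tag else ports[in_port]
    if ingress_filtering and in_port not in members(vlans, ports, vid):
        return None  # VLAN unknown on a filtering port: dropped at ingress
    if out_port not in members(vlans, ports, vid):
        return None  # out_port is not a member of this VLAN: no egress
    return vid, out_port in vlans.get(vid, {}).get("tagged", set())

def router_reaches(vlans, ports, src_iface, wanted_vid):
    """Does a packet the router sends on `src_iface` leave ether6 in `wanted_vid`?
    src_iface is "bridge1" (address on the bridge itself: enters the CPU port
    untagged) or a VLAN id (address on a VLAN interface over bridge1: enters tagged)."""
    tag = 0 if src_iface == "bridge1" else src_iface
    out = forward(vlans, ports, "bridge1", tag, "ether6")
    return out is not None and out[0] == wanted_vid

# Opening post: both subnets bound on bridge1 itself, and bridge1 listed as
# *untagged* member of VLAN 1 and VLAN 10 at the same time.
OP_PORTS = {"bridge1": 1, "ether6": 1}
OP_PORTS_PVID10 = {**OP_PORTS, "bridge1": 10}  # the "changed pvid=10" test
OP_VLANS = {1: {"tagged": {"ether6"}, "untagged": {"bridge1"}},
            10: {"tagged": {"ether6"}, "untagged": {"bridge1"}}}
# Last post: 10.0.0.0/8 stays on bridge1 (PVID 1), 192.168.10.0/24 moves to
# the VLAN 10 interface, and bridge1 becomes a *tagged* member of VLAN 10.
FIX_PORTS = {"bridge1": 1, "ether6": 1}
FIX_VLANS = {10: {"tagged": {"ether6", "bridge1"}, "untagged": set()}}

def summary():
    return {  # (reaches VLAN 1, reaches VLAN 10) per scenario
        "op_pvid1": (router_reaches(OP_VLANS, OP_PORTS, "bridge1", 1),
                     router_reaches(OP_VLANS, OP_PORTS, "bridge1", 10)),
        "op_pvid10": (router_reaches(OP_VLANS, OP_PORTS_PVID10, "bridge1", 1),
                      router_reaches(OP_VLANS, OP_PORTS_PVID10, "bridge1", 10)),
        "fixed": (router_reaches(FIX_VLANS, FIX_PORTS, "bridge1", 1),
                  router_reaches(FIX_VLANS, FIX_PORTS, 10, 10)),
        # a tag absent from the table is dropped at ingress with ingress-filtering=yes
        "stray_vlan20_dropped": forward(FIX_VLANS, FIX_PORTS, "ether6", 20,
                                        "bridge1", ingress_filtering=True) is None,
    }
```

`summary()` reproduces the three outcomes reported in the thread: with the first config only the PVID VLAN is reachable from the router, whichever PVID is chosen, and with the last config both are.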

Thanks a lot!

Everything now works as expected, here's the config:

/export
# dec/14/2018 12:44:54 by RouterOS 6.43.7
# software id = CLDY-SGRJ
#
# model = RouterBOARD 1100x4
# serial number = 91D708D8BA65

/interface bridge
add fast-forward=no ingress-filtering=yes name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge1 name="Telefonie (VLAN 10)" vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface="Telefonie (VLAN 10)" pvid=10
add bridge=bridge1 ingress-filtering=yes interface=ether6
/interface bridge vlan
add bridge=bridge1 tagged=ether6,bridge1 untagged="Telefonie (VLAN 10)" vlan-ids=10
/ip address
add address=192.168.200.4/24 interface=ether1 network=192.168.200.0
add address=10.10.10.12/8 interface=bridge1 network=10.0.0.0
add address=192.168.10.1/24 interface="Telefonie (VLAN 10)" network=192.168.10.0
/ip dns
set servers=192.168.200.57,192.168.200.6
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.200.6
/system clock
set time-zone-name=Europe/Berlin
/tool user-manager database
set db-path=user-manager