Bridging all tagged and untagged vlan traffic

RouterOS General
1

Hello! :slight_smile:

I have a question about Mikrotik Vlan handling.

We have a number of mikrotik backhauls that presently deliver standard network traffic from point A to point B.

We are trying to upgrade our network to take advantage of Vlans. We want to put our network infrastructure — including our MT’s — on vlan 123, so that it can be routed separately from client traffic at our NOC.

We are having difficulty configuring our MT’s to behave that way though.

[cloud]----eth1[MT]wireless ---- wireless[MT]eth1—[cloud]

Whether these links are wireless or ethernet seem to have no bearing on the problem however. For example, I am testing configs in the lab here using a setup like this:

[cloud]—ethX[MT]ethY—[cloud]

If I create a bridge, and add both physical interfaces to the bridge, the MT appears to bridge all tagged and untagged traffic beautifully. However, it will only respond to management requests via untagged traffic.

If I am passing, say, 3 vlans I can use the following setup:
create vlan121e, vlan121w, vlan122e, vlan122w, vlan123e, vlan123w .. where vlanXY is vlanid X attached to physical interface Y (ethernet or wireless)
And then create a bridge for each vlan id, and add 2 vlan objects to each bridge with the matching vlanid. Now the MT is able to bridge all the vlan traffic, and respond to IP addresses attached to any vlan object via the appropriate vlan tagging. However:
A> It’s troublesome to have to explicitly define every vlan we wish to bridge, and
B> There seems to be no way to use this setup, and to bridge untagged traffic simultaneously.

If These were Cisco switches of some kind instead of MT’s, the solution I seek would be to put all the physical ports one wishes to bridge into trunk mode, set allowed vlan any, and specify a native vlan which the switch would use to internally understand all of the untagged traffic. The management port could then be the untagged vlan (as default), or any other vlan I wish to add an ip to (like our 123 management vlan goal). That is exactly how we have configured all of our non-wireless Cisco equipment for this planned upgrade.

Can anyone suggest an arrangement of MT configuration objects (bridges, vlans, etc :smiley:) that operates in a similar method to a Cisco trunk port, as described here?

If I cannot avoid explicitly defining each vlan, then I can swallow that pill.. but our setup REQUIRES that the MT respond on an IP address handled by a tagged vlan, but that it also bridge some other vlans and also all untagged traffic. Aside from responding on it’s vlan-handled IP, the MT would not be needed to change, add or remove any of the vlan tags it bridges (in case that helps simplify the solution :slight_smile:

Please let me know if this is possible. :slight_smile:

    • Jesse Thompson
      Webformix, Bend OR
Configuring for multiple VLANs
RouterOS v5.8 released
2

Post your vlan and bridge configs… You’ll need to make separate bridges for the client traffic and reassign the IP address to the bridge instead of the actual interface. Also you have to use WDS to support vlans over wireless.

3

Jesse,
As you wrote each VLAN needs it’s own bridge, that’s basically how a switch work.
You need to create a bridge for the native VLAN.
Read my replies in this topic:
http://forum.mikrotik.com/t/configuring-vlan-trunking-on-mt-router-to-cisco-c2924-switch/21509/7
/Paul

4

I take it peson that you are recommending we use one bridge containing the two physical interfaces to handle untagged traffic, and one bridge for each of the vlans we wish to support, simultaneously?

This is one permutation I tried before posting the question. It appears as though having physical ports on a bridge prevents vlan interfaces or bridges from being able to handle vlan-tagged traffic. Instead, all traffic is forwarded through the bridge regardless of destination IP or vlan.

Here is my test config:

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 \
    name=bridgeUntagged priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 \
    name=bridge130 priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
    mac-address=00:0C:42:2F:57:66 mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes mac-address=00:0C:42:2F:57:67 master-port=\
    none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes mac-address=00:0C:42:2F:57:68 master-port=\
    none mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes mac-address=00:0C:42:2F:57:69 master-port=\
    none mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
    "" disabled=no full-duplex=yes mac-address=00:0C:42:2F:57:6A master-port=\
    none mtu=1500 name=ether5 speed=100Mbps
/interface vlan
add arp=enabled comment="" disabled=no interface=ether2 mtu=1500 name=\
    vlan130e2 vlan-id=130
add arp=enabled comment="" disabled=no interface=ether3 mtu=1500 name=\
    vlan130e3 vlan-id=130
/ip address
add address=10.10.0.201/24 broadcast=10.10.0.255 comment="" disabled=no \
    interface=bridge130 network=10.10.0.0

That can be summarized in pseudocode as:

/interface bridge
  add name=bridgeUntagged 
  add name=bridge130
/interface ethernet
  set 0..4 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
      mtu=1500 name=ether1..5 speed=100Mbps
/interface vlan
  add interface=ether2 name=vlan130e2 vlan-id=130
  add interface=ether3 name=vlan130e3 vlan-id=130
/ip address
  add address=192.168.0.11/24 broadcast=192.168.0.255
      interface=ether2 network=192.168.0.0
  add address=10.10.0.201/24 broadcast=10.10.0.255
      interface=bridge130 network=10.10.0.0
/bridgeport [I can't find anything like this in the config export, we manipulate our configuration via Winbox :P]
  add bridge=bridgeUntagged interface=ether2
  add bridge=bridgeUntagged interface=ether3
  add bridge=bridge130 interface=vlan130e2
  add bridge=bridge130 interface=vlan130e3

Configured this way, MT passes all untagged traffic through eth2<->eth3, and all vlan tagged traffic of any vlan id, including 130. (and 120 and 1234 — all tagged traffic gets bridged) and replies on 192.168 ip address (which is routed via untagged traffic) Only drawback is that MT does not respond on 10.10 IP address which is routed through vlan130. Managing MT via vlan130 is vital to our needs.

If I disable the bridge named “bridgeUntagged”, then the IP address 10.10 begins responding instantly. IP 192.168 continues to work, vlan130 traffic continues to flow, but all untagged traffic and any traffic via vlans aside from 130 stop flowing.

I can reclaim traffic for vlans aside from 130 by building a bridged vlan arrangement for each one, but I cannot build such an arrangement for untagged traffic without preventing ip access via vlan130.

So I am left in a situation where I have to choose between being able to bridge untagged traffic, and being able to manage the MT via tagged vlan traffic. There has to be something I am missing about the right way to configure this.

Thank you for helping me to check things out. :slight_smile:

    • Jesse
5

When you make the bridges you need reassign the IP address to the bridge and NOT the interface.

peson I know you don’t like doing it this way, but would you post a config for this example? If you have vlans on two physical interfaces that you need to bridge how else do you configure it?

/interface bridge
	add name=bridge-untagged disabled=no
/interface bridge port
	add interface=ether2 bridge=bridge-untagged disabled=no
	add interface=ether3 bridge=bridge-untagged disabled=no
/interface vlan
	add interface=bridge-untagged name=vlan130 vlan-id=130 disabled=no
/ip address
	add address=192.168.0.11/24 interface=bridge-untagged
	add address=10.10.0.201/24 interface=vlan130
6

True, but I will make an exception :slight_smile:

This is the way it should be configured:

/interface vlan
	add interface=ether2 name=ether2-vl130 vlan-id=130 disabled=no
	add interface=ether3 name=ether3-vl130 vlan-id=130 disabled=no
	add interface=ether4 name=ether4-vl2 vlan-id=2 disabled=no
	add interface=ether2 name=ether2-vl10 vlan-id=10 disabled=no
	add interface=ether3 name=ether3-vl10 vlan-id=10 disabled=no
	add interface=ether4 name=ether4-vl10 vlan-id=10 disabled=no
/interface bridge
	add name=br-vl130 disabled=no
	add name=br-vl2 disabled=no
	add name=br-vl10 disabled=no
/interface bridge port
	add interface=ether2-vl130 bridge=br-vl130 disabled=no (id 130 tagged traffic on ether2)
	add interface=ether3-vl130 bridge=br-vl130 disabled=no (id 130 tagged traffic on ether3)
	add interface=ether4 bridge=br-vl130 disabled=no (untagged traffic on ether4)
	add interface=ether2 bridge=br-vl2 disabled=no (untagged traffic on ether2)
	add interface=ether3 bridge=br-vl2 disabled=no (untagged traffic on ether3)
	add interface=ether4-vl2 bridge=br-vl2 disabled=no (id 2 tagged traffic on ether4)
	add interface=ether2-vl10 bridge=br-vl10 disabled=no (id 10 tagged traffic on ether2)
	add interface=ether3-vl10 bridge=br-vl10 disabled=no (id 10 tagged traffic on ether3)
	add interface=ether4-vl10 bridge=br-vl10 disabled=no (id 10 tagged traffic on ether4)
	add interface=ether5 bridge=br-vl10 disabled=no (untagged traffic on ether5)
/ip address
	add address=192.168.0.11/24 interface=br-vl2
	add address=10.10.0.201/24 interface=br-vl130
	add address=10.10.10.1/24 interface=br-vl10

I hope this will give you an idea of how the configuration for VLANs should be made
/Paul

VLAN trunk
7

Paul,

If you add a vlan to an interface that is part of a bridge it does not work. You have to add the vlan to the bridge, at this is my experience in the past. I will do some testing tomorrow.

Also Jesse is only using two interfaces, so your example seems a little over complicated to me.

8

Netrat,
I have done this before, but it might have been a Linux box and not ROS.
Since ROS is Linux it should work. I will setup this config in my lab with v3.
I’ll keep you informed how it works out.
/Paul

9

As I remember with RouterOS my experience was an interface that was part of bridge could not have VLANs. The VLAN had to be assigned to the actual bridge. I could be wrong, but I will test tomorrow. If I’m right maybe you can get around this with a few bridge filter rules…

10

I it’s not working, ten it’s something for Mikrotik developers.
It should work

11

I think your problem is related to mine http://forum.mikrotik.com/t/bridge-filter-does-not-see-tagged-vlan/23821/1

12

what is ‘untagged vlan’? =)

13

Native VLAN

14

Here is the following config I tested with:

/interface vlan
add arp=enabled comment="" disabled=no interface=ether1 mtu=1500 name=vlan100-e1 vlan-id=100

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 name=LAN-bridge priority=0x9000 protocol-mode=rstp transmit-hold-count=6

/interface bridge port
add bridge=LAN-bridge comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 path-cost=10 point-to-point=auto priority=0x80

As soon as I put ether1 into the bridge the assigned VLAN100 stops responding. If I reassign the vlan to the bridge then it works.

15

If an interface is captured by a bridge, then the vlan interface needs to be on the bridge.

16

afaik, ROS have only tagged vlans =)

17



Clause 9 of the standard defines the encapsulation protocol used to multiplex VLANs over a single link, and introduces the concept of a native VLAN. Frames belonging to the native VLAN are not modified when sent over the trunk. Conversely, if an untagged frame is received on a trunk port, the frame is placed into the VLAN that is native to this port. This concept has been introduced to ensure interoperability with older and low-cost devices that do not understand 802.1Q.

For example, if an 802.1Q port has VLANs 2, 3 and 4 assigned to it with VLAN 2 being the Native VLAN, frames on VLAN 2 that egress (exit) the aforementioned port are not given an 802.1Q header (ie., they are plain Ethernet frames). Frames which ingress (enter) this port and have no 802.1Q header are put into VLAN 2. Behaviour of traffic relating to VLANs 3 & 4 is intuitive.

/interface vlan add name=vlan2-e1 vlan-id=2 interface=ether1 disabled=no

Then ether1 would be on the native vlan…

The term native vlan is mostly used with switches.

18

yep, I meant exactly that it is applying to switches, not RouterOS :wink: or tagged, or no vlan =)

19

We were able to get netrat’s first configuration suggestion to work:

put both physical interfaces into the bridge, make the bridge be the interface for the vlan, then give an ip to the vlan (and optionally an ip for untagged management to the bridge)

Thanks for the tip! And if any googlers have similar difficulties I hope this conversation hepps them out. :slight_smile:

    • Jesse Thompson
      Webformix, Bend OR
20

Jesse, glad to hear that you got your configuration to work the way that you like.
This confirm that there is a bug/error in the configuration of bridges and interfaces in ROS.

When I’m doing this on my Debian box I create a bridge for each VLAN I want to use.
This way I can put a physical interface (untagged traffic) into a VLAN (Native VLAN for the interface).

This is my Debian config.

# ip link
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1d:60:2c:d9:bc brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1d:60:2c:d9:bd brd ff:ff:ff:ff:ff:ff
4: tap0: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 500
    link/ether 00:ff:f4:82:94:fd brd ff:ff:ff:ff:ff:ff
5: vlan2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:1d:60:2c:d9:bc brd ff:ff:ff:ff:ff:ff
6: vlan4@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:1d:60:2c:d9:bc brd ff:ff:ff:ff:ff:ff
7: vlan5@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:1d:60:2c:d9:bc brd ff:ff:ff:ff:ff:ff
8: vlan10@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:1d:60:2c:d9:bc brd ff:ff:ff:ff:ff:ff
9: tap2: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 500
    link/ether 00:ff:81:e7:94:60 brd ff:ff:ff:ff:ff:ff
10: tap4: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 500
    link/ether 00:ff:c9:3d:fa:8e brd ff:ff:ff:ff:ff:ff
11: tap5: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 500
    link/ether 00:ff:63:a1:5b:16 brd ff:ff:ff:ff:ff:ff
12: tap50: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 500
    link/ether 00:ff:b8:65:51:c3 brd ff:ff:ff:ff:ff:ff
13: tap10: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 500
    link/ether 00:ff:a8:71:18:b4 brd ff:ff:ff:ff:ff:ff
14: tap100: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 500
    link/ether 00:ff:66:f9:d4:9b brd ff:ff:ff:ff:ff:ff
15: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:1d:60:2c:d9:bc brd ff:ff:ff:ff:ff:ff
16: br2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:1d:60:2c:d9:bc brd ff:ff:ff:ff:ff:ff
17: br4: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:1d:60:2c:d9:bc brd ff:ff:ff:ff:ff:ff
18: br5: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:1d:60:2c:d9:bc brd ff:ff:ff:ff:ff:ff
19: br10: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:1d:60:2c:d9:bc brd ff:ff:ff:ff:ff:ff

~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001d602cd9bc       no              eth0
                                                                    tap0
                                                                    tap100
br10            8000.001d602cd9bc       no             vlan10
                                                                    tap10
br2             8000.001d602cd9bc       no              vlan2
                                                                    tap2
br4             8000.001d602cd9bc       no              vlan4
                                                                    tap4
br5             8000.001d602cd9bc       no              vlan5
                                                                    eth1
                                                                    tap5
                                                                    tap50

In this configuration you can see that the eth1 is part of br5 and the native vlan is vlan5.
The tap interfaces are interfaces for my virtual Mikrotik and virtual servers :slight_smile:

Uldis, I hope you read this, or anyone at Mikrotik, please put some comments about this issue,
/Paul