cant figure out how to make management vlan have the same ip as bridge

sky4 · December 23, 2021, 6:14am

hi this is my config on hex s

interface bridge add admin-mac=08:55:31:BB:8D:5no
auto-mac=no comment=defconf name=bridge protocol-mode=mstp vlan-filtering=yes
/interface vlan add interface=bridge name=vlan30 vlan-id=30
/interface vlan add interface=bridge name=vlan40 vlan-id=40
/interface vlan add interface=ether1 name=vlan835 vlan-id=835
/interface pppoe-client add add-default-route=yes disabled=no interface=vlan835 name=pppoe-out user=x

/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip address add address=192.168.0.1/24 interface=vlan30 network=192.168.0.0
/ip address add address=192.168.4.1/24 interface=vlan40 network=192.168.4.0

/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.253
/ip pool add name=pool30 ranges=192.168.0.2-192.168.0.254
/ip pool add name=pool40 ranges=192.168.4.2-192.168.4.254

/ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server add address-pool=pool30 interface=vlan30 name=server30
/ip dhcp-server add address-pool=pool40 interface=vlan40 name=server40

/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3 pvid=30
/interface bridge port add bridge=bridge comment=defconf interface=ether4 pvid=40
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether5

/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=30
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=40
/interface list member add comment=defconf interface=pppoe-out list=WAN

/ip service set winbox address=192.168.88.254/32

/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

now i would like ether 2 and ether 5 to act like ether 3,4 but on a different vlan (10), change bridge pvid to 10, enable allow only untagged and priority tagged and have vlan 10 ip 88.x

i thoight about running these commands

/interface vlan add interface=bridge name=vlan10 vlan-id=10
/interface bridge port add bridge=bridge comment=defconf interface=ether2 pvid=10
/interface bridge port add bridge=bridge comment=defconf interface=ether5 pvid=10
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=10

but i dont get how i should change

/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

to have that address on vlan10

anav · December 23, 2021, 11:48am

Okay you are all over the map and mixing up a few things and it stems from unclear requirements or ones that are very confusing.
Suggest read this article…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

easiest thing to do is move the subnet OFF the bridge (just let it do bridging) and use another vlan instead…

In terms of requirements, think of them as use cases.
Determine the users/devices or groups of users/devices that need to be able to do tasks (talk to a printer, reach the internet etc).
Once those are all clear in your mind, then a configuration will be much easier.

sky4 · December 24, 2021, 7:38am

i forgot to say that i did read that article, in fact im trying to follow the third post
Router-Switch-AP (all in one)

the base VLAN ip of Router-Switch-AP (all in one)

/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN

and thats what im trying to do with ether2 and 5

as soon as i change

/ip address add address=192.168.88.1/24 interface=bridge network=192.168.88.0

to

/ip address add address=192.168.88.1/24 interface=vlan10 network=192.168.88.0

i get locked out

mkx · December 24, 2021, 2:33pm

If you’re connecting via IP (webfig, ordinary winbox, ssh, …), then moving IP address from one interface (bridge) to another (vlan10) will brwak connection for sure. If, OTOH, you connect via MAC (winbox where you click device’s MAC address), the management connection should survive changes in IP layer. No guarantee for survival of L2 changes though (those include enabling vlan-filtering on bridge).
A bit more sensible approach would be to create additional IP subnet on vlan10 interface (complete with DHCP server & co.) and only when you’re able to establish management connection over that subnet you drop old subnet from bridge. Nothing is forcing you to use 192.168.88.0/24 subnet in your LAN, you know?

sky4 · December 24, 2021, 5:02pm

sounds right… id like to access the router via its ip, so i i believe i need to type 192.168.88.1 in winbox
im doing some tests on a hap ac2 i had laying around. my pc is the only connected device
im trying to setup ether5 for winbox access but its not even getting ip via dhcp with the following config as soon as I enable VLAN filtering, set bridge PVID = 10 and enable ingress filtering (GUI). I also tried to set an ip manually (192.168.1.x) while connected to ether5 but i still cant connect to winbox

[admin@MikroTik] > /export terse
# RouterOS 7.1
/interface bridge add admin-mac=x auto-mac=no comment=defconf name=bridge

/interface bridge port add bridge=bridge comment=defconf interface=ether5

/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=VLAN

/interface vlan add interface=bridge name=vlan10 vlan-id=10

/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip address add address=192.168.1.1/24 interface=vlan10 network=192.168.1.0

/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254

/ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server add address-pool=dhcp_pool1 interface=vlan10 name=dhcp1

/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=10
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=vlan10 list=VLAN

/ip dhcp-client add comment=defconf interface=ether1

/ip dhcp-server network add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input in-interface=vlan10
/ip firewall filter add action=accept chain=input in-interface-list=VLAN
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-l
ist=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
[admin@MikroTik] >

im thinking its because as soon as i enable vlan filtering the bridge pvid=10 setting wont apply or am i missing something else?

Sob · December 24, 2021, 6:17pm

If you have ether5 as untagged member of vlan 10, then ether5 as bridge port should have pvid=10.

anav · December 24, 2021, 6:52pm

What I typically recommend,
is take an unused etherport let say ether5
rename it ether5-access
Remove ether5 from the bridge
add ether5-access to the LAN interface list as a member
give ether5-access an IP address of 192.168.5.2 network 192.168.5.0

Then setup your pc/laptop with ivp4 fixed of 192.168.5.5 with gateway of 192.168.5.1 and netmask 255.255.255.0
and you should then be able to access the router, and config the router regardless of what happens on the bridge…

(assumes LAN users have full access to the router via the input chain)

sky4 · December 25, 2021, 10:30am

thank you all for helping, everythings working now