Client connected to ROAS inaccessible

Wondering if I’m doing something wrong. No devices can communicate with PC2. PC1, Bridge and Router can all communicate on all VLANs 10, 20 and 30.

I reviewed multiple configurations (I searched most of Google) and could not find a setup that shows a client connected to the Router (Router-on-a-stick).
I’m wondering if this is an invalid configuration at multiple levels.

Physical equipment, Bridge is RB4011 RouterOS 6.46.4 and Router is CCR1009 RouterOS 6.47.
Sniffer traces show PC1, Bridge and Router all know PC2 MAC address.
PC2 is connected on Router interface E2, access vlan10

Sniffer traces show traffic from PC2 is received on the Router interface E2 but no response from any device.

If PC2 is connected on a Bridge interface in access vlan10, all works as expected.

Thanks for looking!!
Frank
Topology:
PC1-------vlan10-------Bridge-------trunk------Router------vlan10------PC2

Bridge:
/interface bridge
add name=BR1 pvid=30 vlan-filtering=yes

/interface vlan
add interface=BR1 name=MGT vlan-id=30

/interface bridge port
add bridge=BR1 interface=E4
add bridge=BR1 interface=E2 pvid=10
add bridge=BR1 interface=E3 pvid=20

/interface bridge vlan
add bridge=BR1 tagged=E4 untagged=E2 vlan-ids=10
add bridge=BR1 tagged=E4 untagged=E3 vlan-ids=20
add bridge=BR1 tagged=BR1,E4 vlan-ids=30

/ip address
add address=192.168.0.46/28 interface=MGT network=192.168.0.32

/ip route
add distance=1 gateway=192.168.0.33

/system identity
set name=L2-Bridge


ROUTER:
/interface bridge
add name=BR1 pvid=30 vlan-filtering=yes

/interface vlan
add interface=E4 name=MGT_30 vlan-id=30
add interface=E4 name=VLAN10 vlan-id=10
add interface=E4 name=VLAN20 vlan-id=20

/interface bridge port
add bridge=BR1 interface=E4
add bridge=BR1 interface=E2 pvid=10
add bridge=BR1 interface=E3 pvid=20

/interface bridge vlan
add bridge=BR1 tagged=E4 untagged=E2 vlan-ids=10
add bridge=BR1 tagged=E4 untagged=E3 vlan-ids=20
add bridge=BR1 tagged=E4,BR1 vlan-ids=30

/ip address
add address=192.168.0.1/28 interface=VLAN10 network=192.168.0.0
add address=192.168.0.17/28 interface=VLAN20 network=192.168.0.16
add address=192.168.0.33/28 interface=MGT_30 network=192.168.0.32

/system identity
set name=MK-RB1

You have several bits of logical nonsense in the configuration:

  • on both devices, you’ve set pvid=30 on the CPU-facing port of the bridge, but at the same time you’ve put that port to the tagged list for the bridge for vlan-ids=30 in /interface bridge vlan and created an /interface vlan for vlan-id=30.

So either keep pvid=30 on the bridge, but in that case, the row in /interface bridge vlan must say bridge=BR1 tagged=E4 untagged=BR1 vlan-ids=30, the /ip address row for address=192.168.0.32/28 must be attached to the bridge itself, and the /interface vlan for vlan-id=30 must be removed.

Or set the pvid of the bridge back to the default value of 1 and keep the rest as is.

  • to make the /interface vlan named VLAN10 and VLAN20 actually talk to the bridge, you have to add BR1 to the tagged list also on the rows with vlan-ids=10 and vlan-ids=20.

But none of the above should explain why PC1 cannot see PC2, as VLAN 10 seems to be configured properly at both devices for the purpose of L2 transparency.

Have a look at this post regarding the ambiguous meaning of “bridge”.
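The two bullet points above can be checked mechanically against an export. The following is an added example, not MikroTik code and not something either poster used: a small Python linter that parses the "/section" + "add key=value" shape of a RouterOS export and reports (a) a bridge pvid other than 1 that is also on the bridge's tagged list or carries an /interface vlan, or is missing from the untagged list, and (b) an /interface vlan sitting on the bridge whose VLAN id does not have the bridge on its tagged list. The sample export is constructed from the ROUTER configuration in the thread, with the /interface vlan rows assumed to be attached to BR1 (the page's export has them on E4); the "fixed" variant applies the second option (pvid back to 1) plus BR1 on the tagged rows for VLAN 10 and 20.

```python
"""Lint a RouterOS bridge-VLAN export for the two inconsistencies discussed above.
Added example; it is not MikroTik tooling and only understands the
"/section" followed by "add key=value ..." layout shown in the thread."""
import re
from collections import defaultdict

# Constructed sample modelled on the ROUTER export in the thread. The
# /interface vlan rows are assumed to sit on BR1 for this example.
BROKEN_EXPORT = """
/interface bridge
add name=BR1 pvid=30 vlan-filtering=yes
/interface vlan
add interface=BR1 name=MGT_30 vlan-id=30
add interface=BR1 name=VLAN10 vlan-id=10
add interface=BR1 name=VLAN20 vlan-id=20
/interface bridge port
add bridge=BR1 interface=E4
add bridge=BR1 interface=E2 pvid=10
add bridge=BR1 interface=E3 pvid=20
/interface bridge vlan
add bridge=BR1 tagged=E4 untagged=E2 vlan-ids=10
add bridge=BR1 tagged=E4 untagged=E3 vlan-ids=20
add bridge=BR1 tagged=E4,BR1 vlan-ids=30
"""

# Same device after the second option above: bridge pvid back to 1, and BR1
# added to the tagged list for VLAN 10 and VLAN 20. (Only the bridge row
# carries "pvid=30", so the replace does not touch the port rows.)
FIXED_EXPORT = (
    BROKEN_EXPORT.replace("pvid=30", "pvid=1")
    .replace("tagged=E4 untagged=E2", "tagged=E4,BR1 untagged=E2")
    .replace("tagged=E4 untagged=E3", "tagged=E4,BR1 untagged=E3")
)


def parse_export(text):
    """Group 'add'/'set' rows under their '/section' header as key=value dicts."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            continue
        m = re.match(r"(?:add|set)\s+(.*)", line)
        if current is None or not m:
            continue
        sections[current].append(dict(re.findall(r"([\w-]+)=(\S+)", m.group(1))))
    return sections


def _members(row, key):
    """Comma-separated interface list -> set ('E4,BR1' -> {'E4', 'BR1'})."""
    return set(filter(None, row.get(key, "").split(",")))


def _vlan_ids(row):
    """vlan-ids as a set of strings; plain lists only, ranges are not expanded."""
    return set(filter(None, row.get("vlan-ids", "").split(",")))


def lint_bridge_vlans(cfg):
    """Return (rule, bridge, vlan-id) tuples for every vlan-filtering bridge."""
    findings = []
    for br in cfg.get("/interface bridge", []):
        name, pvid = br.get("name"), br.get("pvid", "1")
        if br.get("vlan-filtering") != "yes":
            continue  # the rules below only matter once filtering is on
        tagged, untagged = set(), set()
        for row in cfg.get("/interface bridge vlan", []):
            if row.get("bridge") != name:
                continue
            if name in _members(row, "tagged"):
                tagged |= _vlan_ids(row)
            if name in _members(row, "untagged"):
                untagged |= _vlan_ids(row)
        vlan_ifaces = {v["vlan-id"]: v["name"] for v in cfg.get("/interface vlan", [])
                       if v.get("interface") == name and "vlan-id" in v}
        # Rule 1: a non-default pvid means the CPU-facing port takes that VLAN
        # untagged, so it cannot also be tagged for it or carry an /interface
        # vlan for it, and the bridge must appear on that VLAN's untagged list.
        if pvid != "1":
            if pvid in tagged:
                findings.append(("pvid-also-tagged", name, pvid))
            if pvid in vlan_ifaces:
                findings.append(("pvid-has-vlan-interface", name, pvid))
            if pvid not in untagged:
                findings.append(("pvid-not-untagged", name, pvid))
        # Rule 2: an /interface vlan on the bridge only receives frames if the
        # bridge itself is on the tagged list for that VLAN id.
        for vid in sorted(vlan_ifaces):
            if vid not in tagged:
                findings.append(("vlan-interface-not-tagged", name, vid))
    return findings


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(label, lint_bridge_vlans(parse_export(export)))
```

Running it prints five findings for the constructed export (three about pvid 30, two about VLAN10 and VLAN20 lacking BR1 on their tagged rows) and none for the fixed variant; paste a real `/export` into `BROKEN_EXPORT` to check your own device before touching the live configuration.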

As a side note in case anyone wants to compare physical equipment with virtual infrastructure.
I put these configurations into Oracle VirtualBox and VMware Workstation Pro 14.

MikroTik Cloud Hosted Router (CHR) in Oracle VirtualBox 6.1 did not work. I tried multiple Oracle VirtualBox NIC drivers and still no go. Basically, PC1 traffic reaches the router via the Bridge/Router E4 trunk interface with the correct .1q tag. The router forwards the reply out the E4 trunk interface; sniffer traces show this transaction. The Bridge never sees the return traffic from the Router. Not sure where the traffic went, but the sniffer running on the Bridge never sees it. Strange thing though, the Router and Bridge do see CDP, LLDP, MNDP, and other neighbor-related hellos from each other.

MikroTik Cloud Hosted Router (CHR) in VMware Workstation Pro 14 experienced the same results as the physical equipment in the message above.

CHR RouterOS ver 6.47.10

OK Thanks, I just changed the Bridge (BR1) back to pvid=1
AND I added the bridge (BR1) to the tagged list for VLAN10 and VLAN20.

Note: All devices can ping the bridge (BR1, 192.168.0.46) whether or not the bridge is added to the tagged VLANs VLAN10 or VLAN20, and whether the bridge (BR1) is assigned pvid=30 or 1. No communication changes with these edits at this point.

BTW, MikroTik's Wiki documents provided these configurations. Strange thing is, the MikroTik author expresses great sadness that most people configure their devices incorrectly, not realizing most folks are following their instructions. It is very strange they are confused as to why. LOL

I’ll look over your link, hopefully a fix!!!
Thanks
Frank

Regarding trouble with bridging on virtualization platforms, it’s a separate can of worms, see this post and some details in the subsequent discussion. Also tagged frames must be explicitly permitted on some virtualization platforms.