CRS125-24G-1S VLAN problem

Hello,

I am trying to set up VLANs but I have a strange problem. This is my setup:

/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface bridge port
add bridge=bridge-net interface=ether22
add bridge=bridge-net interface=ether23
add bridge=bridge-net interface=ether24
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
/interface bridge settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12 vlan-ids=100
add bridge=bridge tagged=bridge,ether1,ether2 untagged=ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21 vlan-ids=200
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether2,switch1-cpu vlan-id=100
add tagged-ports=ether1,ether2,switch1-cpu vlan-id=200
/interface ethernet switch egress-vlan-translation
add customer-vid=200 customer-vlan-format=untagged-or-tagged new-customer-vid=0 ports=ether17 service-vlan-format=untagged-or-tagged
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=100 ports=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12
add customer-vid=0 new-customer-vid=200 ports=ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,switch1-cpu vlan-id=100
add ports=ether1,ether2,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,switch1-cpu vlan-id=200
/ip address
add address=192.168.2.1/24 interface=vlan200 network=192.168.2.0
add address=192.168.1.1/24 interface=vlan100 network=192.168.1.0

No matter what, I cannot access the device on port 17, which is a Linux machine. Sometimes it shows up in the FDB with the correct VLAN, and in the ARP list too, but I cannot ping it no matter what I do.
I followed these wikis:
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Port_Based_VLAN
https://wiki.mikrotik.com/wiki/Manual:CRS_Router
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches
But I really don't know what else could be wrong.

Thank you for any help.

1st, I am sure the Mikrotik device is as confused as you are: you have Bridge VLAN and Switch VLAN config on the device.

2nd, you are asking for help, but only posting part of the config.

Decide which way you want to go, and clean up / configure accordingly. There are many posts here which explain both methods of configuring VLANs, as well as the Wiki articles.

OK, I want to have switch VLAN, so the bridge VLAN part is not active, because I do not have VLAN filtering enabled on the bridge. I have been looking in the forum for two days now, but nothing helps, which is why I wrote here.

Remove everything in the /interface bridge vlan and /interface ethernet switch egress-vlan-translation sections as they are redundant. The relevant configuration examples are https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Example_1_.28Trunk_and_Access_ports.29 and https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Tagged

It is difficult to see without the full configuration but there appears to be more than one bridge - on non-CRS devices only one bridge can be hardware accelerated, CRS1xx/2xx devices supposedly can handle multiple hardware-accelerated bridges but I don’t know if they need any additional configuration to operate correctly.

Yes, I already tried that. One more thing: I enabled VLAN filtering on the bridge interface and now I can access the Linux machine and everything seems to work fine, even if I reboot the CRS, but as expected, there is a much bigger CPU hit. The switch way is not working properly, or I missed something. There is only one bridge and all ports are switched together.

If I understand it correctly, VLANs work the bridge way only if I enable VLAN filtering on the bridge … or the switch way if I disable VLAN filtering on the bridge and have everything set up in switch VLAN … is that correct?

This configuration works (I can access my Linux machine on port 17 in VLAN 200):

/interface bridge
add fast-forward=no name=bridge vlan-filtering=yes
add fast-forward=no name=bridge-net
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/ip pool
add name=dhcp_pool0 ranges=192.168.1.21-192.168.1.254
add name=dhcp_pool1 ranges=192.168.2.21-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 always-broadcast=yes disabled=no interface=vlan100 name=dhcp1
add address-pool=dhcp_pool1 always-broadcast=yes disabled=no interface=vlan200 name=dhcp2
/interface bridge port
add bridge=bridge-net interface=ether22
add bridge=bridge-net interface=ether23
add bridge=bridge-net interface=ether24
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3 pvid=100
add bridge=bridge interface=ether4 pvid=100
add bridge=bridge interface=ether5 pvid=100
add bridge=bridge interface=ether6 pvid=100
add bridge=bridge interface=ether7 pvid=100
add bridge=bridge interface=ether8 pvid=100
add bridge=bridge interface=ether9 pvid=100
add bridge=bridge interface=ether10 pvid=100
add bridge=bridge interface=ether11 pvid=100
add bridge=bridge interface=ether12 pvid=100
add bridge=bridge interface=ether13 pvid=200
add bridge=bridge interface=ether14 pvid=200
add bridge=bridge interface=ether15 pvid=200
add bridge=bridge interface=ether16 pvid=200
add bridge=bridge interface=ether17 pvid=200
add bridge=bridge interface=ether18 pvid=200
add bridge=bridge interface=ether19 pvid=200
add bridge=bridge interface=ether20 pvid=200
add bridge=bridge interface=ether21 pvid=200
/interface bridge settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12 vlan-ids=100
add bridge=bridge tagged=bridge,ether1,ether2 untagged=ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21 vlan-ids=200
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether2,switch1-cpu vlan-id=100
add tagged-ports=ether1,ether2,switch1-cpu vlan-id=200
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=100 ports=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12
add customer-vid=0 new-customer-vid=200 ports=ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,switch1-cpu vlan-id=100
add ports=ether1,ether2,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,switch1-cpu vlan-id=200

If I disable VLAN filtering on the bridge, my FDB now fills with MAC addresses and their VLANs, and of course I see my Linux machine on port 17 with its MAC address, but I cannot access it.

Yes. When vlan-filtering=yes the VLAN configuration is made under /interface bridge port and /interface bridge vlan, but when vlan-filtering=no the VLAN configuration is made under /interface ethernet switch …

This is obviously not true as your config. snippet includes bridges “bridge” and “bridge-net”.

Remove everything in the /interface bridge vlan and /interface ethernet switch egress-vlan-translation sections as they are redundant.

Take the advice. Then post the whole config. and stop information hiding.

OK, thank you guys, it was my mistake, I didn't realize that I have two bridges :) After removing the second one and setting up everything in switch VLAN, everything works fine now.
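
The three problems the replies identify (ports spread over two bridges, VLAN tables populated under both /interface bridge vlan and /interface ethernet switch vlan, and leftover egress-vlan-translation rules) can be checked mechanically before a config is applied. The following Python script is an added example, not part of the thread or MikroTik's tooling; the function names and the shortened sample export are constructed for illustration, and it assumes export lines are not wrapped with a trailing backslash.

```python
import re

# Constructed sample: a shortened export shaped like the first config in the thread.
SAMPLE_EXPORT = """\
/interface bridge
add fast-forward=no name=bridge
add fast-forward=no name=bridge-net
/interface bridge port
add bridge=bridge-net interface=ether22
add bridge=bridge interface=ether1
add bridge=bridge interface=ether17
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether17 vlan-ids=200
/interface ethernet switch egress-vlan-translation
add customer-vid=200 new-customer-vid=0 ports=ether17
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=200 ports=ether17
/interface ethernet switch vlan
add ports=ether1,ether17,switch1-cpu vlan-id=200
"""

def parse_export(text):
    """Map each '/section path' to a list of key=value dicts, one per add/set line."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.startswith(("add ", "set ")):
            current.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def audit(text):
    """Return findings for the conflicts the thread's replies point out."""
    s = parse_export(text)
    findings = []
    bridges = sorted({p["bridge"] for p in s.get("/interface bridge port", []) if "bridge" in p})
    if len(bridges) > 1:
        findings.append("multiple bridges have ports: " + ", ".join(bridges))
    # vlan-filtering is absent from an export when it is left at "no".
    filtering = any(b.get("vlan-filtering") == "yes" for b in s.get("/interface bridge", []))
    if s.get("/interface bridge vlan") and s.get("/interface ethernet switch vlan"):
        active = "/interface bridge vlan" if filtering else "/interface ethernet switch vlan"
        findings.append("bridge and switch VLAN tables both populated; vlan-filtering="
                        + ("yes" if filtering else "no") + " means VLANs are configured under " + active)
    if s.get("/interface ethernet switch egress-vlan-translation"):
        findings.append("egress-vlan-translation rules present (called redundant in the thread)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("WARN:", finding)
```

Run it against the output of a full export rather than a snippet, since a second bridge only shows up when every bridge port entry is included.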