I’m really struggling with the ‘new’ VLAN implementation on my CRS328s. My devices are RB4011<–>CRS328<–>CRS328. I have them joined using 10GbE DACs.
I have a DHCP server set up on the RB on VLAN200. I’ve then added the correct 10GbE ports to the bridge, added port 200 to the VLAN table. I’ve then configured ether1 on each CRS by adding the port to the bridges and adding it as untagged on VLAN200. If I then connect a machine to ether1 on either switch I get an IP and can ping the RB. All great so far!
Where it all goes wrong is with the management port.
However, when I do this I can never get to this IP. I’ve tried putting a DHCP client on this interface and it doesn’t work either. However, if I put a DHCP client on the SFP port it does. However, this is only accessible from that ‘side’ of the bridge so I can’t use it for management.
Any ideas what I’m doing wrong? Looked at it so long I’m obviously missing something obvious but can’t see the wood for the trees.
Thank you.
‘Middle’ CRS config - 10.200.0.10 not reachable from other devices
Can anyone even give me a vote of confidence that my config looks roughly correct? Bit of a noob with Mikrotik so could be an obvious problem on my part.
I’m starting to think it’s a software bug not passing the VLANs to the CPU. I’ve disabled HW offloading and still get the same issue.
When configuring bridge with vlan-filtering=yes physical interfaces should be (tagged or untagged) members of said bridge … VLAN interfaces should then be anchored to bridge interface, not to bridge ports. In your case you should remove definition of vlan200-garageswitch and vlan200-mainrouter vlan interfaces. Remove excess DHCP clients as well.
Just to mention: it seems that sometimes after numerous reconfigurations some config gets mangled and device doesn’t perform according to visible configuration. The cure is to reset device to default config and re-apply custom setup (exporting config before reset helps the process).
I have done many many many resets! But a good reminder regardless.
I had tried with and without the VLAN interfaces on the bridge ports but still no luck. I guess I just had them there at this point for easy troubleshooting. What is odd is that when there is no bridge these port interfaces work as I expect, which at least helps me confirm the config on my router linking in to this switch is correct. However, when I enable the VLAN interfaces on the bridge they do nothing. Won’t work for DHCP client and can’t ping out if an IP is manually assigned either.
At present I have gone with the workaround of setting the PVID on the bridge and applying the IP address directly to the bridge. This works fine but limits me to only having an IP on one VLAN.
I should then be able to ping to/from this interface over the trunk port?
PS the trunk ports work fine. They will correctly bridge traffic between the trunk ports and will also remove the vlan tags on access ports as expected. I just can’t get a management interface.
OK, done another complete reset and started again, this time trunking port 10.
This time, 3 configs:
No1. VLAN10 interface on the port, no bridge. IP address applied to the VLAN interface. - This works as expected. Can ping the router.
No2. VLAN10 interface on the bridge instead of the port. IP address still applied to the VLAN interface. - This DOES NOT work as expected. Cannot ping the router.
No3. No VLAN10 interface. PVID changed to 10 on the bridge. IP address applied to the bridge. - This also works as expected. Can ping the router.
I’m starting to get more confident this is a software issue, but being a noob I would still like some other opinions on this. Tried software from all 4 release channels today with essentially the same behaviour on each. I also swapped the CRS328s around and tried a second brand new one. Still the same behaviour.
For the sake of my sanity, someone please confirm if I have this correct? Thank you.
What you’re missing in all setups is to add bridge1 interface as either tagged or untagged member of corresponding VLAN (just the way its done with physical interfaces).
It works when bridge1 interface is untagged member of a vlan (i.e. when it has pvid set) because untagged ports are added to the list of member ports implicitly… but you have to add tagged ports explicitly.
In MT world, bridge (as software entity) has two personalities:
switch-like personality
This is the personality one probably has in mind when creating a bridge. It, very much like a switch, spans member ports. Setting vlan-filtering to yes makes the bridge VLAN-aware.
interface
This personality gets created automatically, so it’s not obvious. It is there for ROS, run by the main CPU, to interact with bridge-connected networks … kind of a CPU gateway to networks connected to the bridge (switch-like personality).
It’s this personality in play whenever the bridge is used where a physical (or virtual) interface would be used (e.g. it has an address set, it’s used as an anchor for VLAN interfaces, a DHCP server is bound, etc.).
In the example setup you posted it’s personality #1 referred to in the bridge=bridge1 part and personality #2 is referred to in the list of (tagged) interface members of the VLAN with the specified VID.
If bridge passes multiple VLANs between member ports (e.g. it’s used as an ethernet switch) and device only has to interact with a few (e.g. management VLAN of a switch or it needs to perform routing for that VLAN), bridge interface needs to be member of only those select VLANs. Which makes device more secure.
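The point made in this answer, as a worked RouterOS export added here as an example (it is not taken from the thread or from the poster's config). Interface names (bridge1, sfp-sfpplus1/2, ether1, vlan200-mgmt), the VIDs and the 10.200.0.10/24 address are assumptions chosen to match the thread's description; adjust them to the real port names on your CRS328.

```routeros
# Added example, not from the original thread. One CRS328 in the middle of
# RB4011 <-> CRS328 <-> CRS328, with VLAN 200 used for management.
# Assumed names: bridge1, sfp-sfpplus1/2 (trunks), ether1 (access), vlan200-mgmt.

/interface bridge
# create the bridge with filtering OFF first; turn it on as the last step
add name=bridge1 vlan-filtering=no

/interface bridge port
# trunk uplinks towards the RB4011 and the other CRS328
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
# access port: untagged in VLAN 200, so its PVID is 200
add bridge=bridge1 interface=ether1 pvid=200

/interface bridge vlan
# BROKEN (the poster's "No2" case): bridge1 is not a member of VID 200, so
# tagged 200 frames are switched between the trunks but never reach the CPU;
# a VLAN interface on bridge1 then gets no traffic and DHCP client fails.
# add bridge=bridge1 vids=200 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1
#
# FIXED: bridge1 (the "interface personality") listed as a TAGGED member.
add bridge=bridge1 vids=200 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether1
# a VLAN the switch only forwards and never needs to talk on: leave bridge1
# out of the member list, so the CPU is not reachable from that network
add bridge=bridge1 vids=10 tagged=sfp-sfpplus1,sfp-sfpplus2

/interface vlan
# management VLAN interface anchored on the bridge, NOT on a bridge port
add name=vlan200-mgmt interface=bridge1 vid=200

/ip address
add address=10.200.0.10/24 interface=vlan200-mgmt

/interface bridge
# enable filtering last, ideally from a console session or in safe mode
# (Ctrl-X in the terminal), so a typo cannot lock you out of the switch
set bridge1 vlan-filtering=yes

# check: VID 200 must list bridge1 under "tagged"; VID 10 must not
/interface bridge vlan print
```

With this in place the address on vlan200-mgmt is reachable over either trunk, while VID 10 still passes between the trunks without the switch's CPU ever being a member of it, which is the exposure-limiting point of the last paragraph above.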
Thank you Metod, a useful explanation that I’m sure will help others too. I wish this was included in the wiki.
The learning curve with Mikrotik really is steep. Some good hardware at a great price but losing time on challenges like this make it a tough entry point.