dot1q confusion

hi,
after a few hours trying (and failing) to connect my RouterBOARD 962UiGS-5HacT2HnT running 6.45.5 to an L2 managed switch (slm2005) using a trunk port with two vlans, I need to get some help.

Let’s see. This is a home network, and I would like to segment the network because it’s flat and I feel increasingly uncomfortable with all the different kinds of devices that could (potentially) access other devices without me knowing it, so I want to isolate those IoT devices in isolated vlans.

So this is the working setup. A bridged subnet and a guest wifi subnet.

These are the members of the bridged interface:

> /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE     BRIDGE        HW  PVID PR  PATH-COST INTERNA...    HORIZON
 0 I H ;;; defconf
       ether4        bridge        yes    1 0x         10         10       none
 1     wlan1         bridge               1 0x         10         10       none
 2     wlan2         bridge               1 0x         10         10       none
 3   H ether3        bridge        yes    1 0x         10         10       none
 4   H ether2        bridge        yes    1 0x         10         10       none

I want ether2 to be the trunk interface to the L2 switch. Right now it’s disabled, but, obviously, when I try it, the vlan interface is enabled:

> /interface vlan print 
Flags: X - disabled, R - running 
 #   NAME                  MTU ARP             VLAN-ID INTERFACE               
 1 X vlan4                1500 enabled               4 ether2

I also remove the interface from the bridge. The vlan4 interface gets ip 192.168.4.1/24 when the interface is enabled, and I have an address pool and a dhcp server listening on that interface.

On the L2 device I configure the same vlan4 on the uplink port, and set the PVID to 4 on the uplink and another port. When I try renewing a lease on the win10 device on that port, nothing happens, the host gets no ip address.

What am I doing wrong? Any help greatly appreciated.

Can you post output of /interface export?

# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 673706C78CE1
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-onlyg country=\
    netherlands disabled=no distance=indoors frequency=auto frequency-mode=\
    regulatory-domain installation=indoor mode=ap-bridge ssid=2ghz \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-eeeC country=netherlands disabled=no distance=\
    indoors frequency=auto frequency-mode=regulatory-domain installation=\
    indoor mode=ap-bridge ssid=5ghz wireless-protocol=802.11
/interface vlan
add disabled=yes interface=ether2 name=vlan4 vlan-id=4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=gast supplicant-identity=""
/interface wireless
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    xx:xx:xx:xx:xx:xx master-interface=wlan1 multicast-buffering=disabled \
    name=wlan3 security-profile=gast ssid=guest wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5 list=LAN
add interface=ether2 list=LAN

If you wish to use ether4 as a trunk port and any other port as an access port, it is recommended to use bridge-vlan filtering, for example:

  1. Assign bridge ports, set access and trunk ports:
    /interface bridge port
    add bridge=bridge interface=ether2 pvid=10 <<== Access port for VLAN 10
    add bridge=bridge interface=ether3 pvid=20 <<== Access port for VLAN 20
    add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4 <<== Trunk

  2. Configure trunk port/-s
    /interface bridge vlan
    add bridge=bridge tagged=ether4,bridge vlan-ids=10
    add bridge=bridge tagged=ether4 vlan-ids=20
    *) Add the bridge port to “tagged” only if you need L3 functionality from the device in that specific VLAN

  3. Add VLAN interface to the bridge
    /interface vlan add interface=bridge name=vlan10-network vlan-id=10
    *) As mentioned in point 2, only if you require L3 functionality from the device (for example, on a switch you would not need IP access to the device on each VLAN, but rather only on one, the management VLAN)

  4. Enable vlan-filtering (this should be done last, as doing it first can lock you out of the device)
    /interface bridge set [find where name=bridge] vlan-filtering=yes

That’s it. Now simply add an IP address to the VLAN interface and configure any service required on it (like separate DHCP servers, etc.). Make sure to adjust firewall filter and NAT settings.

You can find more about common L2 misconfigurations here: https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration
Or more about bridge-vlan filtering and scenarios here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering
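As an added example (not part of this thread and not RouterOS code), a small Python lint that parses a /export like the one posted above and flags the layouts the steps above rule out: a VLAN interface hanging off a port that is also a bridge member (the first post's setup), a VLAN interface on the bridge without the bridge in "tagged" for that VLAN, and a bridge vlan table configured while vlan-filtering is still off. The embedded export excerpt is constructed to mirror the first post.

```python
"""Constructed lint for the bridge-VLAN mistakes discussed in this thread; not RouterOS's or the posters' code."""
import shlex

# Constructed excerpt mirroring the first post: vlan4 hangs off ether2, which is also a bridge member.
OP_EXPORT = """\
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface vlan
add disabled=yes interface=ether2 name=vlan4 vlan-id=4
/interface bridge port
add bridge=bridge interface=ether2
"""

def parse_export(text):
    """Group 'add ...' lines under their /path section as key=value dicts. Export wraps long
    lines with a trailing backslash; pieces are joined without a space (the break may follow '=')."""
    entries, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(w.split("=", 1) for w in shlex.split(line)[1:] if "=" in w)
            entries.setdefault(section, []).append(kv)
    return entries

def check_vlan_layout(entries):
    """Return findings as strings; an empty list means the layout is consistent."""
    findings = []
    bridges = {b["name"]: b for b in entries.get("/interface bridge", [])}
    ports = {p["interface"] for p in entries.get("/interface bridge port", [])}
    tagged = {}  # vlan id -> interfaces listed as tagged for it (comma lists; ranges not handled)
    for row in entries.get("/interface bridge vlan", []):
        for vid in map(int, row["vlan-ids"].split(",")):
            tagged.setdefault(vid, set()).update(row.get("tagged", "").split(","))
    for v in entries.get("/interface vlan", []):
        parent, vid = v["interface"], int(v["vlan-id"])
        if parent in ports:  # the first post's layout: VLAN interface on a bridge member port
            findings.append(f"{v['name']}: {parent} is a bridge port; move the VLAN interface onto the bridge")
        elif parent in bridges and parent not in tagged.get(vid, set()):
            findings.append(f"{v['name']}: {parent} is not tagged for VLAN {vid} in /interface bridge vlan")
    for b in bridges.values():  # a bridge vlan table has no effect until filtering is switched on
        if tagged and b.get("vlan-filtering", "no") != "yes":
            findings.append(f"{b['name']}: bridge vlan table configured but vlan-filtering is not yes")
    return findings
```

Running check_vlan_layout(parse_export(OP_EXPORT)) reports only the vlan4-on-ether2 finding; the same lint on the layout from the four steps above returns an empty list.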

Actually the better reference with examples is this thread.
Follow it and you will be on the path to success!!

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1