ethernet port with tagged AND untagged traffic - SOLVED

beb · June 24, 2014, 4:10am

I am connecting an access point to an RB2011 with RouterOS 5.22 using VLANs to separate traffic from different SSIDs.

I’ve started with

/interface bridge port
	add interface=ether1           bridge=bridge-secure

which works fine, but obviously not for VLANs.

Then created VLANs and bridged those:

    /interface vlan
        add interface=ether1 vlan=10 name=vlan-10-unsecure
        add interface=ether1 vlan=20 name=vlan-20-secure
        add interface=ether1 vlan=50 name=vlan-50-guest
    /interface bridge port
	add interface=ether1           bridge=bridge-secure
        add interface=vlan-10-unsecure bridge=bridge-unsecure
        add interface=vlan-20-secure   bridge=bridge-secure
        add interface=vlan-50-guest    bridge=bridge-guest

Problem: once I add the VLANs, untagged traffic is no longer bridged to bridge-secure. The access point is using untagged traffic to get a DHCP address from the router (and who knows what else). Anyway, it’s not working if the router ignores untagged traffic. I know since I have a different access point (with other shortcomings) that allows me to set a vlan for management traffic, then all works (after removing the line “add interface=ether1 bridge=bridge-secure”).

Summary: how do I bridge both tagged and untagged traffic on ether1?

I’ve configured a DHCP server for each bridge (works fine).

leonset · June 24, 2014, 8:15am

I would suggest you to try an updated ROS version… sometimes they solve issues and do not mention it in the changelog.

beb · June 24, 2014, 2:21pm

I understand what you are saying. But V6 changed qos, and I rather keep my current qos setup unless I know the change really fixes my problem.

beb · June 24, 2014, 4:47pm

To reformulate the problem more concisely: I want a secure and unsecure (guest) wifi on my access point.

For this, I connected the wireless access point to bridge-unsecure on port ether1 without any VLAN traffic. This part works.

In addition, the access point sends tagged traffic (vlan-id=20). How do I “connect” this traffic to bridge-secure?

(I’ve setup up bridges bridge-unsecure and bridge-secure with dhcp and all, this part works fine).

All help is most gratefully appreciated!

beb · June 25, 2014, 3:10am

I’m adding my configuration. The first part just sets up two bridges with dhcp. The second part bridges ether1 to bridge-usecure, and sets up VLAN 20 on ether1 and bridges that to bridge-secure to route tagged traffic to the secure bridge. Untagged traffic gets to bridge-secure. Torch shows both untagged and tagged traffic, but tagged traffic “gets lost” and clients do not even get an IP address from the DHCP server.

Mikrotik Router Configuration RB2011

############################################################################################

Bridges & DHCP

/interface bridge
add name=bridge-unsecure disabled=no
add name=bridge-secure disabled=no

/ip pool
add name=pool-unsecure ranges=192.168.10.200-192.168.10.249
add name=pool-secure ranges=192.168.20.200-192.168.20.249

/ip address
add address=192.168.10.1/24 interface=bridge-unsecure
add address=192.168.20.1/24 interface=bridge-secure

/ip dhcp-server
add interface=bridge-unsecure name=dhcp-unsecure lease-time=1h disabled=no address-pool=pool-unsecure
add interface=bridge-secure name=dhcp-secure lease-time=1h disabled=no address-pool=pool-secure

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

############################################################################################

Ethernet

/interface ethernet
set 0 disabled=yes
set 1 name=ether1 master-port=none

SUPPOSED TO ROUTE TAGGED TRAFFIC ON ether1 - APPARENT DOES NOT

/interface vlan
add interface=ether1 vlan=20 name=vlan-20-secure

/interface bridge port

DOES NOT PASS TRAFFIC

add interface=vlan-20-secure   bridge=bridge-secure

PASSES (UNTAGGED) TRAFFIC

add interface=ether1           bridge=bridge-unsecureIf upgrading to ROS 6 really solves the problem I will try to do that. But I am concerned about what it breaks. At least qos.

I will be eternally grateful for your help!

beb · June 26, 2014, 1:01am

I bit the bullet and upgraded to V6: now indeed it’s working!!! Should have listened right away …
(but the upgrade did break quite a few things and took me several hours to fix - not sure I’m done yet).

beb · June 26, 2014, 1:01am

I bit the bullet and upgraded to V6: now indeed it’s working!!! Should have listened right away …
(but the upgrade did break quite a few things and took me several hours to fix - not sure I’m done yet).

jkarras · June 26, 2014, 3:09am

You should be able to now move your config away from bridges to just using the switch chip for VLAN tagging. This will speed up any L2 communications on your device.

beb · June 26, 2014, 4:21am

Not sure how to do this, or if it’s even possible: I’m using a firewall to regulate traffic between bridges: traffic can pass between some, not others, and it also depends on the service called.

jkarras · June 26, 2014, 4:35am

If your regulating the traffic via L2 bridge firewall rules then that make sense. If you are doing it at L3 which is what I assumed looking at the small config snip then you could move away from the bridges. That said it would probably only benefit you use multiple ports on your RB2011 to connect to upstream devices that may use the VLANs. This way any L2 switching would stay on the switch chip and not need to traverse the CPU thus freeing up CPU time and BW to the CPU.

If you don’t need to utilize the switch then removing the bridges will likely only free up CPU time because there would be fewer steps in the packet processing.

See this wiki article on configuring the switch chip.

http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Example_-_802.1Q_Trunking_with_Atheros_switch_chip_in_RouterOS_v6