From VLANs "old way" to "new way" (VLAN Filtering) - WINBOX IP Neighbor list problems and RoMon issue.

Hello Mikrotik Community.
My friend's hotel has a network based on Mikrotik devices and one dlink switch. He asked me for help.
The network was configured 10 years ago in “old way”. Basically the whole network is divided into 2 vlans:
VLAN10 - 192.168.0.0/24 - Office Lan. Printers, computers, server etc. PLUS Mikrotik devices get also dynamic IP from DHCP from this network. They are accessible from office network and you can login and configure them.
VLAN20 - 10.0.0.0/23 - For hotel guests only
There are always two bridges on each device with correct vlans added to “TRUNK” physical interfaces and then to the correct bridges.

There are also two buildings connected with RBDynaDishG-5HacDr3.

This is a hardware diagram:

  • Main UNIT - CCR1016-12G - with two Bridges with DHCP Servers for VLAN10 (192.168.0.0/24) and VLAN20 (10.0.0.0/23)
    Connected to main UNIT:
    —> 1) CRS125-24G-1S-2Hnd ( office area)
    —> 2) CRS125-24G-1S-2Hnd (reception)
    —> 3) RBDynaDishG-5HacDr3 (other building)

Then, again to “TRUNK” ports in the above units (with two vlans added to the physical interface), the access points are connected, for guests and office wi-fi:
Office Area
1.1) 3 x RBwAP2nDr2
1.2) 2 x RBcAP2n
1.3) 1x RB Groove A-52Hn

Reception
2.1) 3x RBcAP2n
2.2) 3 x RBwAP2nDr2

3.1) WLAN connection between two buildings. The other building RBDynadish is plugged into dlink dwr 921 switch which forwards tagged vlans to another set of access points (10x RBcAP2n)

Steps made:

  1. I upgraded RouterOS and firmware in each device to version 6.47.1 (no problems)
  2. Main Unit reconfiguration. I replaced the Bridge20 (for guest network) for VLAN20 which I added to main Bridge. DHCP server for network 10.0.0.0/23 is working (no problem)
  3. I added VLANS in Bridge menu - Tagged 10 and Tagged 20 on TRUNK ports (no problems)
  4. I turned on the VLAN Filtering with PVID 10 on Bridge (no problem)

I got VLAN10 and VLAN20 transferred to other devices connected to main unit. Then I started to configure all the devices in this scheme: Main Bridge with PVID10 and DHCP client and then Access Ports with PVID10 for office machines and TRUNK PORTS to access points for Wi-FI (also with two vlans). It is working - the end devices get their IP and have internet access BUT:

Here are the problems:

  1. When I change the configuration on any device from “old way” to VLAN Filtering way, the bridge on this device gets an IP from DHCP (office network 192…) but the device disappears from WINBOX IP/Neighbor discovery. When it disappears from the WINBOX neighbor list I can check the device IP from the DHCP Lease Table in the main unit or by logging in to the device it is physically connected to by cable. But a strange thing: I can see the IP address and Identity of the device but I CAN’T see OS version, Board and UPTIME (the uptime is 00:00:00). The device is reachable but it would be great if it showed on the winbox neighbors list. Something is blocked, I guess.

To ease my life I turned on the RoMon service on each device. I can see the devices but only the ones in one building. The devices behind the dlink switch (other building) are not shown in RoMON discovery so again I must check their IPs (they are in the DHCP Lease Table on the main UNIT) and then connect via RoMON. Then I can see all the devices in RoMon discovery connected to the dlink switch in the other building.

Thank you for your interest. I don’t have professional knowledge. I am at this point only thanks to mikrotik wiki docs. But I’m stuck. Any help will be appreciated. The main point is to get the same working scenario but with VLAN Filtering ON on every device's bridge.
Regards
Luke

If you have changed the bridge PVID to 10 you almost certainly don’t need an interface for VLAN 10 too. Post the output of /export hide-sensitive and redact any other identifying data (e.g. public IPs).

Thanks! Hope I got all necessary data:
MAIN UNIT:

/interface bridge
add arp=proxy-arp fast-forward=no name=Bridge_T1_vlan10 pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=00:23:F8:09:24:89 name=WAN speed=100Mbps
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether2-SERWIS speed=100Mbps
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether3-10 speed=100Mbps
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether4-10 speed=100Mbps
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether5-10 speed=100Mbps
set [ find default-name=ether6 ] name=ether6-20 speed=100Mbps
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether7-SERWER speed=100Mbps
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether8-TRUNK speed=100Mbps
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether9-TRUNK speed=100Mbps
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether10-TRUNK speed=100Mbps
set [ find default-name=ether11 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether11-TRUNK speed=100Mbps
set [ find default-name=ether12 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether12-WOLNY speed=100Mbps

/interface vlan
add interface=Bridge_T1_vlan10 name=VLAN20 vlan-id=20

/ip pool
add name=T1 ranges=192.168.0.2-192.168.0.230
add name=G1 ranges=10.0.1.2-10.0.1.253

/ip dhcp-server
add address-pool=T1 authoritative=after-2sec-delay disabled=no interface=Bridge_T1_vlan10 lease-time=1d name=B
/ip pool
add name=G next-pool=G1 ranges=10.0.0.2-10.0.0.253
/ip dhcp-server
add address-pool=G authoritative=after-2sec-delay disabled=no interface=VLAN20 lease-time=12h name=G

/interface bridge port
add bridge=Bridge_T1_vlan10 interface=ether3-10 pvid=10
add bridge=Bridge_T1_vlan10 interface=ether4-10 pvid=10
add bridge=Bridge_T1_vlan10 interface=ether5-10 pvid=10
add bridge=Bridge_T1_vlan10 interface=ether6-20 pvid=20
add bridge=Bridge_T1_vlan10 interface=ether7-10 pvid=10
add bridge=Bridge_T1_vlan10 interface=ether8-TRUNK
add bridge=Bridge_T1_vlan10 interface=ether9-TRUNK
add bridge=Bridge_T1_vlan10 interface=ether10-TRUNK
add bridge=Bridge_T1_vlan10 interface=ether11-TRUNK
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=Bridge_T1_vlan10 tagged=ether8-TRUNK,ether9-TRUNK,ether10-TRUNK,ether11-TRUNK vlan-ids=10
add bridge=Bridge_T1_vlan10 tagged="ether8-TRUNK,ether9-TRUNK,ether10-TRUNK,ether11-TRUNK,VLAN20,Bridge_T1_vlan10" vlan-ids=20
/interface detect-internet
set wan-interface-list=all

/ip address
add address=192.168.0.1/24 interface=Bridge_T1_vlan10 network=192.168.0.0
add address=10.0.0.1/23 interface=VLAN20 network=10.0.0.0


CRS125-24G-1S-2Hnd Device connected to MAIN UNIT:

/interface bridge
add fast-forward=no name=bridge10-w44 pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=POE-SERVICE
set [ find default-name=ether2 ] name=ether2-IN
set [ find default-name=ether3 ] name=ether3-10
set [ find default-name=ether4 ] name=ether4-10
set [ find default-name=ether5 ] name=ether5-10
set [ find default-name=ether6 ] name=ether6-10
set [ find default-name=ether7 ] name=ether7-10
set [ find default-name=ether8 ] name=ether8-10
set [ find default-name=ether9 ] name=ether9-10
set [ find default-name=ether10 ] name=ether10-10
set [ find default-name=ether11 ] name=ether11-10
set [ find default-name=ether12 ] name=ether12-10
set [ find default-name=ether13 ] name=ether13-10
set [ find default-name=ether14 ] name=ether14-10
set [ find default-name=ether15 ] name=ether15-10
set [ find default-name=ether16 ] name=ether16-10
set [ find default-name=ether17 ] name=ether17-TAG
set [ find default-name=ether18 ] name=ether18-TAG
set [ find default-name=ether19 ] name=ether19-TAG
set [ find default-name=ether20 ] name=ether20-TAG
set [ find default-name=ether21 ] name=ether21-TAG
set [ find default-name=ether22 ] name=ether22-TAG
set [ find default-name=ether23 ] name=ether23-TAG
set [ find default-name=ether24 ] advertise=10M-half,10M-full,100M-half,100M-full name=ether24-TAG


/interface bridge port
add bridge=bridge10-w44 interface=ether2-IN
add bridge=bridge10-w44 interface=ether3-10 pvid=10
add bridge=bridge10-w44 interface=ether4-10 pvid=10
add bridge=bridge10-w44 interface=ether5-10 pvid=10
add bridge=bridge10-w44 interface=ether6-10 pvid=10
add bridge=bridge10-w44 interface=ether7-10 pvid=10
add bridge=bridge10-w44 interface=ether8-10 pvid=10
add bridge=bridge10-w44 interface=ether9-10 pvid=10
add bridge=bridge10-w44 interface=ether10-10 pvid=10
add bridge=bridge10-w44 interface=ether11-10 pvid=10
add bridge=bridge10-w44 interface=ether12-10 pvid=10
add bridge=bridge10-w44 interface=ether15-10 pvid=10
add bridge=bridge10-w44 interface=ether14-10 pvid=10
add bridge=bridge10-w44 interface=ether16-10 pvid=10
add bridge=bridge10-w44 interface=ether17-TAG
add bridge=bridge10-w44 interface=ether18-TAG
add bridge=bridge10-w44 interface=ether19-TAG
add bridge=bridge10-w44 frame-types=admit-only-vlan-tagged interface=ether20-TAG
add bridge=bridge10-w44 interface=ether21-TAG
add bridge=bridge10-w44 interface=ether22-TAG
add bridge=bridge10-w44 interface=ether24-TAG
add bridge=bridge10-w44 interface=WLAN-GUESTS pvid=20
add bridge=bridge10-w44 interface=WLAN-OFFICE pvid=10
/interface bridge vlan
add bridge=bridge10-w44 tagged="ether17-TAG,ether18-TAG,ether19-TAG,ether20-TAG,ether21-TAG,ether22-TAG,ether23-TAG,ether24-TAG,ether2-IN" vlan-ids=10
add bridge=bridge10-w44 tagged="ether17-TAG,ether18-TAG,ether19-TAG,ether20-TAG,ether21-TAG,ether22-TAG,ether23-TAG,ether24-TAG,ether2-IN" vlan-ids=20
/ip dhcp-client
add disabled=no interface=bridge10-w44

A few minor things could do with tidying up, but nothing immediately jumps out.

Main unit:
Is there a reason for arp=proxy-arp on the bridge? There are some specific use cases, but not usually required.
The DHCP servers have authoritative=after-2sec-delay, this is historic and better set to authoritative=yes (the current default).
Under /interface bridge vlan the VLAN20 interface should not be included.
Some people have mentioned odd issues with /interface detect-internet, it may be better disabled unless you have a specific use for it.

CRS125:
You can use a VLAN-aware bridge but this disables hardware switching, the recommended setup for CRS1xx/2xx switches is a single non-VLAN-aware bridge plus switch configuration https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Example_1_.28Trunk_and_Access_ports.29 and https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Tagged
What are the /ip neighbor discovery-settings?

Discovery uses several protocols - LLDP, MNDP & CDP (listen only). Not all of them contain the same information so it could be some are being blocked and others are not changing the information reported. This could tie up with the islands of RoMON connectivity - this uses multicast so the D-link switch could be filtering it.

Thanks for your feedback, tdw.
Main UNIT:
Proxy-ARP allows access via PPTP (VPN) to the bridge.

Thanks for the rest of the tidying-up tips!

CRS125-24G-1S-2Hnd
/ip neighbor discovery-settings> print
discover-interface-list: !dynamic

My thoughts. You first mentioned that I probably don’t need a vlan10 interface. So if all the ports on the bridge are access ports with PVID10 and then I add tagged vlan20 on trunk ports maybe it would work? But there would be no security, I guess.

Maybe I should do this:

  1. Create VLAN10 interface on bridge for office LAN (transfer the dhcp server from bridge)
  2. SET PVID for all bridges at 99 (as a management vlan), get DHCP working with network 192.168.55.0/24 and then somehow route to office LAN to be able to ping the office devices?
  3. ADD tagged vlan ID=99 to all TRUNK PORTS

But, still. No devices in IP neighbor discovery list in winbox and the devices physically connected to switch are shown on switch IP neighbors list but showing NO Platform, Version, Board Name and Uptime is 00:00:00

regards,
Luke

OK, that is the most common use for proxy-arp. I wouldn’t use PPTP for remote access, it is probably the easiest VPN type to set up but is very insecure.


CRS125-24G-1S-2Hnd
/ip neighbor discovery-settings> print
discover-interface-list: !dynamic

That should be fine.


My thoughts. You first mentioned that I probably don’t need a vlan10 interface. So if all the ports on the bridge are access ports with PVID10 and then I add tagged vlan20 on trunk ports maybe it would work? But there would be no security, I guess.

Maybe I should do this:

  1. Create VLAN10 interface on bridge for office LAN (transfer the dhcp server from bridge)
  2. SET PVID for all bridges at 99 (as a management vlan), get DHCP working with network 192.168.55.0/24 and then somehow route to office LAN to be able to ping the office devices?
  3. ADD tagged vlan ID=99 to all TRUNK PORTS

That was before seeing your configs, people often add a VLAN ID=x AND set the bridge PVID=x, which is incorrect.

Either

/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge name=bridge.41 vlan-id=41
add interface=bridge name=bridge.42 vlan-id=42
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=41
add bridge=bridge tagged=bridge vlan-ids=42
/ip address
add address=192.168.41.1/24 interface=bridge.41 network=192.168.41.0
add address=192.168.42.1/24 interface=bridge.42 network=192.168.42.0

or

/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes pvid=41
/interface vlan
add interface=bridge name=bridge.42 vlan-id=42
/interface bridge vlan
add bridge=bridge vlan-ids=41
add bridge=bridge tagged=bridge vlan-ids=42
/ip address
add address=192.168.41.1/24 interface=bridge network=192.168.41.0
add address=192.168.42.1/24 interface=bridge.42 network=192.168.42.0

are equally valid examples, it is mostly down to personal preference.


But, still. No devices in IP neighbor discovery list in winbox and the devices physically connected to switch are shown on switch IP neighbors list but showing NO Platform, Version, Board Name and Uptime is 00:00:00

Very odd, there have been odd cases mentioned in the forums where something stops working despite looking fine in Winbox / CLI after upgrading a big jump in versions. You might have to try Mikrotik support if no-one else has any suggestions.

Wow,
So tagging the bridge with specific vlan id is equal to setting PVID at the same value?
I’ll be there monday. Maybe, I’ll try to reconfigure the settings in the way, you showed in first example.
Many thanks!

When you create a bridge it has two roles - a switch-part for connecting interfaces together, and an interface-part for traffic between the CPU and switch-part. The name is the same for both these roles, RouterOS uses the appropriate one depending on the configuration context.

Under /interface bridge the pvid= parameter sets the PVID on the interface-part to the CPU, in the same way that under /interface bridge port the pvid= parameter sets the PVID on the attached interface (typically a physical ethernet port).

But does this mean that setting PVID=10 for a bridge means the bridge is automatically “added” to VLAN ID 10? Because I think that the problem with the IP Discovery list might be caused by the DHCP server, which should be set for the newly created VLAN10, not for the Bridge (?)

Yes, unless frame-types=admit-only-vlan-tagged is specified pvid= will automatically add the bridge or bridge port as an untagged member of that VLAN. Look at Bridge > VLANs in Winbox - the Tagged and Untagged columns are the manually set members, Current Tagged and Current Untagged columns are the active, including dynamically added, members. You might have to add some columns to see all of these in Winbox, I don’t think all of them are shown by default. Command-line equivalent is /interface bridge vlan print detail

Thank you for your help.
Could you please explain what is the effect of adding VLAN20 and Bridge to tagged vlan-IDs=20 from my config below:

/interface bridge vlan
add bridge=Bridge_T1_vlan10 tagged=ether8-TRUNK,ether9-TRUNK,ether10-TRUNK,ether11-TRUNK vlan-ids=10
add bridge=Bridge_T1_vlan10 tagged="ether8-TRUNK,ether9-TRUNK,ether10-TRUNK,ether11-TRUNK,VLAN20,Bridge_T1_vlan10" vlan-ids=20

Still looking for things that block discovery.

VLAN20 should not be present, and as that interface is [correctly] not added as a member under /interface bridge port, it has no effect.
Bridge_T1_vlan10 should be present as a tagged interface so VLAN ID 20 is permitted via the interface-like role of the bridge; without it traffic will not reach the VLAN20 interface.


Still looking for things that block discovery.

What is the output of /ip neighbor print detail on both devices?
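The membership rules from the replies above (pvid= adds a dynamic untagged member, a tagged entry only counts for the bridge itself or a real bridge port, a VLAN interface needs the bridge tagged for its ID) can be checked offline against an export. This is an added example, not part of any post in the thread; the sample is a constructed, trimmed copy of the posted main-unit config, and the function names are hypothetical.

```python
import shlex

# Constructed sample: a trimmed version of the main-unit export posted in this thread.
SAMPLE_EXPORT = """
/interface bridge
add name=Bridge_T1_vlan10 pvid=10 vlan-filtering=yes
/interface vlan
add interface=Bridge_T1_vlan10 name=VLAN20 vlan-id=20
/interface bridge port
add bridge=Bridge_T1_vlan10 interface=ether3-10 pvid=10
add bridge=Bridge_T1_vlan10 interface=ether6-20 pvid=20
add bridge=Bridge_T1_vlan10 interface=ether8-TRUNK
add bridge=Bridge_T1_vlan10 interface=ether9-TRUNK
/interface bridge vlan
add bridge=Bridge_T1_vlan10 tagged=ether8-TRUNK,ether9-TRUNK vlan-ids=10
add bridge=Bridge_T1_vlan10 tagged="ether8-TRUNK,ether9-TRUNK,VLAN20,Bridge_T1_vlan10" vlan-ids=20
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its 'add' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:])  # shlex strips the quotes around lists
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def _names(row, key):
    return {n for n in row.get(key, "").split(",") if n}

def effective_membership(sections):
    """Return {(bridge, vid): {'tagged': set, 'untagged': set}}."""
    table = {}

    def entry(bridge, vid):
        return table.setdefault((bridge, int(vid)), {"tagged": set(), "untagged": set()})

    for row in sections.get("/interface bridge vlan", []):
        for vid in row["vlan-ids"].split(","):  # ranges such as 10-20 are not handled
            e = entry(row["bridge"], vid)
            e["tagged"] |= _names(row, "tagged")
            e["untagged"] |= _names(row, "untagged")

    # pvid= adds the bridge (CPU side) or the port as a dynamic untagged member,
    # unless frame-types=admit-only-vlan-tagged is set. The default pvid is 1.
    owners = [(b["name"], b["name"], b) for b in sections.get("/interface bridge", [])]
    owners += [(p["bridge"], p["interface"], p) for p in sections.get("/interface bridge port", [])]
    for bridge, member, row in owners:
        if row.get("frame-types") == "admit-only-vlan-tagged":
            continue
        e = entry(bridge, row.get("pvid", "1"))
        if member not in e["tagged"]:  # assumption: a static tagged entry is kept as is
            e["untagged"].add(member)
    return table

def audit(sections):
    """Return findings for the mistakes pointed out in the replies."""
    findings = []
    bridges = {b["name"]: b for b in sections.get("/interface bridge", [])}
    ports = {(p["bridge"], p["interface"]) for p in sections.get("/interface bridge port", [])}
    table = effective_membership(sections)

    for row in sections.get("/interface bridge vlan", []):
        for m in sorted(_names(row, "tagged") | _names(row, "untagged")):
            if m != row["bridge"] and (row["bridge"], m) not in ports:
                findings.append(f"vlan-ids={row['vlan-ids']}: {m} is not a port of "
                                f"{row['bridge']}, so listing it has no effect")

    for v in sections.get("/interface vlan", []):
        bridge = bridges.get(v["interface"])
        if bridge is None:
            continue
        vid = int(v["vlan-id"])
        if vid == int(bridge.get("pvid", "1")):
            findings.append(f"{v['name']}: vlan-id {vid} equals the bridge pvid")
        elif v["interface"] not in table.get((v["interface"], vid), {}).get("tagged", ()):
            findings.append(f"{v['name']}: bridge is not a tagged member of VLAN {vid}, "
                            f"so traffic will not reach this interface")
    return findings

if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for (bridge, vid), m in sorted(effective_membership(parsed).items()):
        print(vid, "tagged:", sorted(m["tagged"]), "untagged:", sorted(m["untagged"]))
    for finding in audit(parsed):
        print("FINDING:", finding)
```

On the sample, the trunk ports also show up as untagged members of VLAN 1 because they keep the default pvid, which is worth checking on any trunk that faces guest equipment.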

CRS125:
/ip neighbor print detail
0 interface=ether2-IN,bridge10-w44 address=192.168.0.1 address4=192.168.0.1 mac-address=xxx identity=“xxxxx” platform=“” version=“” unpack=none age=9s interface-name=“Bridge_Twins_vlan10/ether11-TRUNK” system-description=“MikroTik RouterOS 6.47.1 (stable) CCR1016-12G” system-caps=bridge,router system-caps-enabled=bridge,router

1 interface=ether2-IN,bridge10-w44 address=192.168.0.75 address4=192.168.0.75 mac-address=xxxxidentity=“Serwxxx” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=45s interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

2 interface=ether2-IN,bridge10-w44 address=192.168.0.75 address4=192.168.0.75 mac-address=xxxx identity=“Serxxx” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=45s uptime=15h11m15s software-id=“12EA-G6NW” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

3 interface=ether2-IN,bridge10-w44 address=192.168.0.77 address4=192.168.0.77 mac-address=xx identity=“157-160” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=1s interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

4 interface=ether2-IN,bridge10-w44 address=192.168.0.77 address4=192.168.0.77 mac-address=xx identity=“157-160” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=1s uptime=9h4m15s software-id=“GLKI-L1Y0” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

5 interface=ether2-IN,bridge10-w44 address=192.168.0.79 address4=192.168.0.79 mac-address=xxx identity=“161-164” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=0s interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

6 interface=ether2-IN,bridge10-w44 address=192.168.0.79 address4=192.168.0.79 mac-address=xxx identity=“161-164” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=0s uptime=9h4m16s software-id=“BFA7-F1UP” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

7 interface=ether2-IN,bridge10-w44 address=192.168.0.80 address4=192.168.0.80 mac-address=xxx identity=“269-272” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=45s interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

8 interface=ether2-IN,bridge10-w44 address=192.168.0.80 address4=192.168.0.80 mac-address=xxxx identity=“269-272” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=45s uptime=15h11m16s software-id=“PHZQ-3MZ8” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

9 interface=ether2-IN,bridge10-w44 address=192.168.0.84 address4=192.168.0.84 mac-address=xxx identity=“265-268” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=44s uptime=23h59m50s software-id=“X0E6-8K26” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

10 interface=ether2-IN,bridge10-w44 address=192.168.0.84 address4=192.168.0.84 mac-address=xxxx identity=“265-268” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=44s uptime=15h11m16s software-id=“X0E6-8K26” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

11 interface=ether2-IN,bridge10-w44 address=192.168.0.88 address4=192.168.0.88 mac-address=xxx identity=“Koxxxxxx” platform=“MikroTik” version=“6.40.5 (stable)” unpack=none age=43s uptime=15h11m17s software-id=“7KPR-YNTZ” board=“RBwAP2nD” ipv6=no interface-name=“bridge10” system-caps=“” system-caps-enabled=“”

12 interface=ether17-TAG,bridge10-w44 address=192.168.0.28 address4=192.168.0.28 mac-address=xxxx identity=“W44 2/3” platform=“” version=“” unpack=none age=45s interface-name=“bridge10/ether1” system-description=“MikroTik RouterOS 6.47.1 (stable) RBcAP2n” system-caps=bridge,wlan-ap,router system-caps-enabled=bridge,wlan-ap,router

13 interface=ether18-TAG,bridge10-w44 address=192.168.0.61 address4=192.168.0.61 mac-address=xxxx identity=“W44 Rexxxxxx” platform=“” version=“” unpack=none age=46s interface-name=“bridge10/ether1” system-description=“MikroTik RouterOS 6.47.1 (stable) RBcAP2n” system-caps=bridge,wlan-ap,router system-caps-enabled=bridge,wlan-ap,router

14 interface=ether19-TAG,bridge10-w44 address=192.168.0.50 address4=192.168.0.50 mac-address=xxxx identity=“W44 1p lxxxxx” platform=“” version=“” unpack=none age=48s interface-name=“bridge10/ether1” system-description=“MikroTik RouterOS 6.47.1 (stable) RBwAP2nDr2” system-caps=bridge,wlan-ap,router system-caps-enabled=bridge,wlan-ap,router

15 interface=ether20-TAG,bridge10-w44 address=192.168.0.53 address4=192.168.0.53 mac-address=xxxx identity=“W44 1p xxxxxx” platform=“” version=“” unpack=none age=49s interface-name=“bridge10/ether1” system-description=“MikroTik RouterOS 6.47.1 (stable) RBwAP2nDr2” system-caps=bridge,wlan-ap,router system-caps-enabled=bridge,wlan-ap,router

  1. Hmmmm, the ones with system-caps-enabled are not showing all the data…

  2. The ones that show all the data are still configured in the “old way” and are visible in winbox and in RoMon. Thanks!

MAIN UNIT

/ip neighbor print detail
0 interface=ether9-TRUNK,Bridge_Twins_vlan10 address=192.168.0.25 address4=192.168.0.25 mac-address=xsxsxs identity=“W44-REC-24G” platform=“” version=“” unpack=none age=59s interface-name=“bridge10-rec/ether2-IN-ROOT” system-description=“MikroTik RouterOS 6.47.1 (stable) CRS125-24G-1S-2HnD” system-caps=bridge,router
system-caps-enabled=bridge,router

1 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.75 address4=192.168.0.75 mac-address=scscscsc6 identity=“Serwerownia” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=35s interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

2 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.75 address4=192.168.0.75 mac-address=scscscscs identity=“Serwerownia” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=35s uptime=10h10m15s software-id=“12EA-G6NW” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

3 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.77 address4=192.168.0.77 mac-address=scscscs identity=“157-160” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=5s interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

4 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.77 address4=192.168.0.77 mac-address=scscsc identity=“157-160” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=5s uptime=2h33m16s software-id=“GLKI-L1Y0” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

5 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.79 address4=192.168.0.79 mac-address=scscsc identity=“161-164” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=5s interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

6 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.79 address4=192.168.0.79 mac-address=scscsccs identity=“161-164” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=5s uptime=2h33m15s software-id=“BFA7-F1UP” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

7 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.80 address4=192.168.0.80 mac-address=scscscsc identity=“269-272” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=33s interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

8 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.80 address4=192.168.0.80 mac-address=scsccscscs identity=“269-272” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=33s uptime=10h10m16s software-id=“PHZQ-3MZ8” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

9 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.84 address4=192.168.0.84 mac-address=Escscscs identity=“265-268” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=34s interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

10 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.84 address4=192.168.0.84 mac-address=scscsscsc identity=“265-268” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=34s uptime=10h10m15s software-id=“X0E6-8K26” board=“RBcAP2n” ipv6=no interface-name=“bridge10/vlan10 eth1” system-caps=“” system-caps-enabled=“”

11 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.88 address4=192.168.0.88 mac-address=scscss identity=“Kominkowa” platform=“MikroTik” version=“6.40.5 (stable)” unpack=none age=31s uptime=10h10m17s software-id=“7KPR-YNTZ” board=“RBwAP2nD” ipv6=no interface-name=“bridge10” system-caps=“” system-caps-enabled=“”

12 interface=ether10-TRUNK,Bridge_Twins_vlan10 address=192.168.0.95 address4=192.168.0.95 mac-address=scscscscsc4 identity=“W44-ANTENA” platform=“” version=“” unpack=none age=13s interface-name=“bridge/ether1” system-description=“MikroTik RouterOS 6.47.1 (stable) RBDynaDishG-5HacDr3” system-caps=bridge,wlan-ap,router
system-caps-enabled=bridge,wlan-ap,router

13 interface=ether11-TRUNK,Bridge_Twins_vlan10 address=192.168.0.27 address4=192.168.0.27 mac-address=scscscscscsc identity=“W44-BEssss” platform=“” version=“” unpack=none age=57s interface-name=“bridge10-w44/ether2-IN” system-description=“MikroTik RouterOS 6.47.1 (stable) CRS125-24G-1S-2HnD” system-caps=bridge,wlan-ap,router
system-caps-enabled=bridge,wlan-ap,router

14 interface=VLAN20 mac-address=scscscscscs identity=“Kominsssss” platform=“MikroTik” version=“6.40.5 (stable)” unpack=none age=31s uptime=10h10m17s software-id=“7KPR-YNTZ” board=“RBwAP2nD” ipv6=no interface-name=“bridge20” system-caps=“” system-caps-enabled=“”

15 interface=VLAN20 mac-address=dscdscdscdscds identity=“161-164” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=5s interface-name=“bridge20/vlan20 eth1” system-caps=“” system-caps-enabled=“”

16 interface=VLAN20 mac-address=dscdscdscdscdsc identity=“161-164” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=5s uptime=2h33m15s software-id=“BFA7-F1UP” board=“RBcAP2n” ipv6=no interface-name=“bridge20/vlan20 eth1” system-caps=“” system-caps-enabled=“”

17 interface=VLAN20 mac-address=dscscdscdsc identity=“269-272” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=33s interface-name=“bridge20/vlan20 eth1” system-caps=“” system-caps-enabled=“”

18 interface=VLAN20 mac-address=dscdscdscdscidentity=“269-272” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=33s uptime=10h10m16s software-id=“PHZQ-3MZ8” board=“RBcAP2n” ipv6=no interface-name=“bridge20/vlan20 eth1” system-caps=“” system-caps-enabled=“”

19 interface=VLAN20 mac-address=dscdscdscdsc identity=“383-384” platform=“MikroTik” version=“6.40.5 (stable)” unpack=none age=7s uptime=23h44m23s software-id=“XCHI-4KAQ” board=“RBcAP2n” ipv6=no interface-name=“bridge20” system-caps=“” system-caps-enabled=“”

20 interface=VLAN20 mac-address=dscdscdscdsc identity=“265-268” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=34s interface-name=“bridge20/vlan20 eth1” system-caps=“” system-caps-enabled=“”

21 interface=VLAN20 mac-address=dscdscsdcdscdsc identity=“265-268” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=34s uptime=10h10m15s software-id=“X0E6-8K26” board=“RBcAP2n” ipv6=no interface-name=“bridge20/vlan20 eth1” system-caps=“” system-caps-enabled=“”

22 interface=VLAN20 mac-address=sdcdscdscdscidentity=“157-160” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=5s interface-name=“bridge20/vlan20 eth1” system-caps=“” system-caps-enabled=“”

23 interface=VLAN20 mac-address=efefefefef identity=“157-160” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=5s uptime=2h33m16s software-id=“GLKI-L1Y0” board=“RBcAP2n” ipv6=no interface-name=“bridge20/vlan20 eth1” system-caps=“” system-caps-enabled=“”

24 interface=VLAN20 mac-address=efefefe identity=“Serwerownia” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=35s interface-name=“bridge20/vlan20 eth1” system-caps=“” system-caps-enabled=“”

25 interface=VLAN20 mac-address=efefefef identity=“Serwerownia” platform=“MikroTik” version=“6.47.1 (stable)” unpack=none age=35s uptime=10h10m15s software-id=“12EA-G6NW” board=“RBcAP2n” ipv6=no interface-name=“bridge20/vlan20 eth1” system-caps=“” system-caps-enabled=“”

As I’ve mentioned previously there are several discovery protocols - LLDP information should only be seen on physically connected interfaces, MNDP is broadcast across the layer-2 network. LLDP contains the system-caps and system-caps enabled information not present in MNDP, and similarly MNDP contains the board name, software ID and uptime not present in LLDP.

I suspect that setting the bridge PVID to something other than 1 has side effects, IIRC there has been mention of loop protect not working for example. You could move VLAN ID 10 off the bridge onto an actual VLAN interface, on the main unit something along the lines of:
/interface bridge
add arp=proxy-arp fast-forward=no name=Bridge_T1_vlan10 pvid=1 vlan-filtering=yes

/interface vlan
add arp=proxy-arp interface=Bridge_T1_vlan10 name=VLAN10 vlan-id=10
add interface=Bridge_T1_vlan10 name=VLAN20 vlan-id=20

/ip dhcp-server
add address-pool=T1 authoritative=after-2sec-delay disabled=no interface=VLAN10 lease-time=1d name=B
add address-pool=G authoritative=after-2sec-delay disabled=no interface=VLAN20 lease-time=12h name=G

/interface bridge vlan
add bridge=Bridge_T1_vlan10 tagged=ether8-TRUNK,ether9-TRUNK,ether10-TRUNK,ether11-TRUNK,Bridge_T1_vlan10 vlan-ids=10
add bridge=Bridge_T1_vlan10 tagged=ether8-TRUNK,ether9-TRUNK,ether10-TRUNK,ether11-TRUNK,VLAN20,Bridge_T1_vlan10 vlan-ids=20

/ip address
add address=192.168.0.1/24 interface=VLAN10 network=192.168.0.0
add address=10.0.0.1/23 interface=VLAN20 network=10.0.0.0

plus any other references to the bridge, in firewall/NAT rules for example.
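The LLDP/MNDP field split described in the reply above can be used to tell, per neighbour, which discovery protocol is actually arriving. This is an added example, not part of any post in the thread: the sample lines are constructed on the model of the CRS125 output (MAC addresses, identities and software IDs are placeholders), the function names are hypothetical, and entries that carry neither field set are reported as "unclassified" because the thread does not say which protocol produces them.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the CRS125 output in this thread; MAC addresses,
# identities and software IDs are placeholders. Record 3 wraps onto a second line.
SAMPLE_NEIGHBORS = '''
 0 interface=ether2-IN,bridge10-w44 address=192.168.0.1 mac-address=00:00:5E:00:53:01 identity="main" platform="" version="" age=9s system-description="MikroTik RouterOS 6.47.1 (stable) CCR1016-12G" system-caps=bridge,router system-caps-enabled=bridge,router
 1 interface=ether2-IN,bridge10-w44 address=192.168.0.75 mac-address=00:00:5E:00:53:4B identity="ap-75" platform="MikroTik" version="6.47.1 (stable)" age=45s system-caps="" system-caps-enabled=""
 2 interface=ether2-IN,bridge10-w44 address=192.168.0.75 mac-address=00:00:5E:00:53:4B identity="ap-75" platform="MikroTik" version="6.47.1 (stable)" age=45s uptime=15h11m15s software-id="XXXX-XXXX" board="RBcAP2n" system-caps="" system-caps-enabled=""
 3 interface=ether17-TAG,bridge10-w44 address=192.168.0.28 mac-address=00:00:5E:00:53:1C identity="ap-28" platform="" version="" age=45s system-description="MikroTik RouterOS 6.47.1 (stable) RBcAP2n" system-caps=bridge,wlan-ap,router
   system-caps-enabled=bridge,wlan-ap,router
'''

FIELD = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
# Field sets as described in the thread: LLDP carries the system-* values,
# MNDP carries board name, software ID and uptime.
LLDP_FIELDS = ("system-description", "system-caps", "system-caps-enabled")
MNDP_FIELDS = ("board", "software-id", "uptime")


def parse_neighbors(text):
    """Parse '/ip neighbor print detail' text into one dict per numbered record."""
    records = []
    for line in text.splitlines():
        if re.match(r"\s*\d+\s", line):      # a new record starts with its index
            records.append({})
        if records:                          # wrapped lines extend the last record
            for key, value in FIELD.findall(line):
                records[-1][key] = value.strip('"')
    return records


def protocols(record):
    """Return the discovery protocols whose specific fields are non-empty."""
    seen = set()
    if any(record.get(f) for f in LLDP_FIELDS):
        seen.add("LLDP")
    if any(record.get(f) for f in MNDP_FIELDS):
        seen.add("MNDP")
    return seen or {"unclassified"}


def by_neighbor(records):
    """Merge records per neighbour (by address, falling back to MAC)."""
    seen = defaultdict(set)
    for r in records:
        key = r.get("address") or r.get("mac-address", "?")
        seen[key] |= protocols(r)
    return dict(seen)


def missing_mndp(records):
    """Neighbours heard over LLDP whose MNDP announcements never arrived."""
    return sorted(a for a, p in by_neighbor(records).items()
                  if "LLDP" in p and "MNDP" not in p)


if __name__ == "__main__":
    recs = parse_neighbors(SAMPLE_NEIGHBORS)
    for addr, protos in sorted(by_neighbor(recs).items()):
        print(f"{addr:15} {', '.join(sorted(protos))}")
    print("LLDP only (no board/uptime shown):", missing_mndp(recs))
```

Neighbours listed by `missing_mndp` match the symptom reported in this thread: an entry with IP and identity but no board name or uptime.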

I’ll check it in couple of days and report back. Many thanks!

Hi tdw,
What about bridge settings in all other units?
Should the bridge be set to PVID=10?
I tried to add the bridge to tagged vlan=10 but I cannot get an IP for the CPU from the dhcp server.

edit:
FINALLY!
I added the VLAN10 interface to the bridge on a random unit and set the DHCP Client on VLAN10. The CPU got the IP and the device is seen in the winbox LIST! Now I’ll reconfigure every unit, but I guess we found the problem. Bridges should be PVID=1!
Thank you, tdw!

regards
Luke