Got locked out because of Frame-type setting on vlan-aware interface/bridge

So I think I have made a problematic mistake and I’m wondering if I can regain control again.

Context: I manage a network for a small business home owner, remotely, with Mikrotik-only equipment. The main core router is a CCR-1036, which connects to three CRS328-24P-4S+ switches. On those switches both access and trunk ports are defined via the bridge VLAN table.

To keep it simple, not too many VLANs are defined:

- 10 - trusted network
- 20 - guest network
- 30 - iot network
- 40 - cameras
- 100 - management

Patched on the CRSes are also several CAP-AC access points delivering somewhat complete wifi coverage - at least inside. Outside a few WAP-ACs are mounted but for specific spots only - which is fine.

The CAP-ACs are managed by CAPsMAN but since the new wifi-qcom-ac driver, configuring VLANs on the CAP side changed a bit. They're connected to the CRS via a trunk port, with a DHCP client on VLAN 100 and sending out different SSIDs for VLAN 10 and 20.

Now, on one specific CAP-AC, I was trying to also add VLAN 30 to that list because I had to include some Shelly energy meters over wifi (the rest of the devices on VLAN 30 so far had been connected over ethernet). I couldn't get it to work, probably missing something obvious. Mind you, I was doing this stuff remotely and yeah yeah… I know that's not the smartest thing to do when fiddling around with bridge VLAN settings…

Now, the last change I (accidentally) made was to change the Interface Bridge Frame Types setting. While in my mind I was changing this at port level, apparently the setting also exists at interface/bridge level. I had changed it to 'admit only untagged and priority tagged' - a setting whose consequences I don't understand. Well, other than me being totally locked out of the CAP.

Easy enough, rolling back that setting gets me there. But by no means have I had any luck getting back into the AP. It's got no IP from DHCP, it's only found in the IP neighbours list via LLDP, but that doesn't give me the ability to connect over MAC/Layer 2. I can't ping its MAC, can't telnet into it, …

Not completely understanding what the frame-type setting means, I thought I could get there by changing how the CAP was connected to the CRS, e.g. by changing it from a trunk port to an untagged/access port. But that also doesn't give any more connectivity options.

Wondering what to do next, other than needing to drive over there. The home owner is able to help with non-technical stuff - so he could do a remote reset for example, but I'm not sure if I need to be onsite to then get it connected anyway…

Does someone have any ideas or explanation of what the specific frame type setting on the interface level means?

Edit: all devices are on 7.19.3

The easiest is likely to reset the cAP back to defaults and replace the config.

If you have a saved config, I'd be able to say more or perhaps suggest a path in. But in terms of the effect, you're essentially limiting it to untagged packets, so no VLAN will work since they go via the bridge interface/port. Beyond that, there is also pvid= on the bridge interface (default is 1), the ether1/2 bridge port settings, and the auto-mac=/admin-mac= settings that could all play a role in what exactly happens and how to get in. Anyway, it was a bad one to get wrong, and hard to explain exactly what's going on :wink:

And some bridge settings could also affect MAC access (WinBox or MAC Telnet); beyond that, MAC access needs to be enabled on the interface list used.

I'd recommend enabling RoMON in future. If that was already enabled, you should be able to get in via another MikroTik. But by default, RoMON is disabled.


You, my man, are a life saver. I did enable RoMON in the past and that got me connected right away!

Still eager to find out more about what this setting actually does, but first let's revert and never touch it again :slight_smile: Thanks.


Good to hear. Yeah RoMON is super useful for getting out of these "bad bridge" configurations.

At the end of the day, it's the "duality" of the "switch CPU port", which is both a bridge port and the parent interface; see RouterOS bridge mysteries explained and Bridging and Switching - RouterOS - MikroTik Documentation for the gory details.

If I have to guess... presumably you were on your VLAN 10 and/or VLAN 100 when trying to access it. And since VLAN interfaces go through the "switch CPU port", they're going to get dropped by the frame-types=admit-only-untagged... on the bridge interface, so VLAN packets from the CPU (which includes any /interface/vlan's) aren't going to get into the bridge. That's why I said "no VLAN will work".

Perhaps, if you had an /ip/address defined on the bridge interface and/or used an untagged path from any AP/switch to the router, you might have been able to get in without RoMON.

You're welcome to post the config from export file=config.rsc. But it's kind of like a test of how well you understand the internals of bridge VLAN filtering, and the specifics matter to answer more exactly.
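The two points made in this thread, the frame-types setting living on the bridge interface (the CPU port) as well as on each bridge port, and RoMON as the out-of-band way back in, as an added RouterOS CLI example that is not from the original posts or from the poster's config. Interface names (bridge, ether1, vlan100), the VLAN IDs and the RoMON secret are assumed for the example.

```routeros
# --- 1. The lockout, in one line ---------------------------------------
# frame-types on the BRIDGE INTERFACE applies to the switch CPU port, i.e.
# to every /interface/vlan sitting on top of the bridge. Dropping tagged
# frames here silently cuts off vlan100 (management) and every other VLAN.
# This is the setting that caused the lockout; do not apply it remotely:
#   /interface bridge set [find name=bridge] frame-types=admit-only-untagged-and-priority-tagged

# --- 2. What the intended per-PORT setting looks like ------------------
# Trunk uplink to the CRS: accept only tagged frames on the port itself.
/interface bridge port set [find interface=ether1] frame-types=admit-only-vlan-tagged
# The bridge interface (CPU port) keeps admit-all so its own VLAN
# interfaces can still be tagged into the bridge.
/interface bridge set [find name=bridge] frame-types=admit-all vlan-filtering=yes
# Management VLAN: tagged on the uplink and on the CPU port, with the
# DHCP client on the VLAN interface as described in the thread.
/interface bridge vlan add bridge=bridge vlan-ids=100 tagged=bridge,ether1
/interface vlan add name=vlan100 interface=bridge vlan-id=100
/ip dhcp-client add interface=vlan100 disabled=no

# --- 3. Out-of-band recovery paths to set up BEFORE touching VLANs -----
# RoMON lets another MikroTik reach this one over Layer 2 even when every
# IP/VLAN path is broken. Use a real secret, not this placeholder.
/tool romon set enabled=yes secrets=CHANGE-ME-ROMON-SECRET
# MAC-Telnet / MAC-WinBox only answer on interfaces in the allowed list.
/interface list add name=MGMT
/interface list member add list=MGMT interface=ether1
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT

# --- 4. Dead-man's switch for a risky remote change --------------------
# Schedule a revert of the bridge frame-types; if you still have access
# after the change, remove the guard. If you are locked out, it fires and
# undoes the change on its own. (Safe Mode, Ctrl-X in the CLI, does the
# same for a single session but only if the session actually drops.)
/system scheduler add name=bridge-guard interval=5m \
  on-event="/interface bridge set [find name=bridge] frame-types=admit-all; \
            /system scheduler remove [find name=bridge-guard]"
# ... make the change, verify you can still reach vlan100, then:
/system scheduler remove [find name=bridge-guard]
```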