hapLite VLAN trunk fails with no default vlan defined.

I’m trying to get a trunk working between a hapLite and a CRS 125. The hapLite is the Atheros 8227 chipset, which should work.

I have 2 vlans (2 and 17) defined on the hap Lite. I want vlan 2 on eth1, and vlan 17 on eth 2, with the trunk on eth4 (trunked to the CRS 125)

/interface bridge
add name=bridgeVLAN
/interface vlan
add interface=bridgeVLAN name=vlanGUEST vlan-id=17
add interface=bridgeVLAN name=vlanLAN vlan-id=2
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=17 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=2 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface bridge port
add bridge=bridgeVLAN interface=ether1
add bridge=bridgeVLAN interface=ether2
add bridge=bridgeVLAN interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add ports=ether4,ether1,switch1-cpu switch=switch1 vlan-id=2
add ports=ether2,switch1-cpu,ether4 switch=switch1 vlan-id=17

The above config works, because of this line:
set 3 default-vlan-id=2 vlan-header=add-if-missing vlan-mode=secure

A vlan 2 system on eth1 can ping across the trunk to an IP address on the CRS or laptop plugged into vlan 2 or 17 on the CRS.

However, a vlan 17 system on eth2 can’t ping across the trunk.

If I change that line to vlan 0 (or 1):
set 3 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure

then the eth1 vlan 2 system can no longer ping across the trunk. The configs I find on line don’t specify a default-vlan-id, but in my case, if it’s not default to vlan 2, ping fails.

Ideas? That one change on the hapLite making the trunk fail makes me think it’s on the hapLite side of the config.

Well, I thought I’d found what I’d forgotten:

/interface bridge vlan
add bridge=bridgeVLAN tagged=vlanGUEST vlan-ids=17
add bridge=bridgeVLAN tagged=vlanLAN vlan-ids=2

/interface bridge port
add bridge=bridgeVLAN interface=ether1 pvid=2
add bridge=bridgeVLAN interface=ether2 pvid=17
add bridge=bridgeVLAN interface=ether4

but it didn’t make any difference. Still doesn’t work.
set 3 default-vlan-id=2 vlan-header=add-if-missing vlan-mode=secure
works for vlan 2, but I can’t change that to default-vlan-id=1.

/interface bridge port
add bridge=bridgeVLAN interface=vlanGUEST pvid=17
add bridge=bridgeVLAN interface=vlanLAN pvid=2


Now I’m probably making a mess of things, but still not helping.

When you decide NOT to use these settings I can certainly help.
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=17 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=2 vlan-header=add-if-missing vlan-mode=secure

As well, I would have to see the complete config:
/export hide-sensitive file=anynameyouwish (and just ensure no public IP addresses are displayed).

The problem may be the 8227 switch chip, if I understood what @tdk said about them in post #79 of this thread Vlan configuration issue

This is the relevant part:

On ether2 is vlan 17 untagged or tagged? Have you tried making it a pure trunk with both 2 and 17 tagged? What type of access point do you have?

I’m glad to use any settings that will work! I pulled those settings from the wiki:
https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching

It just won’t let me not set the default-vlan-id for interface 3 (eth4). If I set it for 2, vlan 2 works. If I set it for 17, vlan 17 works.

# jan/02/1970 20:42:13 by RouterOS 6.49.6
# software id = 2UIZ-IVIF
#
# model = RB941-2nD
/interface bridge
add name=bridgeVLAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridgeVLAN name=vlanGUEST vlan-id=17
add interface=bridgeVLAN name=vlanLAN vlan-id=2
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=17 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=17 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN interface=ether1 pvid=2
add bridge=bridgeVLAN interface=ether2 pvid=17
add bridge=bridgeVLAN interface=ether4
add bridge=bridgeVLAN interface=vlanGUEST pvid=17
add bridge=bridgeVLAN interface=vlanLAN pvid=2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridgeVLAN tagged=vlanGUEST vlan-ids=17
add bridge=bridgeVLAN tagged=vlanLAN vlan-ids=2
/interface ethernet switch vlan
add ports=ether4,ether1,switch1-cpu switch=switch1 vlan-id=2
add ports=ether2,switch1-cpu,ether4 switch=switch1 vlan-id=17
/ip address
add address=192.168.2.3/24 interface=vlanLAN network=192.168.2.0
add address=192.168.17.3/24 interface=vlanGUEST network=192.168.17.0
/system identity
set name=B941-2nD

I have a haplite. I need you to tell me if it’s tagged or untagged. The config is above.

In theory I want ether 4 to be the trunk.

For your security, remove serial number from export…

The entire /interface bridge vlan section and the pvid= settings in the /interface bridge port are ignored when the bridge has vlan-filtering=no.

The switching setup should work with
/interface ethernet switch port
set 3 vlan-header=add-if-missing vlan-mode=secure
i.e. with default-vlan-id=0. Are you sure the CRS configuration is correct?

Watch this YouTube video. It is using two hAP lites with a trunk from one to the other. The hAP lite on the right should be similar to your hAP lite; the hAP lite on the left is more like your CRS 125 switch.

Configuring VLAN’s on MikroTik RouterBoard using the Switch Chip by Maher Haddad.

Well, I would say yes, with the obvious caveat that the darned thing doesn’t work, which means it’s broken somewhere.

Here are the configs of the two devices. I’ve removed the changes I noted, and watched the video, where I think everything is right on the hAP Lite side.

Same problem. If I set the default vlan id on the hAPLite on the trunk interface to a particular vlan, it works for that vlan only. Setting it to 0 it doesn’t work.

# jan/02/1970 21:55:47 by RouterOS 6.49.6
# software id = 2UIZ-IVIF
#
# model = RB941-2nD
/interface bridge
add name=bridgeVLAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridgeVLAN name=vlanGUEST vlan-id=17
add interface=bridgeVLAN name=vlanLAN vlan-id=2
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=17 vlan-header=always-strip vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN interface=ether1 pvid=2
add bridge=bridgeVLAN interface=ether2 pvid=17
add bridge=bridgeVLAN interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add ports=ether4,ether1,switch1-cpu switch=switch1 vlan-id=2
add ports=ether2,switch1-cpu,ether4 switch=switch1 vlan-id=17
/ip address
add address=192.168.2.3/24 interface=vlanLAN network=192.168.2.0
add address=192.168.17.3/24 interface=vlanGUEST network=192.168.17.0
/system identity
set name=B941-2nD

And the CRS

# jan/02/1970 07:30:56 by RouterOS 6.49.6
# software id = AKR0-XZSF
#
# model = CRS125-24G-1S-2HnD
/interface bridge
add name=bridgeVLAN
/interface wireless
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface vlan
add interface=bridgeVLAN name=vlanGUEST vlan-id=17
add interface=bridgeVLAN name=vlanLAN vlan-id=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=poolLAN ranges=192.168.2.100-192.168.2.199
add name=poolGUEST ranges=192.168.17.100-192.168.17.199
/ip dhcp-server
add address-pool=poolLAN disabled=no interface=vlanLAN name=dhcpLAN
add address-pool=poolGUEST disabled=no interface=vlanGUEST name=dhcpGUEST
/interface bridge port
add bridge=bridgeVLAN interface=ether2
add bridge=bridgeVLAN interface=ether3
add bridge=bridgeVLAN interface=ether4
add bridge=bridgeVLAN interface=ether5
add bridge=bridgeVLAN interface=ether6
add bridge=bridgeVLAN interface=ether7
add bridge=bridgeVLAN interface=ether8
add bridge=bridgeVLAN interface=ether9
add bridge=bridgeVLAN interface=ether10
add bridge=bridgeVLAN interface=ether11
add bridge=bridgeVLAN interface=ether12
add bridge=bridgeVLAN interface=ether13
add bridge=bridgeVLAN interface=ether14
add bridge=bridgeVLAN interface=ether15
add bridge=bridgeVLAN interface=ether16
add bridge=bridgeVLAN interface=ether17
add bridge=bridgeVLAN interface=ether18
add bridge=bridgeVLAN interface=ether20
add bridge=bridgeVLAN interface=ether21
add bridge=bridgeVLAN interface=ether22
add bridge=bridgeVLAN interface=ether24
add bridge=bridgeVLAN interface=sfp1
add bridge=bridgeVLAN interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether23,switch1-cpu vlan-id=2
add tagged-ports=ether23,switch1-cpu vlan-id=17
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=2 ports=\
    ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8
add customer-vid=0 new-customer-vid=17 ports=\
    ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16
add customer-vid=0 new-customer-vid=2 ports=\
    ether17,ether18,ether20,ether21,ether22,ether24
/interface ethernet switch vlan
add ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether17,ether\
    18,ether20,ether21,ether22,ether24,switch1-cpu" vlan-id=2
add ports="ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether2\
    4,switch1-cpu" vlan-id=17
/ip address
add address=192.168.2.1/24 interface=vlanLAN network=192.168.2.0
add address=192.168.17.1/24 interface=vlanGUEST network=192.168.17.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1 netmask=24
add address=192.168.17.0/24 dns-server=8.8.8.8 gateway=192.168.17.1 netmask=24
/system identity
set name=RS125-24G-1S-2

With the goal to have a trunk between the two on hAPLite: ether 4 and CRS125 on ether 24 for VLANs 2 and 17, with (for the moment) full connectivity across all the ports and vlans. I’m using ether3 on the hAP to manage it, and ether 19 on the CRS, specifically so I don’t cut myself off at the knees with other configuration.

For your security, remove serial number from export… also from previous posts…

ether23 is missing from the definitions under /interface ethernet switch vlan on the CRS

I did that on my most previous post, and just did for the earlier one.

While I do appreciate your point, why does my serial make the device less secure?

Good catch, but you caught my typo, not my problem. I updated the above post to correct that my trunk should be on eth24 on the CRS. (MikroTik has the ports upside down from what I’m used to.)

Well, the CRS had ether24 configured for Ingress VLAN translation under Switch > In. Vlan Trans, which as a trunk port it shouldn’t have? Removed it. Didn’t fix things, but perhaps a step closer.
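The two CRS-side slips found in this thread (ether23 egress-tagged but missing from /interface ethernet switch vlan, and the intended trunk port ether24 mapped as an untagged access port by ingress-vlan-translation) are the kind of thing a consistency check over the export catches before cabling. Below is an added example, not code from the thread or from MikroTik: a small Python linter for the CRS1xx switch-chip sections of a RouterOS export. The sample export is constructed from the thread’s config, cut down to a few ports; the section names and keys are the ones in the export above.

```python
import re
from collections import defaultdict

# Constructed sample: the CRS125 switch-chip sections from the thread, cut down
# to a few ports, keeping the two inconsistencies under discussion (ether23 is
# egress-tagged but never a VLAN member; ether24 is meant as the trunk but is
# only mapped as an untagged access port for VLAN 2).
SAMPLE_EXPORT = r"""
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether23,switch1-cpu vlan-id=2
add tagged-ports=ether23,switch1-cpu vlan-id=17
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=2 ports=ether1,ether2
add customer-vid=0 new-customer-vid=17 ports=ether9,ether10
add customer-vid=0 new-customer-vid=2 ports=\
    ether17,ether24
/interface ethernet switch vlan
add ports="ether1,ether2,ether17,ether2\
    4,switch1-cpu" vlan-id=2
add ports=ether9,ether10,ether24,switch1-cpu vlan-id=17
"""

def parse_export(text):
    """Map each /section to its 'add' entries as {key: value} dicts.
    Backslash line continuations are joined and quoted values unquoted."""
    sections, current = defaultdict(list), None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections[current].append({k: v.strip('"') for k, v in
                                      re.findall(r'(\S+?)=("[^"]*"|\S+)', line)})
    return sections

def lint_switch_vlans(sections, cpu="switch1-cpu"):
    """Return sorted findings for port/VLAN pairs whose tagging is inconsistent."""
    members, tagged, access = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in sections.get("/interface ethernet switch vlan", []):
        members[e["vlan-id"]].update(e["ports"].split(","))
    for e in sections.get("/interface ethernet switch egress-vlan-tag", []):
        tagged[e["vlan-id"]].update(e["tagged-ports"].split(","))
    for e in sections.get("/interface ethernet switch ingress-vlan-translation", []):
        if e.get("customer-vid") == "0":          # untagged ingress -> this VLAN
            access[e["new-customer-vid"]].update(e["ports"].split(","))
    findings = []
    for vlan, ports in tagged.items():            # tagged on egress, never a member
        findings += [f"{p}: egress-tagged for VLAN {vlan} but not a member"
                     for p in ports - members[vlan]]
    for vlan, ports in members.items():           # member, but leaves untagged with no mapping
        findings += [f"{p}: member of VLAN {vlan} but neither tagged nor an access port for it"
                     for p in ports - tagged[vlan] - access[vlan] - {cpu}]
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_switch_vlans(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Run against a full export (the file written by /export hide-sensitive) it reports every port that will send a VLAN’s frames out untagged without an access mapping, which is exactly what a trunk port with no egress-vlan-tag entry does.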

Seeing several threads here about the Atheros 8227 chipset and VLAN issues, I replaced my hAP Lite with a hAP AC (QCA 8337 chip) and effectively dropped the config in place onto the (blank) hAP AC.

I still have that same problem. The only difference is that the hAP AC permits me to set the VLAN to blank for switch > port > ether4 on the hapAC. I’d get an error trying that on the hAP lite.

It’s clear to me that tagging is wrong somewhere, because I’m assigning a tag to ether 4 if there isn’t one, and that “add if missing” default vlan ID when added works for that vlan

Ping results by source host and destination, for the three default-vlan-id settings on the hAP AC trunk port (ether4):

Source / Destination                     vlan-id=2   vlan-id=17   vlan-id=0
192.168.2.34 (hapAC, eth1, vlan 2)
    192.168.2.1                          -           +            -
    192.168.2.3                          +           +            +
    192.168.2.34
    192.168.2.100                        -           +            -
    192.168.17.1                         -           +            -
    192.168.17.3                         -           +            -
    192.168.17.35                        -           +            -
192.168.17.35 (hAP AC, eth 2, vlan 17)
    192.168.2.1                          +           -
    192.168.2.3                          -           +
    192.168.2.34                         +           -
    192.168.2.100                        +           -
    192.168.17.1                         +           -
    192.168.17.3                         +           +
    192.168.17.35
192.168.2.100 (CRS, eth8, vlan 2)
    192.168.2.1                          +           +            +
    192.168.2.3                          -           +            -
    192.168.2.34                         -           +            -
    192.168.2.100
    192.168.17.1                         +           +            +
    192.168.17.3                         +           -            -
    192.168.17.35                        +           -            -

So traffic exiting out of ether4 isn’t tagged?

Yet:
/interface ethernet switch vlan ports=ether4, ether1, switch-cpu switch=switch1 vlan-id=2
/interface ethernet switch vlan ports=ether4, ether2, switch-cpu switch=switch1 vlan-id=17

If I enable vlan-filtering on the hAP AC and CRS
/interface bridge name=bridge1 vlan-filtering=yes
I lose connectivity. Which I think makes sense, because enabling that would be using CPU instead of the switch chip.

With the gigabit Atheros switch chips you should leave vlan-header=leave-as-is as described in the documentation.

Enabling VLAN filtering on the bridge will disable hardware switching, so you will not get wire-speed switching between ports, and requires the bridge port PVID and bridge VLANs to be defined. Do not attempt to mix software VLAN filtering and hardware switch configuration, they interact in undocumented ways.

If I reveal something, it can be used against users…
But obviously someone can track you with that information…