Hello, I’m a beginner and am using a Hex as a simple Switch albeit with a few VLANs.
I have allocated Port 1 as the Input (from OPNSense virtualized on Proxmox), and am able to get VLANs 10 (Port 2), 20 (Port 3), and 30 (Port 4) to work. The issue however is I am “unable” to access Winbox under these three (3) ports. Only Port 5 provides access to WinBox.
Would greatly appreciate any assistance; the intention is to eventually allocate Port 5 to VLAN 99 (for Management Access).
/interface bridge
add name=bridge vlan-filtering=yes
/interface list
add name=WAN
add name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether3 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether4 pvid=30
add bridge=bridge interface=ether5
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=ether3 vlan-ids=20
add bridge=bridge tagged=ether1 untagged=ether4 vlan-ids=30
add bridge=bridge vlan-ids=1
add bridge=bridge tagged=ether1 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
Your are missing the bridge-to-cpu port, the /interface bridge vlan entries tagged=ether1 should be tagged=bridge,ether1. You also need /interface vlan entries to remove tags on egress from the bridge-to-cpu port / add them on ingress to the port, plus IP addresses.
Well you do not state the purpose of ether5 clearly, as its another trunk port. One has to assume its thus going to another smart device and will have to carry the trusted LAN to the next smart device as each smart device should get an IP address on the trusted subnet.
Why would you bother putting the management vlan on ether5. You should be able to reach the hex switch from behind the upstream router if your PC is on the management (trusted subnet on the upstream router) at your regular PC connection.
I would personally take ether5 off the bridge give it an Ip address of 192.168.55.1/30 and then plug my laptop into it, change IVP4 settings to 192.168.55.2 and config the hex peacefully from off the bridge.
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge-5
Hi thanks for the help / support; the new configuration is below.
I've given up on the Management VLAN; but I still have Either5 that isn't tagged. If / when I add it as a bridge port, I loose access to Winbox (get locked I believe). I am also not able to access Winbox from Either 2, 3, or 4.
How do i utilize the last Port / Ether 5 i.e. assign a Vlan to it, and use this (or any port) to access Winbox.
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether3 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether4 pvid=30
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=10
add bridge=bridge tagged=ether1 vlan-ids=20
add bridge=bridge tagged=ether1 vlan-ids=30
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
Your setup is not quite there… this would be correct…
(1) only entry required on bridge setting is turning vlan filtering on.
(2) I prefer manually entering the untagged and that way it shows up on config exports and can match visually with bridge port settings.
(3) Address for the device belongs to the vlan interface not the bridge.
I still think putting ether5 as part of the managment vlan is a waste of time.
You should always be able to access the device through the management vlan at any other location.
If there is a problem with the device its likely not going to be accessible through the bridge and thus an OFF BRIDGE ether5 solution is better as its independent of bridge config which is easy to screw up.
I was curious about the untagged addition you made to the configuration here. Is there a reason you do that? I was looking at the Router on a Stick configuration here: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 and noticed the untagged addition isn’t included apart of the config. Curious on if that’s needed for my config since I am trying to do something similar
In a vlan filtering scenario, when a device is acting as a switch or AP switch only the trusted or base vlan needs to be tagged in /interface bridge vlan settings.
As for untaggings, technically nothing needs to be untagged if the pvid has been entered on the port in /interface bridge port settings as the router dynamically assigns the untagging.
I prefer to write down the untagging manually so it shows up in config and one can assess if the person understands vlan filtering more easily also makes for a good cross-check practice.
In the case above, the only reason to show that was that the OP probably was going to have a management port on ether5. I prefer having an Off Bridge port for access and configuration.