How to remove 802.1Q header on "untagged" bridge egress

rpress · September 8, 2020, 3:30pm

It really doesn’t matter what VLAN ID is used as default VLAN ID for untagged-only traffic as it’s used only internally to unit (be it mikrotik or any other managed switch). Which means that traffic on ethernet cable between MT and switch doesn’t (or at least should not) have VLAN tags if traffic belongs to “default” VLAN. Unless that VLAN is configured as tagged on a port. So you could have default VLAN set to 1000 on one device and default VLAN set to 1 on the other device and they would still happily exchange (untagged) frames on their interconnect.

Which brings us back to suggestion to not use VLAN ID 1 on ROS configs because it’s used in many places by default and makes hard to debug config … And my personal suggestion: when starting to use VLANs, never use untagged traffic (read: default VLAN) on LAN devices interconnections. Only use untagged on access ports.

I found pages like this https://0x2142.com/whats-wrong-with-vlan-1 which seem to say VLAN 1 is “bad” because it’s commonly used so a hacker can try VLAN 1 first. Changing it to something else is simply security through obscurity. The real fix is to be careful which ports are allowed to be trunk ports.

I use untagged (hybrid VLANs) because I have many virtual machines, some on different VLANs. I don’t want to configure the host machine to be only on a VLAN, for a variety of reasons.

I use the same VLAN 1 as used by default on my Dell switch. So far, nobody here has said why VLAN 1 is “bad”, if you have a very good example please post that. But we are already very off topic here; using VLAN 1 is not the reason my packets have an 802.1Q header with VLAN ID 0.

I don’t know why @anav keeps trolling. Just stop posting to my thread.

CZFan · September 8, 2020, 4:26pm

That’s the dude from the Patrick Swayze movie “Road House”, cool movie

anav · September 8, 2020, 4:52pm

Did you not see the avatar, I do not even come close to resembling a troll, quite insulting to us induced ovulators ( for the layperson - calmidae family).
Perhaps you need to chill just a bit more,
A classic!!
https://www.youtube.com/watch?v=Pe2K5iT8lwE

PS. Take your vlan1 and put it where the sun don’t shine! In plain english, vlanX (where x does not =0,2-9) not good!!

Seriously, if it works for you, then thats great! It has given me problems in the past and we all strive for happy outcomes..

rpress · September 8, 2020, 6:54pm

I couldn’t use ether3 but I did add a different port ether5. Here is the config:

/interface bridge
add admin-mac=52:54:00:17:DE:AD auto-mac=no igmp-snooping=yes name=bridge1-lan vlan-filtering=yes
/interface bridge port
add bridge=bridge1-lan interface=ether3-plato
add bridge=bridge1-lan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=1000
add bridge=bridge1-lan interface=ether2-shop
add bridge=bridge1-lan interface=ether1-switch
add bridge=bridge1-lan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether-vm-lan
add bridge=bridge1-lan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=1000
/interface bridge vlan
add bridge=bridge1-lan comment=lan tagged=ether1-switch,ether2-shop untagged=ether4 vlan-ids=1
add bridge=bridge1-lan comment=wanonly tagged=bridge1-lan,ether1-switch,ether2-shop vlan-ids=2
add bridge=bridge1-lan comment=lanonly tagged=bridge1-lan,ether1-switch,ether2-shop vlan-ids=3
add bridge=bridge1-lan comment=privvpn tagged=bridge1-lan,ether3-plato vlan-ids=44
add bridge=bridge1-lan untagged=ether4,ether5 vlan-ids=1000

And here is the result, the same 802.1Q header with VLAN ID 0. This is tcpdump from a PC on the ether4 side, pinging to a PC on ether5:

14:46:17.976459 00:23:54:8c:62:93 (oui Unknown) > 74:d4:35:e7:f3:98 (oui Unknown), ethertype IPv4 (0x0800), length 98: archimedes > 10.10.10.1: ICMP echo request, id 2, seq 175, length 64
14:46:17.977432 74:d4:35:e7:f3:98 (oui Unknown) > 00:23:54:8c:62:93 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 0, p 0, ethertype IPv4, 10.10.10.1 > archimedes: ICMP echo reply, id 2, seq 175, length 64

awbl · September 9, 2020, 6:40am

In the meantime, did you try assigning a PVID (e.g., 1000) to ether3 and ether4 in the bridge port config and then assigning ether3 and ether4 as untagged members of that bridge VLAN (plus any other necessary changes like creating the virtual VLAN interface)? That would effectively turn ether3 and ether4 into access ports for a VLAN that only exists in the router. I’d expect that to work, since it’s not all that dissimilar from what I have working. If it does work, it may not necessarily give you a fix, but it’d at least narrow down the potential problem scenario(s).

I couldn’t use ether3 but I did add a different port ether5. Here is the config:
/interface bridge
add admin-mac=52:54:00:17:DE:AD auto-mac=no igmp-snooping=yes name=bridge1-lan vlan-filtering=yes
/interface bridge port
add bridge=bridge1-lan interface=ether3-plato
add bridge=bridge1-lan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=1000
add bridge=bridge1-lan interface=ether2-shop
add bridge=bridge1-lan interface=ether1-switch
add bridge=bridge1-lan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether-vm-lan
add bridge=bridge1-lan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=1000
/interface bridge vlan
add bridge=bridge1-lan comment=lan tagged=ether1-switch,ether2-shop untagged=ether4 vlan-ids=1
add bridge=bridge1-lan comment=wanonly tagged=bridge1-lan,ether1-switch,ether2-shop vlan-ids=2
add bridge=bridge1-lan comment=lanonly tagged=bridge1-lan,ether1-switch,ether2-shop vlan-ids=3
add bridge=bridge1-lan comment=privvpn tagged=bridge1-lan,ether3-plato vlan-ids=44
add bridge=bridge1-lan untagged=ether4,ether5 vlan-ids=1000
And here is the result, the same 802.1Q header with VLAN ID 0. This is tcpdump from a PC on the ether4 side, pinging to a PC on ether5:
14:46:17.976459 00:23:54:8c:62:93 (oui Unknown) > 74:d4:35:e7:f3:98 (oui Unknown), ethertype IPv4 (0x0800), length 98: archimedes > 10.10.10.1: ICMP echo request, id 2, seq 175, length 64
14:46:17.977432 74:d4:35:e7:f3:98 (oui Unknown) > 00:23:54:8c:62:93 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 0, p 0, ethertype IPv4, 10.10.10.1 > archimedes: ICMP echo reply, id 2, seq 175, length 64

Nothing in that bit of code looks odd to me. I tried to break VLAN 1 and couldn’t. I was consistently able to ping from one computer to another. The only other random place I can think to look is at your switch settings in ROS to be sure the VLAN header setting isn’t set to Add if Missing and to be sure VLAN 0 isn’t assigned to any ports in the switch VLAN settings assuming you’re using a device with a switch chip that supports VLAN table. Beyond that, I’m out of ideas.

robertkjonesjr · September 9, 2020, 11:31am

Its well known in the network world to avoid tagging with VLAN 1. Different vendors treat this in different ways and causes all sorts of hassles so most just avoid it.

Usually a tagged frame with vlan.id 0 is used for QoS - this allows the priority to come through without actually assigning a vlan. I see you are using tcpdump on a host - though a I am a big proponent of packet capture, I suggest that you take it to the next level - remove the end host behavior (is this a VM, perhaps?) and use a tap and grab the traffic off the link, not via the end host nor the transmitting device. Best to get a third party view of the problem at this point.