"Hybrid" Vlan Configuration on 6.41.1

Dear Mikrotik Community,

I’m trying to configure a rather simple VLAN set-up with my new Routerboard - CRS326 running RouterOS 6.42.1.
Got two cAP ACs running nicely over POE with an IoT device attached.
This IoT device should be in a separate VLAN. So I set up an untagged VLAN on the cAP AC, a bridge and a trunk to the CRS.

/interface vlan
add interface=ether1 name=ether1-vlan100 vlan-id=100

/interface bridge
add name=bridge-IoT protocol-mode=none pvid=100 vlan-filtering=yes
/interface bridge port
add bridge=bridge-IoT interface=ether2 pvid=100
add bridge=bridge-IoT interface=ether1-vlan100 pvid=100
/interface bridge vlan
add bridge=bridge-IoT tagged=bridge-IoT untagged=ether2,ether1-vlan100 vlan-ids=100

Then on my CRS I created the same trunk and a bridge.

/interface vlan
add interface=ether24 name=eth24-vlan100 vlan-id=100
/interface bridge
add comment="IoT devices" name=bridge-IoT pvid=100 vlan-filtering=yes
add admin-mac=CC:2D:E0:02:49:F0 auto-mac=no comment=VNET name=bridge-VNET \
    vlan-filtering=yes
/interface bridge port
add bridge=bridge-IoT interface=eth24-vlan100 pvid=100
/interface bridge vlan
add bridge=bridge-IoT tagged=eth24-vlan100 untagged=bridge-IoT vlan-ids=100

This is fine so far. I am able to ping the IP-address on the cAP AC bridge and the IoT device itself.

Here comes the thing I don’t understand. I want to put a specific VM on port ethernet23 in that VLAN so that it is able to talk to the IoT device.
There are other VMs on port ethernet23 that should not be affected and stay in the default VLAN.

How would I achieve that?

Things I already tried:

  • trunk port on ethernet23 and configure 8021q with the linux vm using vconfig
  • add a switch rule to change the VLAN ID and the port
  • add a host entry under bridge hosts to set the VLAN ID using the source MAC address.

Best thing (IMHO) would be to have the port ethernet23 in two bridges (IoT bridge and normal).
It is also possible that I did a misconfiguration. Reading the posts from sindy in this Thread http://forum.mikrotik.com/t/mikrotik-rb2011uias-vlan-tagging-bridge/119001/6
there are many options for a proper VLAN configuration.

Thanks in advance,
kind regards,
Peter

Now the VLAN Tag is correctly set on my VM.
/interface ethernet switch host print

 #   SWITCH                      MAC-ADDRESS       PORTS                     TIMEOUT DROP MIRROR VLAN-ID
18 D switch1                     2A:D5:E0:77:8A:86 ether23                   0s      no   no         100

How would I put this specific MAC/VLAN Tag on my bridge?

You cannot make the same interface a member of two bridges simultaneously. So if you need to make ether23 a hybrid port, i.e. to let packets belonging to one VLAN come and leave tagless and packets for other VLAN(s) come and leave tagged, you must make both ether23 and ether24 member ports of a bridge, configure ether24 as an access port for VLAN 100 and work with VLANs on that bridge, something like:

/interface bridge
add name=common-bridge vlan-filtering=no

/interface bridge port
add bridge=common-bridge interface=ether23
add bridge=common-bridge interface=ether24 pvid=100

The above is enough for your VM to see the IoT devices; if you want the Mikrotik to see them as well, you need to add

/interface vlan
add name=vlan-iot vlan-id=100 interface=common-bridge

/ip address add address=some.ip.add.ress/pref-len interface=vlan-iot

The ip address previously attached to ether23 has to be attached to bridge-common instead, so make sure that you don’t use it to connect to the CRS while configuring it, otherwise you’ll cut your access.

With vlan-filtering=no, all ports of a bridge are open for forwarding frames with any vlan id as well as tagless packets (unlike other switches, Mikrotik does support tagless packets internally), and the settings in /interface bridge port determine which vlan will be “native” (tagged on ingress, untagged on egress) on a given port.

The settings in /interface bridge vlan are only necessary when vlan-filtering=yes, but I’m not sure how packets which do not get tagged on ingress are handled when vlan-filtering=yes. Based on the fact that setting pvid=1 in /interface bridge port makes ingress tagless packets remain tagless inside the bridge, I would assume that a rule for vlan-ids=1 in /interface bridge vlan controls this, but it is just speculation.

Dear sindy,

thanks a lot for this explanation and the clarification. In fact I need the “/interface vlan” configuration for DHCP.
The really important thing here was “vlan-filtering=no”, which makes it possible to “work with VLANs on that bridge”.
I thought somehow that I would need two bridges but I don’t.

There is another MikroTik switch (CSS106) on port interface ethernet24 which is somehow seen by the VLAN100 VM.
Not sure where this is coming from, but the VLAN setup is working so far.

Thanks.
Kind regards,
Peter

With vlan-filtering=yes, you can work with VLANs on a bridge too, but you have to properly configure the admission rules under /interface bridge vlan. There are some advantages in doing so, but for your simple setup it seemed better to me not to scare you with the additional complexity, especially as I haven’t tested myself yet how to set the filtering rules properly for tagless packets. The very idea of tagless packets inside a VLAN-enabled bridge is hard to adapt to, although it permits overcoming some limitations of the low-end switch chips to a certain degree.

I thought somehow that I would need two bridges but I don’t.

It was also possible to do it the following way:

  • make ether23 a member of one bridge (or attach the IP configuration to it directly),
  • create /interface vlan name=vlan-iot vlan-id=100 with interface=ether23 or interface=the-bridge-of-which-ether23-is-a-member accordingly,
  • create another bridge, called e.g. bridge-iot,
  • make ether24 and vlan-iot the member interfaces of bridge-iot.

What worked in older versions of ROS was to have ether23 a member of some (single!) bridge and at the same time make ether23 alone a carrier interface of some /interface vlan, but if I remember well, even there it was possible to configure but it behaved strangely.

There is another MikroTik switch (CSS106) on port interface ethernet24 which is somehow seen by the VLAN100 VM.
Not sure where this is coming from

In your current setup, ether24 is an access port to VLAN 100, so any tagless packet received on it gets tagged with VLAN ID 100. So whatever you connect to ether24 and talks tagless will be seen by the VM in VLAN 100 at L2.
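The vlan-filtering=yes variant that sindy mentions above but leaves untested, written out as an added example (this is not configuration from sindy, Peter or MikroTik, and it was not part of the thread). It keeps the thread’s names (ether23 as the hybrid port, ether24 as the VLAN 100 access port, common-bridge, vlan-iot, VLAN 100) and assumes VLAN 1 as the tagless VLAN of the ordinary VMs plus placeholder IP addresses. The point of the admission rules is isolation: with vlan-filtering=no every bridge port may inject or receive any VLAN tag, so nothing stops a host behind ether23 from placing itself into VLAN 100; with the entries below each port only gets the VLANs listed for it, and tagged frames arriving on the access port ether24 are refused.

```routeros
# Added example, not from the thread: hybrid port ether23 + access port ether24
# on one bridge with vlan-filtering=yes. VLAN 1 as the tagless VLAN and the IP
# addresses are assumptions; interface and VLAN names are the thread's.
#
# Apply from a session that does not run over ether23 (or from Safe Mode):
# once filtering is on, frames that match no entry below are dropped.

/interface bridge
# Created with filtering off; it is switched on as the very last step.
add name=common-bridge vlan-filtering=no

/interface bridge port
# ether23 (hybrid): tagless frames belong to VLAN 1 (pvid=1), VLAN 100 arrives
# and leaves tagged for the IoT VM. admit-all accepts both frame kinds;
# ingress-filtering drops tagged frames for VLANs this port is not listed in.
add bridge=common-bridge interface=ether23 pvid=1 frame-types=admit-all \
    ingress-filtering=yes
# ether24 (access): tagless frames get VLAN 100 on ingress, and anything that
# arrives already tagged from the cAP/CSS side is refused outright.
add bridge=common-bridge interface=ether24 pvid=100 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 100: tagged towards the VM on ether23 and towards the CPU (the bridge
# interface itself, so vlan-iot can see it), untagged on the access port.
add bridge=common-bridge vlan-ids=100 tagged=common-bridge,ether23 untagged=ether24
# VLAN 1: the tagless traffic of the other VMs. Listing the bridge as an
# untagged member keeps the management address on common-bridge reachable.
add bridge=common-bridge vlan-ids=1 untagged=common-bridge,ether23

/interface vlan
add name=vlan-iot vlan-id=100 interface=common-bridge

/ip address
add address=192.0.2.1/24 interface=common-bridge comment="VLAN 1 side (assumed address)"
add address=198.51.100.1/24 interface=vlan-iot comment="VLAN 100 / IoT (assumed address)"

# Enable filtering last; until here the bridge forwards as with
# vlan-filtering=no, so the entries above can be reviewed before they bite.
/interface bridge set [find name=common-bridge] vlan-filtering=yes
```

After enabling, `/interface bridge vlan print` shows the static entries together with the ports each VLAN is allowed on, and `/interface bridge host print` shows which learned MAC addresses ended up in VLAN 100 versus VLAN 1, which is the quickest way to confirm that only the intended VM and the ether24 side appear in the IoT VLAN.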