Interface / VLAN Configuration

Hi Guys,

Please help me with the missing link. To be honest, I tried several things and mostly got locked out on my own.
My current interface config is:

/interface bridge add name=LAN priority=0x1E pvid=10 vlan-filtering=yes
/interface ethernet set [ find default-name=sfp1 ] name=TRUNK
/interface vlan add interface=TRUNK name=IOT vlan-id=20
/interface vlan add interface=TRUNK name=MGMT vlan-id=10
/interface vlan add interface=TRUNK name=UPC vlan-id=100
/interface bridge port add bridge=LAN frame-types=admit-only-vlan-tagged interface=TRUNK
/interface bridge vlan add bridge=LAN tagged=LAN untagged=ether1,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
/interface bridge vlan add bridge=LAN tagged=LAN vlan-ids=100
/interface bridge vlan add bridge=LAN tagged=LAN vlan-ids=20

/ip address add address=192.168.100.254/24 interface=MGMT network=192.168.100.0
/ip address add address=192.168.101.254/24 interface=IOT network=192.168.101.0

Why is the device which I connect to ether1 not reachable via PVID 10? I don’t get it.
On the TRUNK Port (SFP) there is a CSS326-24G-2S+ which currently hosts all my network devices and does vlan “untagging” well.

Thx for any help!

Most of that is incorrect. You don’t say which model Mikrotik, so I’m assuming a 2011/3011/4011 as there are ten ethernet ports and an SFP mentioned - the full reference for VLAN-aware bridges for non-CRS devices is here https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

Firstly, for compatibility with standards the bridge priority should be a multiple of 4096, i.e. 0x1000, 0x2000, …, 0xF000. The bridge PVID should not be set to the same value as a VLAN interface attached to the bridge.
/interface bridge
add name=LAN priority=0xN000 pvid=1 vlan-filtering=yes

Under /interface vlan the VLANs should be attached to the parent interface, not members. So in your case the bridge LAN, not the member TRUNK.

You have only added one interface, the SFP one named TRUNK to the bridge, likely all of the ethernet ports should also be members:
/interface bridge port
add bridge=LAN interface=ether1 pvid=10

add bridge=LAN interface=ether10 pvid=10

Under /interface bridge vlan you have to specify any tagged VLAN memberships, including the bridge itself for traffic to reach the attached /interface vlan, so:
/interface bridge vlan
add bridge=LAN tagged=LAN,TRUNK untagged=ether1,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
add bridge=LAN tagged=LAN,TRUNK vlan-ids=20
add bridge=LAN tagged=LAN,TRUNK vlan-ids=100
Whilst it is possible to add untagged memberships as well, these will be added dynamically from the pvid= settings under the /interface bridge port and /interface bridge sections; this eliminates the possibility of specifying a different PVID and untagged membership, which would prevent correct operation.

Hi,

Yes, you’re right, it’s an RB3011UiAS. I configured it all as you stated.

This is the output now (just configured ethernet1 for testing)

/interface bridge add name=LAN priority=0xF000 vlan-filtering=yes
/interface bridge port add bridge=LAN frame-types=admit-only-vlan-tagged interface=TRUNK
/interface bridge port add bridge=LAN interface=ether1 pvid=10
/interface bridge vlan add bridge=LAN tagged=LAN,TRUNK vlan-ids=10
/interface bridge vlan add bridge=LAN tagged=LAN,TRUNK vlan-ids=100
/interface bridge vlan add bridge=LAN tagged=LAN,TRUNK vlan-ids=20

Still, the device I attached to ether1 is not reachable with PVID 10 and is shown as “disabled port” in WinBox. Did I miss something?

Cheers & Thx for your help!

Presumably that is in the Role column on Bridge > Ports. What is the status (the column to the left of the Interface one)?
The output of /interface ethernet print and /interface bridge port print may be useful.

Here we go …

[admin@router-main] > /interface ethernet print    
Flags: X - disabled, R - running, S - slave 
 #    NAME                                                           MTU MAC-ADDRESS       ARP             SWITCH                                                        
 0 RS TRUNK                                                         1500 C4:AD:34:0F:A7:F3 enabled        
 1 RS ether1                                                        1500 C4:AD:34:0F:A7:EE enabled         switch1                                                       
 2    ether2                                                        1500 C4:AD:34:0F:A7:EF enabled         switch1                                                       
 3    ether3                                                        1500 C4:AD:34:0F:A7:F0 enabled         switch1                                                       
 4    ether4                                                        1500 C4:AD:34:0F:A7:F1 enabled         switch1                                                       
 5    ether5                                                        1500 C4:AD:34:0F:A7:F2 enabled         switch1                                                       
 6    ether6                                                        1500 C4:AD:34:0F:A7:F4 enabled         switch2                                                       
 7    ether7                                                        1500 C4:AD:34:0F:A7:F5 enabled         switch2                                                       
 8    ether8                                                        1500 C4:AD:34:0F:A7:F6 enabled         switch2                                                       
 9    ether9                                                        1500 C4:AD:34:0F:A7:F7 enabled         switch2                                                       
10    ether10                                                       1500 C4:AD:34:0F:A7:F8 enabled         switch2                                                       
[admin@router-main] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                             BRIDGE                                            HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0     TRUNK                                                 LAN                                               yes    1     0x80         10                 10       none
 1     ether1                                                LAN                                               yes   10     0x80         10                 10       none

This is the reference I use…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

And post the complete config:
/export hide-sensitive file=anynameyouwish

Thx for this - I looked at the Switch.rsc and, from my point of view (thx to the previous poster), it’s configured exactly as there (except for the vlan-security settings, which I guess are not really needed for the basic functionality).

Complete config (only the firewall part stripped):

# oct/06/2020 13:24:39 by RouterOS 6.47.4
# software id = LVGI-H82J
#
# model = RouterBOARD 3011UiAS
# serial number = B8950BD1D59A
/interface l2tp-server add name=l2tp-client-florian.mulatz user=florian.mulatz
/interface l2tp-server add name=l2tp-client-martina.mulatz user=martina.mulatz
/interface bridge add name=LAN priority=0xF000 vlan-filtering=yes
/interface bridge add name=ospf
/interface bridge add name=ospf-internal
/interface bridge add name=tunnel
/interface ethernet set [ find default-name=sfp1 ] name=TRUNK
/interface ovpn-server add name=ovpn-client-florian.mulatz.ovpn user=florian.mulatz.ovpn
/interface vlan add interface=TRUNK name=IOT vlan-id=20
/interface vlan add interface=TRUNK name=MGMT vlan-id=10
/interface vlan add interface=TRUNK name=UPC vlan-id=100
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-256,3des name=l2tp-vpn-peer-profile
/ip ipsec proposal add enc-algorithms=aes-256-cbc,3des name=l2tp-vpn-proposal pfs-group=none
/ip pool add name=dhcp-lan ranges=192.168.100.1-192.168.100.49
/ip pool add name=dhcp-iot ranges=192.168.101.1-192.168.101.200
/ip pool add name=dhcp-ondemand ranges=192.168.102.1-192.168.102.14
/ip dhcp-server add address-pool=dhcp-lan disabled=no interface=MGMT name=DHCP-LAN
/ip dhcp-server add address-pool=dhcp-iot disabled=no interface=IOT name=DHCP-IOT
/ip ipsec mode-config add address-pool=dhcp-ondemand name=l2tp-vpn-mode-config
/ppp profile add change-tcp-mss=yes local-address=192.168.102.254 name=l2tp-vpn-profile remote-address=dhcp-ondemand use-compression=yes use-encryption=required use-mpls=yes
/ppp profile add change-tcp-mss=yes name=SSTP-Windows-Client use-encryption=required use-mpls=yes
/ppp profile add change-tcp-mss=no local-address=192.168.102.254 name=SSTP-server-profile only-one=no remote-address=192.168.102.253 use-compression=yes use-encryption=yes use-mpls=yes use-upnp=no
/queue tree add limit-at=9700k max-limit=9700k name=queue1 parent=UPC queue=default
/queue tree add disabled=yes limit-at=6200k max-limit=6200k name=prio5-streaming packet-mark=streaming parent=queue1 priority=5 queue=default
/queue tree add disabled=yes limit-at=100k max-limit=9500k name=prio8-untagged packet-mark=no-mark parent=queue1 queue=default
/queue tree add limit-at=1G max-limit=1G name=prio3-gaming packet-mark=gaming parent=queue1 priority=3 queue=default
/queue tree add disabled=yes limit-at=1G max-limit=1G name=prio2-misc-fast packet-mark=misc-fast parent=queue1 priority=2 queue=default
/queue tree add disabled=yes limit-at=100k max-limit=9500k name=prio6-http packet-mark=http parent=queue1 priority=6 queue=default
/routing ospf instance set [ find default=yes ] disabled=yes redistribute-connected=as-type-1 router-id=10.255.255.1
/routing ospf instance add distribute-default=if-installed-as-type-1 name=internal router-id=10.255.254.1
/routing ospf area add area-id=0.0.0.1 instance=internal name=internal
/system logging action add bsd-syslog=yes name=synology remote=192.168.100.251 target=remote
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/user group add name=prometheus policy=read,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp
/interface bridge port add bridge=LAN frame-types=admit-only-vlan-tagged interface=TRUNK
/interface bridge port add bridge=LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1 pvid=10
/ip neighbor discovery-settings set discover-interface-list=all
/ip settings set rp-filter=loose tcp-syncookies=yes
/interface bridge vlan add bridge=LAN tagged=LAN,TRUNK vlan-ids=10
/interface bridge vlan add bridge=LAN tagged=LAN,TRUNK vlan-ids=100
/interface bridge vlan add bridge=LAN tagged=LAN,TRUNK vlan-ids=20
/interface ethernet switch vlan add independent-learning=yes ports=ether1 switch=switch1 vlan-id=10
/interface l2tp-server server set allow-fast-path=yes authentication=mschap2 default-profile=l2tp-vpn-profile max-mru=1460 max-mtu=1460 one-session-per-host=yes use-ipsec=yes
/interface ovpn-server server set auth=sha1 certificate="VPN Server" cipher=aes256 enabled=yes port=8443
/interface sstp-server server set authentication=mschap2 default-profile=SSTP-server-profile enabled=yes force-aes=yes max-mru=1600 max-mtu=1600 mrru=1600 pfs=yes port=55555 tls-version=only-1.2
/ip address add address=192.168.100.254/24 interface=MGMT network=192.168.100.0
/ip address add address=192.168.101.254/24 interface=IOT network=192.168.101.0
/ip address add address=10.255.255.1 interface=ospf network=10.255.255.1
/ip address add address=10.255.254.1 interface=ospf-internal network=10.255.254.1
/ip address add address=192.168.100.246/24 comment=DNS disabled=yes interface=MGMT network=192.168.100.0
/ip cloud set ddns-enabled=yes update-time=no
/ip dhcp-client add disabled=no interface=UPC use-peer-dns=no
/ip dhcp-server lease add address=192.168.100.50 mac-address=D8:8F:76:68:1F:A5 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.52 mac-address=BC:E1:43:4A:6C:C9 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.53 mac-address=AC:CF:5C:A4:37:B7 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.54 mac-address=98:FE:94:52:23:B6 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.55 mac-address=5C:F5:DA:15:12:50 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.60 mac-address=3C:71:BF:22:80:79 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.61 mac-address=F0:FE:6B:31:1D:66 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.62 mac-address=F0:FE:6B:31:1D:78 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.63 mac-address=70:EE:50:18:FB:3C server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.64 mac-address=EC:B5:FA:02:8D:5E server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.65 mac-address=00:04:20:F1:EC:C7 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.68 mac-address=68:37:E9:39:93:04 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.69 mac-address=44:00:49:80:A4:88 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.197 mac-address=44:D9:E7:F6:5D:9A server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.198 mac-address=44:D9:E7:F6:5D:89 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.200 mac-address=10:4F:A8:D6:95:1D server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.202 mac-address=00:0C:29:5D:85:DA server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.203 mac-address=A4:38:CC:8F:68:CE server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.207 mac-address=00:05:CD:AA:7C:6C server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.208 mac-address=00:1E:06:33:E2:9F server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.209 mac-address=B8:27:EB:4B:20:57 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.212 mac-address=78:C2:C0:98:7D:29 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.213 mac-address=00:09:B0:C9:83:C6 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.215 mac-address=A8:E3:EE:C9:0C:15 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.216 mac-address=00:09:34:2B:D9:14 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.217 mac-address=00:1D:EC:14:56:7B server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.246 mac-address=00:0C:29:5A:C6:61 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.248 mac-address=D4:CA:6D:68:EE:35 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.249 mac-address=D4:CA:6D:85:67:C9 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.250 mac-address=64:D1:54:C3:01:66 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.251 mac-address=00:0C:29:45:73:56 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.51 mac-address=70:85:C2:B8:BA:C9 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.242 client-id=1:0:50:56:99:6f:ec mac-address=00:50:56:99:6F:EC server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.56 client-id=1:50:7a:c5:5:a1:e1 mac-address=50:7A:C5:05:A1:E1 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.70 mac-address=08:12:A5:54:50:76 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.101.100 mac-address=84:F3:EB:09:6A:70 server=DHCP-IOT
/ip dhcp-server lease add address=192.168.101.101 mac-address=2C:3A:E8:3B:77:F5 server=DHCP-IOT
/ip dhcp-server lease add address=192.168.101.102 mac-address=2C:3A:E8:3B:7E:F4 server=DHCP-IOT
/ip dhcp-server lease add address=192.168.100.66 client-id=ff:12:34:56:78:0:3:0:6:68:a4:e:e:ca:f0 mac-address=68:A4:0E:0E:CA:F0 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.201 client-id=1:4:e:3c:59:5d:6e mac-address=04:0E:3C:59:5D:6E server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.244 mac-address=00:0C:29:D2:E9:2F server=DHCP-LAN
/ip dhcp-server lease add address=192.168.101.103 mac-address=3C:71:BF:22:80:79 server=DHCP-IOT
/ip dhcp-server lease add address=192.168.100.67 client-id=1:40:a2:db:b4:18:2d mac-address=40:A2:DB:B4:18:2D server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.245 client-id=ff:29:b5:58:80:0:1:0:1:26:57:8b:41:0:c:29:b5:58:80 mac-address=00:0C:29:B5:58:80 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.57 client-id=1:3c:f0:11:c8:c1:a2 mac-address=3C:F0:11:C8:C1:A2 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.241 client-id=1:0:26:b9:7e:4e:d2 mac-address=00:26:B9:7E:4E:D2 server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.58 client-id=1:80:e8:2c:96:5a:2b mac-address=80:E8:2C:96:5A:2B server=DHCP-LAN
/ip dhcp-server lease add address=192.168.100.247 client-id=1:0:7:43:7:23:1c mac-address=00:07:43:07:23:1C server=DHCP-LAN
/ip dhcp-server network add address=192.168.100.0/24 dns-server=192.168.100.246 domain=mulatz.lan gateway=192.168.100.254 netmask=24
/ip dhcp-server network add address=192.168.101.0/24 dns-server=192.168.100.246 domain=mulatz.lan gateway=192.168.101.254 netmask=24
/ip dns set servers=1.1.1.1,9.9.9.9
/ip ipsec policy set 0 disabled=yes
/ip ipsec policy add dst-address=0.0.0.0/0 proposal=l2tp-vpn-proposal src-address=0.0.0.0/0 template=yes
/ip proxy set anonymous=yes port=3128
/ip proxy access add src-address=192.168.100.0/24
/ip route add distance=1 dst-address=192.168.103.0/24 gateway=192.168.102.253
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api address=192.168.100.0/24,192.168.101.0/24,192.168.102.0/24,192.168.103.0/24,192.168.104.0/24 disabled=yes
/ip service set winbox address=192.168.100.0/24,192.168.101.0/24,192.168.102.0/24,192.168.103.0/24,192.168.104.0/24
/ip ssh set always-allow-password-login=yes forwarding-enabled=both strong-crypto=yes
/ip traffic-flow set cache-entries=8k
/ip upnp set enabled=yes
/ip upnp interfaces add interface=UPC type=external
/ip upnp interfaces add interface=MGMT type=internal
/ppp secret add name=florian.mulatz profile=l2tp-vpn-profile
/ppp secret add disabled=yes name=martina.mulatz profile=l2tp-vpn-profile service=l2tp
/ppp secret add name=florian.mulatz.ovpn profile=l2tp-vpn-profile service=ovpn
/ppp secret add name=aws.router profile=SSTP-server-profile remote-address=192.168.102.253
/routing ospf interface add network-type=broadcast
/routing ospf network add area=backbone network=192.168.100.0/24
/routing ospf network add area=backbone network=192.168.101.0/24
/routing ospf network add area=backbone network=10.255.255.1/32
/routing ospf network add area=backbone network=192.168.102.254/32
/routing ospf network add area=internal network=192.168.100.0/24
/snmp set contact="Florian Mulatz" enabled=yes location="Ebentaler Strasse 31"
/system clock set time-zone-name=Europe/Vienna
/system clock manual set dst-delta=+01:00 dst-end="oct/27/2019 03:00:00" dst-start="mar/31/2019 02:00:00"
/system identity set name=router-main
/system logging set 0 disabled=yes
/system logging set 2 disabled=yes
/system logging add disabled=yes topics=debug,ovpn
/system ntp client set enabled=yes primary-ntp=37.252.187.111 secondary-ntp=193.171.23.163
/tool bandwidth-server set authenticate=no enabled=no
/tool e-mail set address=smtp.mailgun.org from=void@mulatz.at port=587 start-tls=yes user=postmaster@mulatz.at
/tool romon set enabled=yes
/tool sniffer set filter-interface=UPC streaming-enabled=yes streaming-server=192.168.100.242
/tool traffic-generator packet-template add data=random header-stack="" name=packet-template1
/tool traffic-generator stream add mbps=200 name=str1 packet-size=1500 tx-template=packet-template1

You haven’t changed the VLAN interfaces to the parent which can cause odd behaviour:
/interface vlan add interface=LAN name=IOT vlan-id=20
/interface vlan add interface=LAN name=MGMT vlan-id=10
/interface vlan add interface=LAN name=UPC vlan-id=100

I would remove the switch chip setting /interface ethernet switch vlan add independent-learning=yes ports=ether1 switch=switch1 vlan-id=10 - you can either use a vlan-aware bridge without the switch chip, or a non-vlan-aware bridge with hardware switching and VLAN filtering, but mixing some configuration from both methods can cause odd behaviour.

There is nothing obvious as to why the port status should be disabled, as the ethernet port is running and the bridge port is not inactive; normally you would see a status of disabled if the bridge port were either disabled or inactive.

Unrelated to the issue at hand, the bridge port frame-types= setting has no effect unless ingress-filtering=yes is specified:
/interface bridge port add bridge=LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=TRUNK
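Taken together, the two replies name six things to check in an export: bridge priority, bridge PVID versus VLAN ids, where the /interface vlan entries are attached, the bridge itself in tagged=, frame-types= without ingress-filtering=yes, and switch-chip VLAN entries mixed with a vlan-filtering bridge. The Python script below is an added example (not MikroTik's code or anything posted in the thread) that parses a RouterOS export in the `/menu add key=value` form and flags each of those pitfalls; the two embedded exports are constructed samples, one modelled on the original poster's first config and one corrected as advised.

```python
import re
import shlex

# Constructed sample modelled on the original poster's first config (not a real export).
BROKEN_EXPORT = """\
/interface bridge add name=LAN priority=0x1E pvid=10 vlan-filtering=yes
/interface vlan add interface=TRUNK name=IOT vlan-id=20
/interface vlan add interface=TRUNK name=MGMT vlan-id=10
/interface bridge port add bridge=LAN frame-types=admit-only-vlan-tagged interface=TRUNK
/interface bridge port add bridge=LAN interface=ether1 pvid=10
/interface bridge vlan add bridge=LAN tagged=TRUNK vlan-ids=10
/interface bridge vlan add bridge=LAN tagged=LAN,TRUNK vlan-ids=20
/interface ethernet switch vlan add ports=ether1 switch=switch1 vlan-id=10
"""
# The same layout corrected as the replies recommend; should lint clean.
FIXED_EXPORT = """\
/interface bridge add name=LAN priority=0xF000 pvid=1 vlan-filtering=yes
/interface vlan add interface=LAN name=IOT vlan-id=20
/interface vlan add interface=LAN name=MGMT vlan-id=10
/interface bridge port add bridge=LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=TRUNK
/interface bridge port add bridge=LAN interface=ether1 pvid=10
/interface bridge vlan add bridge=LAN tagged=LAN,TRUNK vlan-ids=10
/interface bridge vlan add bridge=LAN tagged=LAN,TRUNK vlan-ids=20
"""
LINE_RE = re.compile(r"^(/[\w\s-]+?)\s+(add|set)\s+(.*)$")

def parse_export(text):
    """Yield (menu path, {key: value}) for each '/menu add|set k=v ...' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # comments, blank lines, other verbs
        path, _verb, rest = m.groups()
        rest = re.sub(r"\[[^\]]*\]", "", rest)        # drop '[ find ... ]' selectors
        yield path.strip(), dict(t.split("=", 1) for t in shlex.split(rest) if "=" in t)

def lint(text):
    """Return one finding per pitfall named in the replies above (empty list = clean)."""
    rows = {}
    for path, kv in parse_export(text):
        rows.setdefault(path, []).append(kv)
    bridges = {b["name"]: b for b in rows.get("/interface bridge", []) if "name" in b}
    ports, ivlans = rows.get("/interface bridge port", []), rows.get("/interface vlan", [])
    filtering = {n for n, b in bridges.items() if b.get("vlan-filtering") == "yes"}
    vlan_ids = {v.get("vlan-id") for v in ivlans}     # ids that have an /interface vlan
    members = {p.get("interface") for p in ports}     # bridge member ports
    out = []
    for name, b in bridges.items():
        if int(b.get("priority", "0x8000"), 16) % 0x1000:      # must be a multiple of 4096
            out.append(f"bridge {name}: priority {b['priority']} is not a multiple of 0x1000")
        pvid = b.get("pvid", "1")
        if pvid in vlan_ids:
            out.append(f"bridge {name}: pvid {pvid} collides with a /interface vlan id")
    for v in ivlans:                                  # VLAN interfaces belong on the bridge
        if v.get("interface") in members:
            out.append(f"vlan {v.get('name')}: attached to member port {v.get('interface')}, not the bridge")
    for e in rows.get("/interface bridge vlan", []):  # bridge must be tagged for its own VLANs
        ids = set(e.get("vlan-ids", "").split(","))
        if e.get("bridge") in filtering and ids & vlan_ids and e["bridge"] not in e.get("tagged", "").split(","):
            out.append(f"bridge vlan {e.get('vlan-ids')}: bridge {e['bridge']} missing from tagged=")
    for p in ports:                                   # frame-types= is inert without ingress filtering
        if "frame-types" in p and p.get("ingress-filtering") != "yes":
            out.append(f"bridge port {p.get('interface')}: frame-types= without ingress-filtering=yes")
    if filtering and rows.get("/interface ethernet switch vlan"):
        out.append("switch-chip vlan table mixed with a vlan-filtering bridge")
    return out
```

Run `lint()` over the text of `/export hide-sensitive`; the checks are limited to what the replies describe, so a clean result does not prove the whole VLAN design is right.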

If going the bridge vlan filtering route (vice switch chips), then one only needs one bridge… at least from my limited experience.

The change with the VLANs to the LAN bridge was the “magic” trick! Now the device connected to ether1 is also reachable as expected!
Thx for all of your really experienced help!

Now it’s working as expected for me!
Thx again