Is WebFig bugged with vlan interfaces on RB5009UG+S+IN?

Hi Folks,

I have taken my new router back to defaults to try to troubleshoot this. I can't get WebFig to load when I'm trying to access it via a VLAN interface, as below.

Am I misunderstanding something, or might this be a bug? I tried the 7.21 beta firmware with no difference, so I have gone back to 7.20.6 arm64.

Does anybody have any useful thoughts/comments?

I have taken ports ether5-7 out of the defconf bridge and added them as members of a new br_lan bridge.

(The MAC address chosen is from my ether7.)

/interface bridge add admin-mac=04:F4:1C:61:4D:88 auto-mac=no name=br_lan vlan-filtering=yes
/interface bridge port
add bridge=br_lan comment=defconf interface=ether5
add bridge=br_lan comment=defconf interface=ether6
add bridge=br_lan comment=defconf interface=ether7

Using br_lan, I created vlan2005 and assigned some IPs.

/interface bridge vlan
add bridge=br_lan tagged=br_lan,ether7,ether6,ether5 vlan-ids=2005
/interface vlan
add comment=v2005-GW interface=br_lan name=v2005 vlan-id=2005
/ip address
add address=10.8.99.240/24 interface=br_lan network=10.8.99.0
add address=10.8.5.240/24 interface=v2005 network=10.8.5.0

I have also added both br_lan and v2005 to the LAN interface list.

/interface list member
add interface=br_lan list=LAN
add interface=v2005 list=LAN

Now, plugged into ether7 without VLAN tagging, I can access WebFig via HTTP at 10.8.99.240. BUT I cannot access it when I am tagged with VLAN 2005 (HTTP to 10.8.5.240).

10.8.5.240 is pingable. The HTTP server is up: I can telnet to port 80 on it and, e.g., talk HTTP. But if I try to access WebFig, the connection just hangs; the router doesn't display a login page.

Not necessarily related to your issues, but there are a lot of reports of various WebFig connection issues since 7.20.x (up to 7.19.6 it should work normally).

Any reason why you cannot use Winbox?

We almost never use Winbox. The RouterOS settings are accessed via HTTP, HTTPS or, if we're feeling particularly insane, SSH.

Typically we're using macOS to manage these things...

... but to update, I have just now downgraded to 7.19.6; same behaviour, the router can't be administered using vlan2005 on port ether7. WebFig just times out, and Winbox won't log in either.

I can ping the v2005 IP address, 10.8.5.240, so it's carrying traffic.

If I re-enable untagged traffic, I can access the admin page using br_lan (vlan1) - 10.8.99.240.

In the fullness of time, we're intending to put br_lan across all interfaces and take the internet feed in via port ether8, but that's another story. We were hoping not to present untagged ports to the LAN for this installation.

You could (should) try Winbox (good ol' version 3 under WINE if you have time to configure it) or the current v4 (beta), which also comes in a "native" Macintosh version. As I see it, the issue could be either:

  1. a specific issue with Webfig on VLAN
  2. is a generic issue that prevents access to any management tool through VLAN

In both cases you should open a support ticket; for #1 (IMHO) there is very little chance of having it fixed quickly, while #2 could be a more serious bug and (still IMHO) is likely to get a higher priority.

Thanks, I've opened a support ticket. I think it's probably (1).

I am able to SSH over my VLAN 2005 tagged interface.

But it won't let me connect if I want to use WebFig or Winbox. So maybe there's a bug preventing those services from running on top of a VLAN interface.

I have simplified the config to just have bridge br_lan and the VLAN interface, and nothing else:

# 2025-12-03 12:21:32 by RouterOS 7.20.6
# software id = XXXX-XXXX
#
# model = RB5009UG+S+
# serial number = XXXXX
/interface bridge
add admin-mac=04:F4:1C:61:4D:88 auto-mac=no name=br_lan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1596
set [ find default-name=ether2 ] l2mtu=1596
set [ find default-name=ether3 ] l2mtu=1596
set [ find default-name=ether4 ] l2mtu=1596
set [ find default-name=ether5 ] l2mtu=1596
set [ find default-name=ether6 ] l2mtu=1596
set [ find default-name=ether7 ] l2mtu=1596
set [ find default-name=ether8 ] comment=WAN l2mtu=1596
set [ find default-name=sfp-sfpplus1 ] disabled=yes l2mtu=1596
/interface pppoe-client
add add-default-route=yes comment="WAN via PPPoE" interface=ether8 name=pppoe-out1 user=user@notyetactive.com
/interface vlan
add comment=v2005-GW interface=br_lan name=v2005 vlan-id=2005
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/disk settings
set auto-media-interface=*B auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=br_lan interface=ether2
add bridge=br_lan interface=ether3
add bridge=br_lan interface=ether4
add bridge=br_lan interface=ether5
add bridge=br_lan interface=ether6
add bridge=br_lan interface=ether7
add bridge=br_lan interface=ether1
add bridge=br_lan interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=br_lan tagged=br_lan,ether7,ether6,ether5,ether4,ether3,ether2,ether1,sfp-sfpplus1 vlan-ids=2005
/interface list member
add comment=WAN interface=ether8 list=WAN
add interface=br_lan list=LAN
add interface=v2005 list=LAN
add comment=WAN interface=pppoe-out1 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=sfp-sfpplus1 list=LAN
/ip address
add address=10.8.99.240/24 interface=br_lan network=10.8.99.0
add address=10.8.5.240/24 interface=v2005 network=10.8.5.0
/ip dhcp-client
# Interface not active
add comment="WAN via DHCP" default-route-tables=main interface=ether8
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
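As an added example (not from the post above and not MikroTik code), here is a small Python checker for an export like the one just posted. It tests the four things a VLAN interface on a bridge needs before management over it can work at all: the bridge has vlan-filtering on (otherwise the bridge VLAN table is ignored), the bridge itself is a tagged member of the VLAN (otherwise the CPU never sees those frames), the VLAN interface is in the interface list protected by the input chain's "drop all not coming from LAN" rule, and the interface carries an address. The first embedded export is trimmed from the post above; the second is a constructed one with two classic mistakes. For the posted export all four checks pass, so this checklist does not explain the hang. The parser, the function names and the finding texts are the example's own.

```python
"""Check a RouterOS export for what a VLAN interface on a bridge needs to be manageable.

Added example, not MikroTik code. Encodes four RouterOS facts:
  - with vlan-filtering=yes the bridge VLAN table decides which tags reach which port;
  - the CPU only receives a VLAN when the bridge itself is a tagged member of it;
  - the default firewall drops input traffic from interfaces outside the LAN list;
  - a VLAN interface is only reachable when it carries an address.
"""
import shlex
from typing import Dict, List, Optional

Sections = Dict[str, List[Dict[str, str]]]


def parse_export(text: str) -> Sections:
    """Map each '/path' header to the key=value entries of its 'add' lines."""
    sections: Sections = {}
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
            continue
        words = shlex.split(line)          # honours the "..." quoting RouterOS uses
        if path is None or not words or words[0] != "add":
            continue                       # 'set' lines carry nothing these checks need
        entry: Dict[str, str] = {}
        for word in words[1:]:
            key, _, value = word.partition("=")
            entry[key] = value
        sections[path].append(entry)
    return sections


def _vid_in(vid: str, spec: str) -> bool:
    """vlan-ids may be a single id or a list with ranges, e.g. '10,20-29'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if part == vid or (hi and int(lo) <= int(vid) <= int(hi)):
            return True
    return False


def check_vlan_management(s: Sections, mgmt_list: Optional[str] = None) -> List[str]:
    """Return a finding per requirement a bridge VLAN interface fails to meet."""
    bridges = {b["name"]: b for b in s.get("/interface bridge", []) if "name" in b}
    members = {(m.get("interface"), m.get("list")) for m in s.get("/interface list member", [])}
    addressed = {a.get("interface") for a in s.get("/ip address", [])}
    if mgmt_list is None:                  # which list does the input chain's catch-all drop trust?
        for rule in s.get("/ip firewall filter", []):
            if (rule.get("chain") == "input" and rule.get("action") == "drop"
                    and rule.get("in-interface-list", "").startswith("!")):
                mgmt_list = rule["in-interface-list"][1:]
    findings: List[str] = []
    for v in s.get("/interface vlan", []):
        name, parent, vid = v.get("name", "?"), v.get("interface", ""), v.get("vlan-id", "")
        bridge = bridges.get(parent)
        if bridge is None:
            continue                       # VLAN on a plain port: bridge VLAN table does not apply
        if bridge.get("vlan-filtering") != "yes":
            findings.append(f"{name}: {parent} has vlan-filtering off, bridge VLAN table is ignored")
        elif not any(e.get("bridge") == parent and _vid_in(vid, e.get("vlan-ids", ""))
                     and parent in e.get("tagged", "").split(",")
                     for e in s.get("/interface bridge vlan", [])):
            findings.append(f"{name}: {parent} is not a tagged member of VLAN {vid}, CPU never sees it")
        if mgmt_list and (name, mgmt_list) not in members:
            findings.append(f"{name}: not in interface list {mgmt_list}, input chain drops its traffic")
        if name not in addressed:
            findings.append(f"{name}: no IP address configured on it")
    return findings


POSTED_EXPORT = """\
# trimmed from the export posted in the thread
/interface bridge
add admin-mac=04:F4:1C:61:4D:88 auto-mac=no name=br_lan vlan-filtering=yes
/interface vlan
add comment=v2005-GW interface=br_lan name=v2005 vlan-id=2005
/interface bridge port
add bridge=br_lan interface=ether5
add bridge=br_lan interface=ether6
add bridge=br_lan interface=ether7
/interface bridge vlan
add bridge=br_lan tagged=br_lan,ether7,ether6,ether5 vlan-ids=2005
/interface list member
add interface=br_lan list=LAN
add interface=v2005 list=LAN
/ip address
add address=10.8.99.240/24 interface=br_lan network=10.8.99.0
add address=10.8.5.240/24 interface=v2005 network=10.8.5.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

BROKEN_EXPORT = """\
# constructed: bridge itself missing from tagged=, VLAN interface missing from LAN
/interface bridge
add name=br_lan vlan-filtering=yes
/interface bridge vlan
add bridge=br_lan tagged=ether5,ether6 vlan-ids=2005
/interface vlan
add interface=br_lan name=v2005 vlan-id=2005
/interface list member
add interface=br_lan list=LAN
/ip address
add address=10.8.5.240/24 interface=v2005 network=10.8.5.0
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

if __name__ == "__main__":
    for label, export in (("posted", POSTED_EXPORT), ("constructed", BROKEN_EXPORT)):
        print(label, check_vlan_management(parse_export(export)) or ["ok"])
```

Paste a full /export into POSTED_EXPORT to run it against a real box; the checker only reads the sections it needs and ignores the rest.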

Further information I find kind of interesting: it might not just be isolated to VLAN interfaces on a bridge.

I removed my ether7 from the br_lan bridge to become a standalone interface. I added ether7 to an interface list called INFRA and gave it a static IP address on a new internal /24 network.

Firewall rules were created in the input chain explicitly to allow all traffic from any to any on INFRA.

Now, when plugged into ether7 and using my INFRA subnet, I still couldn't bring up WebFig or Winbox to the router's IP.

It looks like the HTTP server is listening and is reachable via telnet and manual HTTP commands, but the application that processes HTTP and the Winbox API won't start; it just hangs when I write a "GET / HTTP/1.1" command.
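The "pingable, port 80 accepts, nothing comes back" observation in this post and in the first one is a layered check worth automating. What follows is an added example, not from the thread: a Python probe that reports whether a management port refuses the connection, is filtered, completes the TCP handshake but never answers, or returns an HTTP status line. It deliberately sends a complete HTTP/1.1 request (Host header plus the terminating blank line), because a server that has received only "GET / HTTP/1.1" and a newline is, by the protocol, still waiting for the rest of the headers, and that wait is indistinguishable from a hang in a telnet session; sending the full request removes that ambiguity before blaming the application. ICMP is left to the ping already run (raw sockets need privileges). The two loopback stand-in servers are constructed for the demo; the 10.8.5.240 default in the usage line is the address from the thread.

```python
"""Stage a probe of a router's HTTP management port: transport vs. application.

Added example, not from the thread. Distinguishes TCP-level outcomes from an
application that actually answers a complete request.
"""
import socket
import sys
import threading
from typing import Optional


def probe_http(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Classify a management endpoint.

    refused     - SYN answered with RST: nothing listening, or a reject rule
    unreachable - SYN never answered: filtered/dropped, no route, or no DNS
    tcp_only    - handshake done, full request sent, no byte came back in time
    closed      - handshake done, peer closed without answering
    http_reply  - a status line came back (inspect the code separately)
    non_http    - something answered, but not with an HTTP status line
    """
    # A complete request: HTTP/1.1 requires Host, and the blank line ends the headers.
    request = (f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: mgmt-probe\r\n"
               "Connection: close\r\n\r\n").encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "unreachable"
    with sock:                              # create_connection leaves `timeout` set on it
        sock.sendall(request)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return "tcp_only"
    if not data:
        return "closed"
    return "http_reply" if data.startswith(b"HTTP/") else "non_http"


def start_local_server(reply: Optional[bytes]) -> int:
    """Constructed stand-in for the router: accept one client, then either answer
    with `reply` or stay silent until the client gives up. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with srv, conn:
            conn.settimeout(10)
            try:
                conn.recv(4096)             # consume the probe's request
                if reply is not None:
                    conn.sendall(reply)
                else:
                    conn.recv(4096)         # say nothing; returns once the client closes
            except OSError:
                pass

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_local_port() -> int:
    """A loopback port with no listener, for the 'refused' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.8.5.240"   # address from the thread
    print(f"{target}:80 -> {probe_http(target)}")
```

Run it once from an untagged port and once from the tagged VLAN; a "tcp_only" from one and "http_reply" from the other isolates the problem to what happens after the handshake on that path, which is the information a support ticket needs.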