Issue with bridge vlan filtering

Hi,

I’m trying to set up an rb5009 for VLANs and inter-VLAN routing using bridge VLAN filtering. My laptop is connected to ether1, and ether7 is a trunk to an older hex r3, which is running the DHCP server and also routing at the moment. I’m able to get an IP from DHCP for my laptop through the access port, but for some reason I’m not able to add an IP to the router from the same VLAN (later to be used as the gateway). Any ideas what I’m doing wrong?

 /interface/bridge/print
Flags: X - disabled, R - running
 0 R name="vlan-bridge" mtu=auto actual-mtu=1500 l2mtu=1514 arp=enabled
     arp-timeout=auto mac-address=DC:2C:6E:43:E2:A4 protocol-mode=rstp
     fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m
     priority=0x8000 max-message-age=20s forward-delay=15s
     transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1
     frame-types=admit-all ingress-filtering=yes dhcp-snooping=no

 /interface/bridge/port/print
Flags: H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#   INTERFACE  BRIDGE       HW   PVID  PRIORITY  PATH-COST  IN  HORIZON
0 H ether1     vlan-bridge  yes    14  0x80             10  10  none
..
3 H ether7     vlan-bridge  yes     1  0x80             10  10  none

/interface/bridge/vlan/print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE       VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   vlan-bridge        14  ether7          ether1
..
4 D vlan-bridge         1                  vlan-bridge
                                           ether7

 /interface/vlan/print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
#   NAME     MTU  ARP      VLAN-ID  INTERFACE
0 R vlan14  1500  enabled       14  vlan-bridge

/ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS             NETWORK        INTERFACE
1   192.168.84.2/24     192.168.84.0   vlan-bridge
2   192.168.14.10/24    192.168.14.0   vlan14
 
/ping 192.168.14.1
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.14.1                                                 timeout
    1 192.168.14.1                                                 timeout
    2 192.168.14.1                                                 timeout
    3 192.168.14.10                              84  64 154ms54us  host unreachable
    sent=4 received=0 packet-loss=100%

The same from my laptop (which was connected to ether1 on the rb5009):

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : ..
   IPv4 Address. . . . . . . . . . . : 192.168.14.197
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.14.1
   
 C:\WINDOWS\system32>ping 192.168.14.1

Pinging 192.168.14.1 with 32 bytes of data:
Reply from 192.168.14.1: bytes=32 time<1ms TTL=64
Reply from 192.168.14.1: bytes=32 time<1ms TTL=64
Reply from 192.168.14.1: bytes=32 time<1ms TTL=64
Reply from 192.168.14.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.14.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

What am I missing? Why can’t that VLAN interface reach the gateway or my laptop, and vice versa? Any ideas, anyone? I would say that the VLAN configuration on the bridge side has to be OK, as the access port for the laptop works fine, but what am I missing on the VLAN-interface side?

Thank you for your help and sorry about the bad English.

The vlan-bridge interface must be listed as tagged for vlan 14 in /interface/bridge/vlan.
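The check described in this reply, as an added example that is not from either poster: a Python audit of `/export`-style text that reports VLAN interfaces whose parent VLAN-filtering bridge is not a tagged member of their VLAN. The sample config is constructed from the first post's print output, and the function names are hypothetical.

```python
import re

# Constructed /export-style sample of the first post's state: bridge not tagged for VLAN 14.
BEFORE = """\
/interface bridge
add name=vlan-bridge vlan-filtering=yes
/interface vlan
add interface=vlan-bridge name=vlan14 vlan-id=14
/interface bridge vlan
add bridge=vlan-bridge tagged=ether7 untagged=ether1 vlan-ids=14
"""
# Same config with the fix from the reply: the bridge itself is a tagged member.
AFTER = BEFORE.replace("tagged=ether7", "tagged=ether7,vlan-bridge")

def parse_export(text):
    """Return {menu path: [{key: value} per 'add' line]}; quoted values with spaces are not handled."""
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            menus.setdefault(menu, []).append(dict(re.findall(r"([\w.-]+)=(\S+)", line)))
    return menus

def vlan_ids(spec):
    """Expand a vlan-ids value such as '14' or '10,20-22' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def vlan_ifaces_missing_bridge_tag(text):
    """Names of VLAN interfaces whose parent bridge is not tagged for their VLAN ID."""
    menus = parse_export(text)
    filtering = {b["name"] for b in menus.get("/interface bridge", [])
                 if b.get("vlan-filtering") == "yes"}
    problems = []
    for v in menus.get("/interface vlan", []):
        bridge = v.get("interface")
        if bridge not in filtering:
            continue  # parent is not a VLAN-filtering bridge, nothing to check
        ok = any(e.get("bridge") == bridge and int(v["vlan-id"]) in vlan_ids(e["vlan-ids"])
                 and bridge in e.get("tagged", "").split(",")
                 for e in menus.get("/interface bridge vlan", []))
        if not ok:
            problems.append(v["name"])
    return problems
```
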

Thank you!

A few more issues in the same project, in case someone sees something weird in my configurations.

  1. I’m trying to move the DHCP server from the hex to the rb5009, but for some reason clients can’t reach the new server although the configurations should be quite identical. Everything works well as long as the server is enabled on the hex, but after I disable it there and keep only this one active, clients just hang in the “searching” state.

/ip dhcp-server
add address-pool=pool-vlan14 authoritative=after-2sec-delay disabled=no interface=vlan14 lease-time=4d name=dhcp-vlan14

/ip dhcp-server network
add address=192.168.14.0/24 dns-server=192.168.14.1 gateway=192.168.14.1

/ip pool
add name=pool-vlan14 ranges=192.168.14.120-192.168.14.254

/interface bridge
add name=vlan-bridge vlan-filtering=yes
/interface bridge port
add bridge=vlan-bridge interface=ether1 pvid=14

/interface bridge vlan
add bridge=vlan-bridge comment=vlan14 tagged=ether7,vlan-bridge vlan-ids=14

  2. I’m also trying to set up CAPsMAN (rb5009) with one Omnitik and a few hap ac3s as APs.

/caps-man configuration
add country=finland datapath.local-forwarding=yes .vlan-id=14 .vlan-mode=use-tag hide-ssid=yes name=Config_vlan14 security.authentication-types=wpa2-psk ssid=vlan14

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_vlan14

Provisioning the config to the APs works; I can see the SSID and also connect to it using the PSK, but can’t get an IP from the wlan (although the hex should provide a working DHCP server to that wlan, so this is probably also a VLAN issue). I tried to add the wlan interfaces as tagged ports to vlan-bridge, but it didn’t do the trick, so probably something else is also needed. Physical access ports on the APs work fine, so the trunk and VLANs in general should be OK.

/interface bridge
add name=vlan-bridge vlan-filtering=yes
/interface bridge port
add bridge=vlan-bridge ingress-filtering=no interface=ether1
add bridge=vlan-bridge interface=wlan1
/interface bridge vlan
add bridge=vlan-bridge comment=vlan14 tagged=ether1,vlan-bridge,wlan1 vlan-ids=14

Thank you in advance if somebody sees something weird in these configs!