Issue with PVID and untagged ports.

RouterOS Beginner Basics
1

Hello!
This is my first time with RouterOS, always used OpenWRT, so please excuse me if i have done some mistakes, which i probably did.

My idea is to have, on my router (RB5009), various isolated VLANs for different classes of devices. So far i am just testing out with one VLAN for now.

I have followed this guide: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Adapting from the RouterSwitchAP.rsc config, but without the Wi-Fi part (since the rb5009 has not wifi).

I have a bridge for all ports which are also on the hardware switch. On most ports i have not defined any VLAN and PVID is = 1.
I have created a vlan (93) on bridge, along with a DHCP server and dedicated subnet.

/interface vlan
add comment=IoT interface=bridge name=vlan_iot vlan-id=93
/ip dhcp-server
add address-pool=pool_iot interface=vlan_iot name=dhcp1

When I use non-VLAN aware devices on the ports, they correctly use the DHCP server and network i defined on the bridge directly.
When i use VLAN aware devices and set the VLAN to 93, then i correctly get an IP from the DHCP server running on vlan_poe.

I would like to configure two access ports so that my cameras can access the VLAN. These are non-VLAN aware devices, so i:

  • added PVID = 93 to the ports (so that outbound packets with 93 are stripped of the vlan)
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6_iot pvid=93
  • added VLAN 93 to the bridge, untagged = access ports, tagged = bridge (so that inbound packets from those ports are tagged with 93)
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether5_iot,ether6_iot vlan-ids=93

However, on these access ports all traffic seems to be dropped. TORCH sees some 802.11 frames and that’s it, every packet has no response, so the only way to access the VLAN is to explicitly tag the packets.

What am i doing wrong?

Attached is my full config (redacted of private things)
rb5009.rsc (10.2 KB)

2

Hi, there is no need of setting untagged ports in the Bridge VLAN table because they are added dynamically due to the pvid. If you want to use VLAN 93 on all of the other ports in the bridge, you could make them trunk ports, so that VLAN aware devices can use the VLAN and the rest of the devices use the pre-defined address on the bridge through VLAN 1:

/interface bridge set bridge vlan-filtering=no

/interface bridge vlan
remove [find untagged=ether5_iot,ether6_iot]
set [find tagged=bridge] tagged=bridge,ether3,ether4,ether7,ether8

/interface bridge set bridge vlan-filtering=yes
3

Not putting the untagged ports especially when learning how to setup vlans is not recommended.
Even with much experience I still prefer to put them in as whenever I do an export of the config they are visible and easy to cross check with bridge ports.
Many times a misconfigured config for vlans is harder to discern when people dont untagg.
Also when doing the config they forget for pvids that are untagged, that they still need to be tagged to the bridge (even if there are no tagged ports for that vlan id ).

Once you go vlans, dont mix and match gets confusing.
So create all the special vlans you need but also include the HOME vlan which is typically untagged on ports as they are going to home PCs for example.
So bridge just does bridging no dhcp services etcc…

4

Yes i know, but i added them anyway since they didn’t show up in /export and i was not 100% sure those rules were applied.


If you want to use VLAN 93 on all of the other ports in the bridge, you could make them trunk ports, so that VLAN aware devices can use the VLAN and the rest of the devices use the pre-defined address on the bridge through VLAN 1

The plan is to have every subnet inside of a VLAN, so that untagged packets do not get any kind of answer at all. However, I don’t want to disrupt the network and this is why I am in this sort of hybrid setup.


See above.

However, the setup i have posted does not seem to work (no vlan traffic at all on the untagged ports). And i don’t understand what’s wrong :\

5

Did you follow @TheCat12’s instructions and try to run the commands they posted? I think they already provided you with the working solution. Under /interface bridge vlan you have two entries for the same vlan-ids=93. You should remove the 2nd one. You can add untagged=ether5_iot,ether6_iot to the first entry if you wish (it’s not necessary).

6

Oh! I did but i forgot to commit (i had safe mode enabled and forgot to disable it)

So now:

  • VLAN 1, no tagged, untagged = bridge, ether4/7/8
  • VLAN 93, tagged bridge, ether4/7/8, untagged ether 5/6

And indeed now it works! But still, i don’t understand what was the missing piece - untagging ports on VLAN 1 or tagging every other port on VLAN 93?
Since I had already tried to tag the bridge and untag the ethernet ports i wanted in one single rule, but that still did not work.

7

From my experience, if you don’t have the need to have VLAN 93 tagged on the other ports, and only need to use it as untagged on ether5 and ether6, just this entry is enough

/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=93

Provided that pvid=93 is already set under /interface bridge port for ether5 and ether6. You can optionally add untagged=ether5_iot,ether6_iot to that SAME entry (not a separate entry) for clarity, but this is not a requirement. And of course, if you need VLAN 93 tagged for other ports then you need to add them, but also to the same entry.

The VLAN entry for ID 1 under /interface bridge vlan is normally dynamically created by RouterOS and you shouldn’t manually edit it. Your original export didn’t work because it had two entries for the same vlan-ids=93.

8

This was the last final try before posting here. Otherwise, I just had one rule and it didn’t work.
The VLAN entry under ID 1 was not created, or at least, it was not visible in Winbox.