Issues with Bridge VLAN Filtering setup

Hi,

I’m trying to get Bridge VLAN Filtering to work in a fairly simple setup that consists of a hEX and two Ubiquiti nanoHD, but for some reason I can’t pull this off. I have tried to replicate the setup used in the documentation (https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering under VLAN Example - Trunk and Hybrid Ports) in order to allow untagged (VLAN 1) and tagged (VLAN 11) traffic between my access points and router. VLAN 1 flows accordingly, but not VLAN 11.

I would be grateful if anyone could help me out. Thanks in advance!
01.jpg
02.jpg

/interface vlan
add interface=bridge name=vlan11 vlan-id=11

/interface bridge
add ingress-filtering=yes name=bridge vlan-filtering=yes

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/interface bridge vlan
add bridge=bridge tagged=ether2,ether3,bridge vlan-ids=11

/ip address 
add address=192.168.11.254/26 interface=bridge network=192.168.11.192
add address=10.0.0.1/26 interface=bridge network=10.0.0.0

You need to tag your bridge under vlan 1 instead of untagged.

Once I go VLANs, I go full VLAN!!
vlan1 should not be used, as it is implied working in the background.
Sorry for the guessing, but your post lacks useful information…

/interface vlan
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan10 vlan-id=10
/interface bridge
add name=bridge vlan-filtering=yes

/interface bridge port
add bridge=bridge interface=ether2 pvid=10 {hybrid port}
add bridge=bridge interface=ether3 pvid=10 {hybrid port}
add bridge=bridge interface=ether4 pvid=10 {access port}
add bridge=bridge interface=ether5 pvid=11 {access port}

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 untagged=ether5 vlan-ids=11
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=10

/ip address
add address=192.168.11.254/26 interface=vlan11 network=192.168.11.192
add address=10.0.0.1/26 interface=vlan10 network=10.0.0.0

Hehe! I haven’t tried to go full VLAN yet, but shouldn’t my setup be sufficient for what I’m trying to achieve? What information is missing?


Like this? This doesn’t work.

What are your firewall rules? Can you run:

/ip/firewall/filter export

Only the default:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

Great for default setup but once you add stuff, one should really modify.
https://forum.mikrotik.com/viewtopic.php?t=180838

Without seeing the whole export, this is only a guess. You didn’t add vlan11 to the LAN interface list. I think your original vlan setup looks like it should work. The bridge interface is sending untagged traffic over the “internal trunk link” to the integrated switch ASIC (assuming you have the RB750Gr3). And that means that the 02.jpg config is correct, and the 03.jpg config is incorrect. Because you don’t have a vlan1 interface, and the vlan interface is what adds a vlan tag on egress and removes the tag on ingress. In other words, the “port on the switch-asic that is connected to the CPU” normally has pvid=1 and expects traffic from vlan 1 to be untagged, not tagged as was hinted by this post.

When I first got my hEX S, and before playing with the vlan-filtering bridge, I removed ether5 from the bridge to have a safe place to work from (so I wouldn’t saw off the branch I was sitting on). However, even though I could get an ip address from the ether5 interface, I could not get things to work.

The fact that I was able to get an ip address via DHCP tricked me into thinking the firewall was allowing access, but DHCP gets access before the firewall.

Here’s the post where I described the problem, and this is the “extracted portion”:

I removed ether5 from the bridge, added an ip address, and dhcp server, but I was still locked out from ether5, even though I was able to get an ip address from the dhcp server. The problem was that I hadn’t added ether5-LAN1 to the LAN interface list, and the default firewall blocks all input to the router if it is not coming from the LAN interface list. After I added ether5-LAN1 to the LAN interface list, I was able to log in from the “emergency access port”, and now I am ready to start playing with adding vlans to the bridge.

Here is another thread you may find interesting.

And this and the post following it are my interpretations (what I would change in @sindy’s excellent RouterOS bridge mysteries explained post).
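The diagnosis above comes down to three things that can be checked mechanically against an export: whether the bridge itself is a tagged member of every VLAN that has an /interface vlan on it, whether each port's untagged membership agrees with its pvid, and whether every VLAN interface is in the LAN interface list that the default firewall's input chain requires. The following Python script is an added example, not code from this thread or from MikroTik, that parses those export sections and reports the mismatches. The sample export embeds the original poster's configuration from the thread; the `/interface list member` section in it is constructed (the OP did not post one) so that the missing-LAN case shows up, and the check names and messages are this example's own.

```python
"""Lint a RouterOS export for common bridge-VLAN-filtering mistakes.

Added example (not code from this thread or from MikroTik). It reads the
'/interface bridge', '/interface bridge port', '/interface bridge vlan',
'/interface vlan' and '/interface list member' sections of an export and
reports three things the thread turns on:
  1. an /interface vlan sits on the bridge but the bridge itself is not a
     tagged member of that VLAN, so the CPU never sees the tagged frames;
  2. a port is an untagged member of a VLAN whose id differs from the
     port's pvid, so ingress and egress land in different VLANs;
  3. an /interface vlan is missing from the LAN interface list, which the
     default firewall's input chain requires ("drop all not coming from LAN").
"""
import re
import shlex

# Sample input: the original poster's configuration from the thread, plus a
# constructed '/interface list member' section with only the bridge in LAN.
SAMPLE_EXPORT = """\
/interface bridge
add ingress-filtering=yes name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan11 vlan-id=11
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface bridge vlan
add bridge=bridge tagged=ether2,ether3,bridge vlan-ids=11
/interface list member
add interface=bridge list=LAN
"""


def parse_export(text):
    """Map each '/section' header to the list of its 'add' entries as dicts.
    Lines ending in a backslash (as in the firewall export) are joined first."""
    text = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            entry = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                entry[key] = value
            sections[current].append(entry)
    return sections


def _csv(value):
    """Split a comma-separated RouterOS list; empty string -> empty list."""
    return [v for v in value.split(",") if v]


def lint_bridge_vlans(text):
    """Return a list of human-readable findings (empty list means clean)."""
    s = parse_export(text)
    findings = []
    bridges = s.get("/interface bridge", [])
    ports = s.get("/interface bridge port", [])
    vlan_entries = s.get("/interface bridge vlan", [])
    vlan_ifaces = s.get("/interface vlan", [])
    members = s.get("/interface list member", [])

    # Static tagged/untagged membership per VLAN id.
    tagged, untagged = {}, {}
    for e in vlan_entries:
        for vid in _csv(e.get("vlan-ids", "")):
            tagged.setdefault(vid, set()).update(_csv(e.get("tagged", "")))
            untagged.setdefault(vid, set()).update(_csv(e.get("untagged", "")))

    # pvid of every port; the bridge's own pvid is its CPU-port pvid. Default is 1.
    pvid = {p["interface"]: p.get("pvid", "1") for p in ports}
    pvid.update({b["name"]: b.get("pvid", "1") for b in bridges})

    # Check 1: a VLAN interface on the bridge needs the bridge tagged in that VLAN.
    for vi in vlan_ifaces:
        parent, vid = vi.get("interface"), vi.get("vlan-id")
        if parent in pvid and parent not in tagged.get(vid, set()):
            findings.append(f"{vi['name']}: bridge '{parent}' is not a tagged member of vlan {vid}")

    # Check 2: untagged membership must agree with the port's pvid.
    for vid, port_set in untagged.items():
        for port in sorted(port_set):
            if port in pvid and pvid[port] != vid:
                findings.append(f"{port}: untagged in vlan {vid} but pvid is {pvid[port]}")

    # Check 3: every VLAN interface must be in the LAN list for the default firewall.
    lan = {m["interface"] for m in members if m.get("list") == "LAN"}
    for vi in vlan_ifaces:
        if vi["name"] not in lan:
            findings.append(f"{vi['name']}: not in interface list LAN, default firewall drops its input")
    return findings


if __name__ == "__main__":
    for finding in lint_bridge_vlans(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Run against the thread's configuration the only finding is the missing LAN-list membership for vlan11, which matches the guess in the post above; the second poster's full-VLAN configuration passes checks 1 and 2 and would only be flagged for whatever VLAN interfaces are absent from the LAN list. Feed it the output of `/export` (the parser joins the backslash-continued lines the firewall export uses) rather than hand-typed fragments.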