MAC based VLAN rules aren't applied on CRS326-24G-2S+RM

Hi guys,

I have a problem with using the MAC based VLAN feature on my CRS326-24G-2S+RM.

My setup is the following:
‘dhcp-server5-guest’ listens on the ‘vlan32-guest’ VLAN interface (VLAN-ID=32) created on top of the ‘br0-local’ bridge (PVID=30).
Behind one of the access ports, ‘eth24-mgmt’ (PVID=99), is a WiFi router (3C:97:0E:56:E6:5C) which should be automatically assigned to the GUEST VLAN (VLAN-ID=32).

Current result: DHCP requests from the WiFi router go to the VLAN-ID=99 network and finally reach the wrong DHCP server.
Expected result: Once an incoming packet from the WiFi router enters the ‘eth24-mgmt’ port, the port’s default PVID=99 gets overridden by the switch rule, and the packet is assigned the VLAN-ID=32 tag and forwarded to the GUEST VLAN. Packets from other hosts behind the ‘eth24-mgmt’ port are marked with the VLAN-ID=99 tag.

Any suggestions appreciated. Thank you.

Configuration details can be found below:

[admin@crs] > /system resource print       
                   uptime: 2h2m16s
                  version: 6.44.2 (stable)
               build-time: Apr/01/2019 12:47:57
        ...
               board-name: CRS326-24G-2S+
                 platform: MikroTik

[admin@crs] > /system package print  
Flags: X - disabled 
 #   NAME                                                                       VERSION                                                                       SCHEDULED              
 0   routeros-arm                                                               6.44.2                                                                                               
 1   system                                                                     6.44.2                                                                                               
 2 X ipv6                                                                       6.44.2                                                                                               
 3 X wireless                                                                   6.44.2                                                                                               
 4 X hotspot                                                                    6.44.2                                                                                               
 5 X mpls                                                                       6.44.2                                                                                               
 6 X routing                                                                    6.44.2                                                                                               
 7   ppp                                                                        6.44.2                                                                                               
 8   dhcp                                                                       6.44.2                                                                                               
 9   security                                                                   6.44.2                                                                                               
10   advanced-tools                                                             6.44.2 

[admin@crs] > /interface ethernet switch rule print detail 
Flags: X - disabled, I - invalid, D - dynamic 
 0    switch=switch1 ports=eth24-mgmt src-mac-address=3C:97:0E:56:E6:5C/FF:FF:FF:FF:FF:FF copy-to-cpu=no redirect-to-cpu=no mirror=no new-vlan-id=32
 
[admin@crs] > /interface bridge vlan print detail 
Flags: X - disabled, D - dynamic 
 0   ;;; MGMT private segment
     bridge=br0-local vlan-ids=99 tagged=br0-local,bond0-multivan untagged="" current-tagged=br0-local,bond0-multivan current-untagged=eth5-multivan-ipmi,eth24-mgmt 
...
 5   ;;; GUEST private segment
     bridge=br0-local vlan-ids=32 tagged=br0-local untagged=eth24-mgmt current-tagged=br0-local current-untagged=eth23,eth24-mgmt   

[admin@crs] > /interface bridge port print detail 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 0   H interface=eth24-mgmt bridge=br0-local priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=99 frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes 
       tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no

[admin@crs] > /interface bridge print detail 
Flags: X - disabled, R - running 
 0 R name="br0-local" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=64:D1:54:D8:7B:72 protocol-mode=none fast-forward=yes igmp-snooping=no auto-mac=no 
     admin-mac=64:D1:54:D8:7B:72 ageing-time=5m vlan-filtering=yes ether-type=0x8100 pvid=30 frame-types=admit-all ingress-filtering=no dhcp-snooping=no
     
 5 R name="vlan32-guest" mtu=1500 l2mtu=1588 mac-address=64:D1:54:D8:7B:72 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
     loop-protect-disable-time=5m vlan-id=32 interface=br0-local use-service-tag=no

Hi,

I have tried to set 'pvid=1' for the access port from my example (eth24-mgmt), as suggested by a guy from the Russian MikroTik chat in Telegram, but it didn't change the situation much; the switch rule is still ignored and overridden by the port's pvid.

I have also made several packet sniffs on the 'br0-local' bridge; Wireshark displayed all packets tagged with VLAN tag 99.

The only place where VLAN tag 32 is observed is:
[admin@crs] /> /interface bridge host print where mac-address=3C:97:0E:56:E6:5C
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external
       MAC-ADDRESS        VID ON-INTERFACE BRIDGE    AGE
 0 D E 3C:97:0E:56:E6:5C   92 eth24-mgmt   br0-local
 1 D   3C:97:0E:56:E6:5C   99 eth24-mgmt   br0-local 37s

However, the host entry for VID 99 is continuously updating...

I have asked my colleagues who are using the CRS326-24G-2S+RM on RoS 6.41.2, and it seems that a similar scenario (RouterOS - RouterOS - MikroTik Documentation) works as expected.

Is it a RoS code logic regression?

JFH:

From [Ticket#2019050122001921]

Unfortunately, it seems that MAC-based VLAN setup is not possible when packets are forwarded to switch CPU port (bridge),
it works as expected when forwarding between switch ports. We will see if this could be improved in further RouterOS versions, but I cannot provide any ETA yet.
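
An added example (not part of the thread and not MikroTik code): a Python check that parses raw Ethernet frames, such as those exported from a sniff on 'br0-local', and reports every source MAC seen with an 802.1Q VLAN ID other than the expected one. The frames are constructed inline to mirror the symptom reported above; the second host MAC 02:00:00:00:00:01 and all function names are assumptions.

```python
import struct
from collections import defaultdict

TPID_8021Q = 0x8100  # same value as ether-type=0x8100 on br0-local

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(src, vid=None, dst="FF:FF:FF:FF:FF:FF", ethertype=0x0800):
    """Constructed test frame: optional 802.1Q tag, EtherType, dummy payload."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return mac_bytes(dst) + mac_bytes(src) + tag + struct.pack("!H", ethertype) + b"\x00" * 46

def parse_vid(frame):
    """Return (src_mac, vid); vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = ":".join(f"{b:02X}" for b in frame[6:12])
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return src, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return src, tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID

def vids_by_mac(frames):
    """Map each source MAC to the set of VLAN IDs it was seen with."""
    seen = defaultdict(set)
    for frame in frames:
        src, vid = parse_vid(frame)
        seen[src].add(vid)
    return dict(seen)

def misclassified(frames, expected):
    """expected: {mac: vid}. Return {mac: [unexpected vids]} for mismatches only."""
    seen = vids_by_mac(frames)
    result = {}
    for mac, want in expected.items():
        bad = seen.get(mac, set()) - {want}
        if bad:
            result[mac] = sorted(bad, key=lambda v: -1 if v is None else v)
    return result

ROUTER = "3C:97:0E:56:E6:5C"   # WiFi router MAC from the switch rule
OTHER = "02:00:00:00:00:01"    # constructed MAC for another host on eth24-mgmt
# Constructed capture mirroring the report: every frame arrives tagged 99.
SAMPLE = [build_frame(ROUTER, 99), build_frame(ROUTER, 99), build_frame(OTHER, 99)]
EXPECTED = {ROUTER: 32, OTHER: 99}

if __name__ == "__main__":
    print(misclassified(SAMPLE, EXPECTED))
```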