Mikrotik RB2011UiAS Vlan tagging bridge

Hello everyone,

I have a Mikrotik RB2011UiAS (firmware v6.42.1) connected to an L3 switch D-Link DGS-3120 through a tagged trunk port. I configured the Mikrotik as described in the manual, VLAN Example #2 (Trunk and Hybrid Ports), which enables VLAN filtering.
I created a management port as described here for recovery purposes.
IP addresses for the created bridges and the default route were created too.

The problem is that the Mikrotik IP on bs-bridge1 (192.168.111.231) is inaccessible from outside its native subnet (192.168.111.0/24). When I try to ping other subnets from the Mikrotik's GUI (source bs-bridge1) it fails too. What do I need to do to make it work properly?

My config (conf.cfg.rsc) is attached.
Portbased-vlan2.png
conf.cfg.rsc (4.83 KB)

In /interface bridge vlan, you must add the bridge itself (in your case, bs-bridge1) to the list of tagged member ports of the bridge. The documentation states that but doesn't stress it, so it is easy to miss, especially as this is only necessary when you need a local interface in the VLAN, so in some example lines the bridge is not added as a tagged member of itself.

In case of vlan 111, you probably have to add the bridge itself as a non-tagged member.

As for access to subnets in the other two VLANs, if something else (the D-Link) is routing between them, it is enough as it is if you have a route towards the D-Link for these subnets; if not, you have to create an

/interface vlan name=vlanX vlan-id=X interface=bs-bridge1

for each of them and assign an IP address from the corresponding subnet to each of them.

Thank you very much for your reply, sindy.
I've just tried your advice. I've added bs-bridge1 to the tagged ports list with VLAN ID 111. Now I have 2 interfaces there (ether2 and bs-bridge1).
I rebooted the Mikrotik and cleared the MAC address table on the D-Link on the port where the Mikrotik is connected.

Now I cannot ping the Mikrotik IP (192.168.111.234) even from the native subnet. I tried to ping the Mikrotik from the uplink side and from access ports behind the Mikrotik. =(
Hosts behind the Mikrotik are still accessible in all VLANs.

It's very sad to see your updates after I changed my config. Okay, I'll try to change the bs-bridge1 membership from tagged to untagged.
Unfortunately that will have to wait until after the weekend.
Thank you very much for your help anyway!

Yes, I've edited my previous answer after reading more carefully what you wrote, and you may have missed the edit as you were writing your reply, but I still may have missed something. Plus there is a mystery around the meaning of the pvid parameter of the bridge itself which I haven't understood yet.

In short, the pvid in /interface bridge port determines how received tagless packets will be tagged before getting to the bridge.
So taking your configuration as an example:

/interface bridge port
add bridge=bs-bridge1 interface=ether2-master
add bridge=bs-bridge1 interface=ether1 pvid=111

tagless packets coming from outside via ether2 become tagged with VLAN ID 1 inside the bridge, and tagless packets coming from outside via ether1 become tagged with VLAN ID 111.

The IP address attached to the bridge itself works with tagless packets on the bridge. So if you want the packets from VLAN 111 to live inside the bridge tagged, you have to create an /interface vlan with vlan-id=111 using that bridge as a carrier interface, and attach the IP address 192.168.111.234 to that /interface vlan instead of to the bridge itself.

Now coming back to the pvid parameter of the bridge itself, it is possible that it interacts with the pvid parameters of member ports, but I have to do some tests. As you won't continue today, I have some time to do that :)

The idea is that possibly, if the pvid of the /interface bridge itself and the pvid of the /interface bridge port match, the tagless packets coming through that port do not get tagged when entering the bridge. But as said, I have to test that.

OK, so as not to confuse you any more by editing an existing post, I am writing a new one.

The role of the pvid attribute of a bridge remains a mystery to me, and so does the magic value of pvid=1 for /interface bridge port.

On 6.42.1 in particular (and likely in all earlier versions too),

  • regardless of what you set the bridge's pvid value to (1 or 200 in my test), the IP configuration attached to the bridge itself can be reached only by tagless packets,

  • if you set pvid=1 in /interface bridge port, tagless packets which come in through that port remain tagless on the bridge (while if you set pvid=200, the packets are sent to the bridge tagged with an 802.1Q tag with VID=200).

So for your scenario:

  • create

/interface vlan add name=vlan-one-one-one vlan-id=111 interface=bs-bridge1

  • move the IP address from the bridge to the vlan interface:

/ip address set [find address="192.168.111.231/24"] interface=vlan-one-one-one

  • keep the pvid values in your /interface bridge port items as they are,

  • keep bs-bridge1 on the tagged list of the vlan-ids=111 bridge=bs-bridge1 line in /interface bridge vlan.

That should be enough so that you can reach 192.168.111.231 via ether2 by tagged packets and via ether1 and the other ports by tagless packets.

Then, depending on whether you need IP addresses from the subnets of the other two VLANs on the Mikrotik itself or not, either replicate the settings above also for the other two VLANs, or remove bs-bridge1 from the member list of these vlan-ids in the /interface bridge vlan list (it may be harmless to keep it there but it may also mean some throughput reduction, I have no idea; in my view it should not be necessary at all, but for some reason it is if you want that VLAN to be accessible locally).

Hmm, I've created the vlan111 interface with your commands above. Now I can access my Mikrotik from the untagged inside ports (1 and 3-9) and from outside in vlan111 of my network. But I tried to ping 192.168.111.231 from my other subnets and it still doesn't work. Maybe I made a mistake?
My config is attached if needed.
Thank you very much for your help, sindy!
231.cfg.rsc (4.92 KB)

ADD:
I tried to access my Mikrotik from the Wi-Fi subnet (vlan177) of this device and it's not working either.

You have activated vlan-filtering on bs-bridge1. However, there is no direct path between the switch (sub)chip and the wireless (sub)chip, the packets between the two must be forwarded by the CPU.

This means that if you want to make a wireless interface a member of the same VLAN as some Ethernet ports, you must also add bs-bridge1 itself to the list of tagged ports in the mapping rules in /interface bridge vlan, much the same as when you need to make that VLAN accessible for L3 using /interface vlan.

As said multiple times, I don't get why RouterOS doesn't work out this need automatically, but that's how it works for the moment. So it should start working properly once you modify your settings the following way:

/interface bridge vlan
set [find bridge="bs-bridge1" vlan-ids="177"] tagged="ether1,ether2-master,ether3,ether4,ether5,ether6-master,ether7,ether8,ether9,bs-bridge1"
set [find bridge="bs-bridge1" vlan-ids="189"] tagged="ether2-master,bs-bridge1"

There is also the possibility to add the VLAN tag already on the wireless interface, which has the advantage that you can assign different VLAN tags to different clients associated with the same SSID using /wireless access-list rules. To do it this way, you would

  • set the default vlan-id under /interface wireless,
  • add the wireless interfaces as member ports of bs-bridge1 with pvid=1 under /interface bridge port,
  • put the wireless interfaces as tagged VLAN members under /interface bridge vlan.
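As an added example (not part of the thread, and not MikroTik's code), here is a small Python checker that parses the add lines of a RouterOS export and flags the two situations sindy's replies above describe: an /interface vlan riding on a VLAN-filtering bridge where the bridge itself is missing from the tagged list of the matching /interface bridge vlan entry, and a wireless port in a VLAN where the bridge is likewise missing from the tagged list. The sample export is constructed for illustration. Treating interface names that start with "wlan" as wireless, and ignoring set lines (such as the fix-up commands in the post above), are assumptions of this script.

```python
import re

# Constructed sample (not the poster's real config): a RouterOS export fragment in the
# shape the thread discusses. vlan-id 111 is done as recommended (bs-bridge1 on the
# tagged list); vlan-id 189 has an /interface vlan but the bridge is missing from its
# tagged list; vlan-id 177 carries a wireless port (wlan1) without the bridge tagged.
SAMPLE_EXPORT = """\
/interface bridge
add name=bs-bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bs-bridge1 interface=ether2-master
add bridge=bs-bridge1 interface=ether1 pvid=111
add bridge=bs-bridge1 interface=wlan1 pvid=177
/interface bridge vlan
add bridge=bs-bridge1 tagged=ether2-master,bs-bridge1 vlan-ids=111
add bridge=bs-bridge1 tagged=ether2-master untagged=wlan1 vlan-ids=177
add bridge=bs-bridge1 tagged=ether2-master vlan-ids="189"
/interface vlan
add interface=bs-bridge1 name=vlan-one-one-one vlan-id=111
add interface=bs-bridge1 name=vlan189 vlan-id=189
"""

# key=value pairs as they appear in an export; values may be double-quoted
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')

SECTIONS = {
    "/interface bridge": "bridges",
    "/interface bridge port": "ports",
    "/interface bridge vlan": "bridge_vlans",
    "/interface vlan": "vlan_ifaces",
}


def parse_export(text):
    """Collect the 'add' lines of the four sections this check needs.
    'set' lines are not interpreted (assumption: input is a plain export)."""
    cfg = {name: [] for name in SECTIONS.values()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = SECTIONS.get(line)
        elif line.startswith("add ") and section:
            cfg[section].append({k: q or u for k, q, u in KV_RE.findall(line[4:])})
    return cfg


def expand_vlan_ids(value):
    """'111' -> {111}; '10,20-22' -> {10, 20, 21, 22} (RouterOS allows ranges)."""
    ids = set()
    for part in value.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ids.update(range(int(lo), int(hi) + 1))
        elif part:
            ids.add(int(part))
    return ids


def members(entry, key):
    """Comma-separated member list of a bridge vlan entry ('tagged' or 'untagged')."""
    return {m for m in entry.get(key, "").split(",") if m}


def bridge_vlan_entry(cfg, bridge, vid):
    for entry in cfg["bridge_vlans"]:
        if entry.get("bridge") == bridge and vid in expand_vlan_ids(entry.get("vlan-ids", "")):
            return entry
    return None


def bridge_is_tagged(cfg, bridge, vid):
    """True if the bridge itself is on the tagged list for this VLAN (needed for CPU access)."""
    entry = bridge_vlan_entry(cfg, bridge, vid)
    return entry is not None and bridge in members(entry, "tagged")


def check_local_access(cfg):
    """Every /interface vlan on a bridge needs that bridge tagged in the matching
    /interface bridge vlan entry, otherwise the IP on it is unreachable."""
    bridges = {b.get("name") for b in cfg["bridges"]}
    findings = []
    for v in cfg["vlan_ifaces"]:
        bridge, vid = v.get("interface"), int(v.get("vlan-id", 0))
        if bridge in bridges and not bridge_is_tagged(cfg, bridge, vid):
            findings.append(f"{v.get('name')}: {bridge} is not a tagged member of vlan-id {vid}")
    return findings


def check_wireless_members(cfg, is_wireless=lambda name: name.startswith("wlan")):
    """Wireless ports are not on the switch chip, so every VLAN they belong to also needs
    the bridge itself tagged. Detecting wireless by the 'wlan' name prefix is an assumption."""
    findings = []
    for p in cfg["ports"]:
        iface, bridge = p.get("interface", ""), p.get("bridge")
        if not is_wireless(iface):
            continue
        # VLANs this port belongs to: its pvid (tagless ingress, 1 = stays tagless)
        # plus any entry that lists it as a tagged or untagged member
        vids = {int(p.get("pvid", 1))} - {1}
        for entry in cfg["bridge_vlans"]:
            if entry.get("bridge") == bridge and iface in members(entry, "tagged") | members(entry, "untagged"):
                vids |= expand_vlan_ids(entry.get("vlan-ids", ""))
        for vid in sorted(vids):
            if not bridge_is_tagged(cfg, bridge, vid):
                findings.append(f"{iface}: {bridge} is not a tagged member of vlan-id {vid}")
    return findings


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for finding in check_local_access(cfg) + check_wireless_members(cfg):
        print("FINDING", finding)
```

Run against the sample it reports vlan189 and wlan1; adding bs-bridge1 to the tagged lists of vlan-ids 189 and 177 (the same change as the set commands in the post above) makes both findings disappear. To check a real box, feed it the output of /export instead of SAMPLE_EXPORT.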