Need some help wrapping my head around (and configuring) a VLAN

RouterOS General
1

I have a pfsense router/gateway and a dd-wrt access point. Following this guide http://phil.lavin.me.uk/2012/10/creating-a-guest-wifi-with-802-1q-vlan-tagging-in-pfsense-and-dd-wrt/ I created a guest network on the AP and assigned it to vlan4. I then created a vlan and an interface in pfsense and set up a DHCP server on it. However, I believe my switch (model CRS226-24G-2S+) is preventing my access point and router from communicating over that vlan. I created a bridge (bridge-vlan4) and two vlan interfaces (eth1-vlan4, eth6-vlan4) on my switch, but that doesn’t seem to have helped so far. I posted what I hope are the relevant configs below. I just updated to RouterOS 6.42.9 (from 6.40.8 ) so if any of this is the “old way” of doing things I’d love to know that as well. Any help is greatly appreciated, and please let me know if you would like to see any more configurations.

/interface bridge print     
Flags: X - disabled, R - running 
 0 R name="bridge-vlan4" mtu=auto actual-mtu=1500 l2mtu=1584 arp=enabled arp-timeout=auto mac-address=4C:5E:0C:9B:CD:68 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m 
     priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes pvid=4 

 1 R name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1588 arp=enabled arp-timeout=auto mac-address=4C:5E:0C:9B:CD:68 protocol-mode=rstp fast-forward=no igmp-snooping=no auto-mac=no admin-mac=4C:5E:0C:9B:CD:68 
     ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no 

/interface vlan print
Flags: X - disabled, R - running 
 #   NAME                                                                                   MTU ARP             VLAN-ID INTERFACE                                                                               
 0 R eth1-vlan4                                                                            1500 enabled               4 ether1                                                                                  
 1 R eth6-vlan4                                                                            1500 enabled               4 ether6                                                                                  

/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                                                BRIDGE                                                                HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ether1                                                                   bridge1                                                               yes    1     0x80         10                 10       none
 1     eth1-vlan4                                                               bridge-vlan4                                                                 4     0x80         10                 10       none
 2     eth6-vlan4                                                               bridge-vlan4                                                                 4     0x80         10                 10       none
 3   H ether2                                                                   bridge1                                                               yes    1     0x80         10                 10       none
 4   H ether3                                                                   bridge1                                                               yes    1     0x80         10                 10       none
 5   H ether4                                                                   bridge1                                                               yes    1     0x80         10                 10       none
 6 I H ether5                                                                   bridge1                                                               yes    1     0x80         10                 10       none
 7   H ether6                                                                   bridge1                                                               yes    1     0x80         10                 10       none
 8 I H ether7                                                                   bridge1                                                               yes    1     0x80         10                 10       none
 9   H ether8                                                                   bridge1                                                               yes    1     0x80         10                 10       none
10   H ether9                                                                   bridge1                                                               yes    1     0x80         10                 10       none
11 I H ether10                                                                  bridge1                                                               yes    1     0x80         10                 10       none
12 I H ether11                                                                  bridge1                                                               yes    1     0x80         10                 10       none
13 I H ether12                                                                  bridge1                                                               yes    1     0x80         10                 10       none
14   H ether13                                                                  bridge1                                                               yes    1     0x80         10                 10       none
15 I H ether14                                                                  bridge1                                                               yes    1     0x80         10                 10       none
16   H ether15                                                                  bridge1                                                               yes    1     0x80         10                 10       none
17 I H ether16                                                                  bridge1                                                               yes    1     0x80         10                 10       none
18   H ether17                                                                  bridge1                                                               yes    1     0x80         10                 10       none
19 I H ether18                                                                  bridge1                                                               yes    1     0x80         10                 10       none
20 I H ether19                                                                  bridge1                                                               yes    1     0x80         10                 10       none
21   H ether20                                                                  bridge1                                                               yes    1     0x80         10                 10       none
22 I H ether21                                                                  bridge1                                                               yes    1     0x80         10                 10       none
23   H ether22                                                                  bridge1                                                               yes    1     0x80         10                 10       none
24 I H ether23                                                                  bridge1                                                               yes    1     0x80         10                 10       none
25 I H ether24                                                                  bridge1                                                               yes    1     0x80         10                 10       none
26   H sfp1                                                                     bridge1                                                               yes    1     0x80         10                 10       none
27 I H sfp2                                                                     bridge1                                                               yes    1     0x80         10                 10       none
2

You cannot make ether1 a member port of a bridge (here called bridge1) and at the same time a bearer port of an /interface vlan.

So just removing the two /interface vlan and keeping vlan-filtering=no on bridge1 would allow frames tagged with VID 4 to flow between ether1 and ether6 - in fact, frames with any VID flow freely between any pair of member ports of the same bridge when vlan-filtering is set to no.

If you want to precisely control which VLANs are permitted on which ports and whether they are tagged or tagless on these ports, you have to set vlan-filtering to yes on the bridge, but before doing that, you have to use /interface bridge vlan to configure port membership in VLANs and /interface bridge port to configure pvid for each port.

So for your case, you would have to remove the two /interface vlan and the /interface bridge name=bridge-vlan4, and set

/interface bridge vlan
add vlan-ids=1 bridge=bridge1 untagged=bridge1,ether1,ether2,…,sfp2
add vlan-ids=4 bridge=bridge1 tagged=ether1,ether6

/interface bridge port
add bridge=bridge1 interface=ether1 pvid=1

add bridge=bridge1 interface=sfp2 pvid=1

And, finally,
/interface bridge set bridge1 pvid=1 vlan-filtering=yes.


This way, you’d make ingress tagless frames on any port remain tagless on the bridge because the pvid of the ports and the pvid of the bridge is the same (this is something that doesn’t happen on usual switches where everything must be tagged internally), and permit frames tagged with VID 4 on ether1 and ether6.

A bridge itself must be present in the list of tagged or untagged ports of itself under /interface bridge vlan if you want to attach an IP configuration to it. That’s why I’ve put it to the untagged list on the row for vlan-ids=1