I'm doing a very basic self-contained test here where I have a CRS309 running v7.1 and a single laptop connected to a port. I then created a new VLAN, e.g. 53 using the default bridge as Interface, and then created an SVI equivalent, e.g. 192.168.53.1. I then set the interface the laptop is connected to using the default bridge, even untagged vlan 53 though according to the documentation that is unnecessary if the PVID is already set to that vlan. Either way, my laptop has an IP of 192.168.53.11 so same /24 and all works well. I can ping the laptop from the SVI no problem. I can create a new SVI on another vlan on the same bridge and no issues pinging.
The problem comes when I make a new bridge, because I want to leave the default bridge as is and make my changes on a new one. I created a new bridge (Custom1), moved the VLAN interface over, the physical interface the laptop is connected to, as well as where you untag your vlans in. Pings stop working. When I check the arp table, I can clearly see ARP is a problem:
[user@crs309test] /ip/arp> print
Flags: D, P - PUBLISHED; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
ADDRESS MAC-ADDRESS INTERFACE
3 D 192.168.53.11 Custom1
[user@crs309test] /interface/bridge/vlan> /ping 192.168.53.11 src-address=192.168.53.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.53.11 timeout
1 192.168.53.11 timeout
I switch it all back to default bridge, arp works again and the switch can associate IP with mac, and all is good. Just to reiterate these are just tests from the same switch. Any ideas??
Multiple bridges are generally a bad idea as you will lose the hardware-offloaded wirespeed switching on all but the first bridge, and interfaces may only be assigned to one bridge.
Here’s the config. To clarify, I am using a lacp trunk port to my laptop for testing (Po78), but either way, this works with default bridge but not the Custom1 bridge. Thanks for calling out the hardware offloading though. I didn’t realize that’s not supported on custom bridges. Only reason I did that is because the documentation to setting up vlans did define a custom bridge, so I assumed it was best practice not to touch the default one…
/interface bridge
add admin-mac=DC:2C:6E:26:43:90 auto-mac=no comment=defconf name=bridge
add admin-mac=DC:2C:6E:26:43:91 auto-mac=no name=Custom1
add name=mgmt
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=Eth1
set [ find default-name=sfp-sfpplus2 ] name=Eth2
set [ find default-name=sfp-sfpplus3 ] name=Eth3
set [ find default-name=sfp-sfpplus4 ] name=Eth4
set [ find default-name=sfp-sfpplus5 ] name=Eth5
set [ find default-name=sfp-sfpplus6 ] name=Eth6
set [ find default-name=sfp-sfpplus7 ] name=Eth7
set [ find default-name=sfp-sfpplus8 ] name=Eth8
set [ find default-name=ether1 ] name=mgmt0
/interface vlan
add interface=Custom1 name=HomeWiFi vlan-id=51
add interface=Custom1 name=HomeWired vlan-id=50
add interface=Custom1 name=Storage vlan-id=53
/interface bonding
add mode=802.3ad name=Po78 slaves=Eth7,Eth8 transmit-hash-policy=layer-2-and-3
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=Eth1
add bridge=bridge comment=defconf interface=Eth2
add bridge=bridge comment=defconf interface=Eth3
add bridge=bridge comment=defconf interface=Eth4
add bridge=bridge comment=defconf interface=Eth5
add bridge=bridge comment=defconf interface=Eth6
add bridge=mgmt interface=mgmt0
add bridge=Custom1 edge=yes ingress-filtering=no interface=Po78 pvid=53
/ip settings
set arp-timeout=4h
/interface bridge vlan
add bridge=bridge untagged=Po78 vlan-ids=53
/ip address
add address=192.168.15.11/24 interface=mgmt network=192.168.15.0
add address=192.168.53.1/24 interface=Storage network=192.168.53.0
add address=192.168.1.160/24 interface=Eth1 network=192.168.1.0
add address=192.168.51.1/24 interface=HomeWiFi network=192.168.51.0
add address=192.168.50.1/24 interface=HomeWired network=192.168.50.0
/ip dns
set servers=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no tls-version=only-1.2
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=crs309test
/system routerboard settings
set boot-os=router-os
Regarding point 2, the default bridge also has vlan filtering set to off. Just to confirm that needs to be enabled or it only applies for “new” bridges you create?
All bridges need vlan-filtering=yes for VLAN tagging/untagging to happen on member ports. If vlan-filtering is not enabled, then bridge leaves VLAN tags unchanged … sometimes things seem to work but that’s pure coincidence.
Thank you. I’ll test this when I’m able to again. Just to confirm as well, the new offload to hardware from cpu in v7 for intervlan traffic only applies for default bridge and not to custom set bridges? If that’s true, then there’s no reason for me not to leave my setup on the default bridge then.
Thank you. Also highlights another important thing there I didn’t know where you have to disable it when making l2 changes… and then re-enable after. Yikes. I guess that begs the question, what happens then if you’ve already made changes without disabling it. Can you just simply issue commands to disable then re-enable after? Or you have to undo your config, and start over?
Ok, I just tested again tagging bridge and if I enable vlan filtering, then pings stop working from local svi on switch to the host. If I disable it, it works.
/interface bridge
add admin-mac=DC:2C:6E:26:43:90 auto-mac=no name=bridge
add name=mgmt
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=Eth1
set [ find default-name=sfp-sfpplus2 ] name=Eth2
set [ find default-name=sfp-sfpplus3 ] name=Eth3
set [ find default-name=sfp-sfpplus4 ] name=Eth4
set [ find default-name=sfp-sfpplus5 ] name=Eth5
set [ find default-name=sfp-sfpplus6 ] name=Eth6
set [ find default-name=sfp-sfpplus7 ] name=Eth7
set [ find default-name=sfp-sfpplus8 ] name=Eth8
set [ find default-name=ether1 ] name=mgmt0
/interface vlan
add interface=bridge name=Storage vlan-id=53
/interface bonding
add mode=802.3ad name=Po78 slaves=Eth7,Eth8 transmit-hash-policy=layer-2-and-3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=Eth1
add bridge=bridge comment=defconf interface=Eth2
add bridge=bridge comment=defconf interface=Eth3
add bridge=bridge comment=defconf interface=Eth4
add bridge=bridge comment=defconf interface=Eth5
add bridge=bridge comment=defconf interface=Eth6
add bridge=mgmt interface=mgmt0
add bridge=bridge edge=yes ingress-filtering=no interface=Po78 pvid=53
/ip settings
set arp-timeout=4h
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=Po78 vlan-ids=53
/ip address
add address=192.168.15.11/24 interface=mgmt network=192.168.15.0
add address=192.168.53.1/24 interface=Storage network=192.168.53.0
add address=192.168.1.160/24 interface=Eth1 network=192.168.1.0
/ip dns
set servers=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no tls-version=only-1.2
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=crs309test
/system routerboard settings
set boot-os=router-os
EDIT: Never mind, I had tagged that vlan on the client side, which was something I was testing with and had forgotten about. Removed that and all is well. Thanks so much for the help.
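An added example, not part of the thread or of MikroTik's tooling: a small Python check that reads a RouterOS export and flags the VLAN inconsistencies visible in the first config above (a bridge VLAN entry naming a port that sits on a different bridge, a VLAN interface on a bridge without vlan-filtering=yes, and a VLAN interface whose bridge is not a tagged member of that VLAN). The sample input is constructed from lines of that export; the function names are hypothetical and only comma-separated `vlan-ids` (no ranges) are handled.

```python
import re

# Constructed sample: the VLAN-relevant lines of the first export in the thread.
SAMPLE = """\
/interface bridge
add admin-mac=DC:2C:6E:26:43:90 auto-mac=no comment=defconf name=bridge
add admin-mac=DC:2C:6E:26:43:91 auto-mac=no name=Custom1
/interface vlan
add interface=Custom1 name=Storage vlan-id=53
/interface bridge port
add bridge=bridge comment=defconf interface=Eth1
add bridge=Custom1 edge=yes ingress-filtering=no interface=Po78 pvid=53
/interface bridge vlan
add bridge=bridge untagged=Po78 vlan-ids=53
"""

def parse_export(text):
    """Group the 'add' lines of an export by menu path, as key=value dicts."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            menus.setdefault(path, []).append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return menus

def check_vlans(text):
    """Return a list of findings; an export omits defaults, so a missing vlan-filtering means 'no'."""
    m = parse_export(text)
    bridges = {b["name"]: b for b in m.get("/interface bridge", [])}
    member = {p["interface"]: p["bridge"] for p in m.get("/interface bridge port", [])}
    table = m.get("/interface bridge vlan", [])
    issues = []
    for e in table:  # every listed port must belong to the entry's bridge
        ports = (e.get("tagged", "") + "," + e.get("untagged", "")).split(",")
        for port in filter(None, ports):
            if port != e["bridge"] and member.get(port) != e["bridge"]:
                issues.append(f"vlan {e['vlan-ids']}: {port} listed on {e['bridge']} but is a port of {member.get(port)}")
    for v in m.get("/interface vlan", []):  # VLAN interfaces (the SVIs) built on a bridge
        br = v["interface"]
        if br not in bridges:
            continue
        if bridges[br].get("vlan-filtering") != "yes":
            issues.append(f"{v['name']}: bridge {br} does not have vlan-filtering=yes")
        covered = any(e["bridge"] == br and v["vlan-id"] in e["vlan-ids"].split(",")
                      and br in e.get("tagged", "").split(",") for e in table)
        if not covered:
            issues.append(f"{v['name']}: bridge {br} is not a tagged member of vlan {v['vlan-id']}")
    return issues
```

Calling `check_vlans(SAMPLE)` returns three findings for the Custom1 setup; an export where Po78, the VLAN interface and the bridge VLAN entry all name the same filtering-enabled bridge returns none.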