No Trunking on VLAN with VLAN filtering

I’ve been trying to set up a standard VLAN configuration for my RB5009UPr router with VLAN filtering, but I can’t seem to get it to work.
To help me better visualize how I want to configure things, I’ve drawn a little diagram of my local network.
local_net.png
My switch is configured as in the picture.

sg350x#sh vlan
Vlan       Name           Tagged Ports      UnTagged Ports      Created by
---- ----------------- ------------------ ------------------ ----------------
 1           1                            tw1/0/1,tw1/0/5-6,        D
                                                (...)
 7         VLAN7             tw1/0/8            tw1/0/2              S
 8         VLAN8             tw1/0/8       tw1/0/3-4,tw1/0/7         S
 9         VLAN9             tw1/0/8                                 S



sg350x#sh ip int
    IP Address        I/F    I/F Status  Type   Directed  Prec Redirect Status
                             admin/oper         Broadcast
------------------ --------- ---------- ------- --------- ---- -------- ------
192.168.7.254/24   vlan 7    UP/UP      Static  disable   No   enable   Valid
192.168.8.254/24   vlan 8    UP/UP      Static  disable   No   enable   Valid
192.168.9.254/24   vlan 9    UP/UP      Static  disable   No   enable   Valid



sg350x#sh int switchport tw1/0/8 | inc Mode|Trunk
Administrative Mode: trunk
Access Mode VLAN: 1
Trunking Native Mode VLAN: 1
Trunking VLANs: 1,7-9

This way, by changing my PC’s IP, I can reach the switch’s VLANs from their respective ports.
As for the router, I tried to follow some of the MikroTik guides, including the videos:

This is the bridge configuration:

[RB5009] > interface/bridge/print
 0 R ;;; defconf
     name="bridge" mtu=auto actual-mtu=1500 l2mtu=1514 arp=enabled arp-timeout=auto 
     mac-address=78:9A:18:39:5D:BC protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no 
     admin-mac=78:9A:18:39:5D:BC ageing-time=5m priority=0x8000 max-message-age=20s 
     forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 
     frame-types=admit-all ingress-filtering=yes dhcp-snooping=no port-cost-mode=long mvrp=no



[RB5009] > interface/bridge/port/print
#    INTERFACE     BRIDGE  HW   PVID  PRIORITY  HORIZON
;;; defconf
0 IH ether2        bridge  yes     1  0x80      none
;;; defconf
1 IH ether3        bridge  yes     1  0x80      none
;;; defconf
2 IH ether4        bridge  yes     1  0x80      none
;;; defconf
3 IH ether5        bridge  yes     1  0x80      none
;;; defconf
4 IH ether6        bridge  yes     1  0x80      none
;;; defconf
5  H ether7        bridge  yes     1  0x80      none
;;; defconf
6 IH ether8        bridge  yes     9  0x80      none
;;; defconf
7 X  sfp-sfpplus1  bridge          1  0x80      none
8  H ether1        bridge  yes     1  0x80      none

These are the bridge VLANs.

[RB5009] > interface/bridge/vlan/print detail 
 0   ;;; Bridge_VLAN7
     bridge=bridge vlan-ids=7 tagged=ether1,bridge 
     untagged=ether2,ether3,ether4,ether5,ether6,ether7 mvrp-forbidden="" 
     current-tagged=bridge,ether1 current-untagged=ether7 

 1   ;;; Bridge_VLAN8
     bridge=bridge vlan-ids=8 tagged=ether1,bridge untagged="" mvrp-forbidden="" 
     current-tagged=bridge,ether1 current-untagged="" 

 2   ;;; Bridge_VLAN9
     bridge=bridge vlan-ids=9 tagged=ether1,bridge untagged=ether8 mvrp-forbidden="" 
     current-tagged=bridge,ether1 current-untagged="" 

 3 D bridge=bridge vlan-ids=1 tagged="" untagged=bridge,ether7 mvrp-forbidden="" current-tagged="" 
     current-untagged=bridge,ether7

And these are the IP VLANs.

[RB5009] > interface/vlan/print
#   NAME         MTU  ARP      VLAN-ID  INTERFACE
;;; VLAN7 PC
0 R VLAN7_PC    1500  enabled        7  bridge
;;; VLAN8
1 R VLAN8       1500  enabled        8  bridge
;;; VLAN9
2 R VLAN9       1500  enabled        9  bridge



[RB5009] > ip/address/print
# ADDRESS          NETWORK       INTERFACE 
;;; IP Address for VLAN7 PC
0 192.168.7.1/24   192.168.7.0   VLAN7_PC
;;; IP Address for VLAN8
1 192.168.8.1/24   192.168.8.0   VLAN8
;;; IP Address for VLAN9
2 192.168.9.1/24   192.168.9.0   VLAN9
;;; IP Address for default Bridge
3 192.168.88.1/24  192.168.88.0  bridge

After all this, I can only reach the router by connecting my PC directly to it, and only through MAC.
VLAN trunking does not work.

I guess I must be doing something wrong, but I just can’t see it.
Any suggestions?

Standard config view please.
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, etc.)

This is the de facto bible on explaining the setup …
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I see.

Here’s the full configuration export. It is mostly default for now.


# 1970-01-02 00:02:51 by RouterOS 7.15.3
# software id = 
#
# model = RB5009UPr+S+
# serial number =
/interface bridge
add admin-mac=78:9A:18:39:5D:BC auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus1 name=pppoe-WAN \
    service-name="" use-peer-dns=yes user=
/interface vlan
add comment="VLAN7 PC" interface=bridge name=VLAN7_PC vlan-id=7
add comment="VLAN8" interface=bridge name=VLAN8 vlan-id=8
add comment="VLAN9" interface=bridge name=VLAN9 vlan-id=9
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.7.101-192.168.7.199
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 pvid=9
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=Bridge_VLAN7 tagged=ether1,bridge untagged=\
    ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=7
add bridge=bridge comment=Bridge_VLAN8 tagged=ether1,bridge vlan-ids=8
add bridge=bridge comment=Bridge_VLAN9 tagged=ether1,bridge untagged=ether8 \
    vlan-ids=9
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-WAN list=WAN
add comment="VLAN7 PC in LAN" interface=VLAN7_PC list=LAN
/ip address
add address=192.168.7.1/24 comment="IP Address for VLAN7 PC" interface=\
    VLAN7_PC network=192.168.7.0
add address=192.168.8.1/24 comment="IP Address for VLAN8" interface=\
    VLAN8 network=192.168.8.0
add address=192.168.9.1/24 comment="IP Address for VLAN9" interface=\
    VLAN9 network=192.168.9.0
add address=192.168.88.1/24 comment="IP Address for default Bridge" \
    interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.7.0/24 comment=defconf dns-server=192.168.7.1 gateway=\
    192.168.7.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.7.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Missing IP pool for the two vlans.
Why do you have the bridge doing dhcp??
You need dhcp server and dhcp server network for all three vlans!

/ip pool
add name=dhcp ranges=192.168.7.101-192.168.7.199
add name=pool-8 ranges=192.168.8.101-192.168.8.199
add name=pool-9 ranges=192.168.9.101-192.168.9.199

/ip dhcp-server
add address-pool=dhcp interface=VLAN7_PC name=defconf
add address-pool=pool-8 interface=VLAN8 name=server8
add address-pool=pool-9 interface=VLAN9 name=server9

/ip dhcp-server network
add address=192.168.7.0/24 dns-server=192.168.7.1 gateway=192.168.7.1
add address=192.168.8.0/24 dns-server=192.168.8.1 gateway=192.168.8.1
add address=192.168.9.0/24 dns-server=192.168.9.1 gateway=192.168.9.1

FIXED up your bridge ports!!

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=7
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=7
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=7
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=7
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=7
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=7
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=9

Interface bridge vlans were already in good shape!!
/interface bridge vlan
add bridge=bridge comment=Bridge_VLAN7 tagged=ether1,bridge untagged=\
    ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=7
add bridge=bridge comment=Bridge_VLAN8 tagged=ether1,bridge vlan-ids=8
add bridge=bridge comment=Bridge_VLAN9 tagged=ether1,bridge untagged=ether8 \
    vlan-ids=9

/interface list member
add interface=pppoe-WAN list=WAN
add comment="VLAN7 PC in LAN" interface=VLAN7_PC list=LAN
add interface=VLAN8 list=LAN
add interface=VLAN9 list=LAN

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

Get rid of 192.168.88 IP address, as far as I see it does nothing…

See how far that gets you and we can go from there…
One thing I have to ask is what is your management or Trusted vlan (where all smart devices should get their IP address from)??

At the time, I didn’t finish the configurations due to the failed VLAN setup.


That was the router’s default configuration. Again, I didn’t finish configuring the router.
The next step would be to configure DHCP.


I’ve removed it.

I think my bridge ports were misconfigured.
With your help, I’ve managed to set everything up as advised, and the VLANs are now working.

Thank you
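
The bridge port problem resolved in this thread can be checked mechanically: RouterOS places untagged ingress frames in the port's PVID, so a port listed as `untagged` for VLAN 7 while its `pvid` is still 1 never carries VLAN 7 traffic. The Python script below is an added example, not code from the thread or from MikroTik; the function names `parse_export` and `pvid_mismatches` are hypothetical, and the embedded text is the bridge port and bridge VLAN sections of the export posted above.

```python
import re

# Bridge sections as posted in the original export in this thread.
EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 pvid=9
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
/interface bridge vlan
add bridge=bridge comment=Bridge_VLAN7 tagged=ether1,bridge untagged=\
    ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=7
add bridge=bridge comment=Bridge_VLAN8 tagged=ether1,bridge vlan-ids=8
add bridge=bridge comment=Bridge_VLAN9 tagged=ether1,bridge untagged=ether8 \
    vlan-ids=9
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # undo RouterOS line continuations
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return sections

def pvid_mismatches(text):
    """List (port, vlan, pvid) where a port is untagged in a VLAN other than its PVID.
    A bridge port without an explicit pvid uses the RouterOS default of 1."""
    cfg = parse_export(text)
    pvid = {p["interface"]: int(p.get("pvid", 1)) for p in cfg.get("/interface bridge port", [])}
    findings = []
    for entry in cfg.get("/interface bridge vlan", []):
        vid = entry.get("vlan-ids", "")
        ports = entry.get("untagged", "").split(",") if vid.isdigit() else []  # single IDs only
        findings += [(p, int(vid), pvid[p]) for p in ports if p in pvid and pvid[p] != int(vid)]
    return findings

if __name__ == "__main__":
    for port, vlan, port_pvid in pvid_mismatches(EXPORT):
        print(f"{port}: untagged member of VLAN {vlan} but pvid={port_pvid}")
```

Run against the original export it reports ether2 through ether7; with `pvid=7` set on those ports, as in the corrected bridge port section, it reports nothing.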