Odd issue with RB2011, bridging and SLAAC

RouterOS General
1

So I’ve been following the examples here:

https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-SetupExample

My uplink port is a trunk with native/untagged vlan of 100.
My management interface is Vlan101.

Assigning ipv4 (static) to Vlan101 interface works as expected. However setting SLAAC on in the ipv6 settings (accept-router-advertisements=yes) takes advertisements on the UNTAGGED vlan and assigns them to my vlan 101 interface!!!

Here is my “/export hide-sensitive”:

[admin@MikroTik] > export hide-sensitive 
# jan/02/1970 00:55:35 by RouterOS 7.6
# software id = IIBP-GWHC
#
# model = RB2011UiAS-2HnD
# serial number = 63FB05144B00
/interface bridge
add name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridge1 name=Vlan101 vlan-id=101
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=100 vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 vlan-mode=secure
set 5 default-vlan-id=100 vlan-mode=secure
set 6 vlan-mode=secure
set 7 vlan-mode=secure
set 8 vlan-mode=secure
set 9 vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure
set 12 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes forward=no
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=10
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=16
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=90
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=99
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=100
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=101
add ports=switch2-cpu switch=switch2 vlan-id=10
add ports=switch2-cpu switch=switch2 vlan-id=16
add ports=switch2-cpu switch=switch2 vlan-id=90
add ports=switch2-cpu switch=switch2 vlan-id=99
add ports=switch2-cpu switch=switch2 vlan-id=100
add ports=switch2-cpu switch=switch2 vlan-id=101
add ports=switch2-cpu switch=switch2 vlan-id=102
/ip address
add address=192.168.131.39/27 interface=Vlan101 network=192.168.131.32
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.131.33 routing-table=main \
    suppress-hw-offload=no

With the manually set ipv4 address, I can ping it fine.
However if I ping the slaac address it if course doens’t work as the subnet is wrong!

My personal linux computer is in Vlan100 (eg: untagged for the rb2011):

rob2@daisy:~$ ip -6 addr show dev wlan0 | grep fd4a
    inet6 fd4a:ea50:349f:a0:2286:f3f7:35d1:c5d8/64 scope global temporary dynamic 
    inet6 fd4a:ea50:349f:a0:8038:e68d:852c:898c/64 scope global dynamic mngtmpaddr noprefixroute

Note my laptop addresses are in fd4a:ea50:349f:a0::/64

Here is the slaac address of the vlan101 interface:

[admin@MikroTik] > /ipv6/address/print 
Flags: D - DYNAMIC; G, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE
#    ADDRESS                                  INTERFACE  ADVERTISE
0 DL fe80::e68d:8cff:fe3c:1e9/64              bridge1    no       
1 DL fe80::e68d:8cff:fe3c:1e9/64              Vlan101    no       
2 DG fd4a:ea50:349f:a0:e68d:8cff:fe3c:1e9/64  Vlan101    no

As you can see, address2 is on Vlan101 but has the vlan100 /64 for some reason.

However Vlan101 seems to function fine with static ipv4. I can ping it, connect to it, etc.
If I turn off RA in ipv6 settings and assign it static ip, everything works fine. Any idea why untagged RA’s (vlan 100) coming into the bridge are being sent to Vlan101 interface?

2

The bridge1 is missing vlan-filtering=yes .. consequently it doesn’t do anything about VLAN tags and misbehaves in random ways.

3

Thank you I’ll give that a shot!

Edit: Added that to the bridge config & lost connectivity to the RB2011. The upstream switch (brocade) does learn a mac on vlan 100 (aka - untagged), but winbox can’t find it.

Any ideas what I might be doing wrong here or what addtl config I might need? The bridge only exists to be able to shuttle packets between the two switch chips when needed (which should be fairly rare).

Also: I did try to do it this way but it didn’t seem to work…

4

To make things simpler, I’ve taken the bridge out of the equation. I’m only using the first switch.

Config:

# jan/02/1970 00:36:30 by RouterOS 7.6
# software id = IIBP-GWHC
#
# model = RB2011UiAS-2HnD
# serial number = 63FB05144B00
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=ether5 name=eth5.101 vlan-id=101
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=100 vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 vlan-mode=secure
set 5 default-vlan-id=100 vlan-mode=secure
set 6 vlan-mode=secure
set 7 vlan-mode=secure
set 8 vlan-mode=secure
set 9 vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure
set 12 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes forward=no
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=10
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=16
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=90
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=99
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=100
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=101
add ports=switch2-cpu switch=switch2 vlan-id=10
add ports=switch2-cpu switch=switch2 vlan-id=16
add ports=switch2-cpu switch=switch2 vlan-id=90
add ports=switch2-cpu switch=switch2 vlan-id=99
add ports=switch2-cpu switch=switch2 vlan-id=100
add ports=switch2-cpu switch=switch2 vlan-id=101
add ports=switch2-cpu switch=switch2 vlan-id=102
/tool sniffer
set filter-interface=ether5 filter-ip-protocol=icmpv6 filter-ipv6-address=ff02::1/128

Edit: My CHR was misconfigured & handing out an incorrect address. removing the incorrect address & RA’s fixed the issue for “single switch” config as shown above.

I still need to try joining the two switches together in a bridge to see if that works.

5

Sorry, I wasn’t paying attention when I first checked the configuration you have. So I missed that you’re (trying to) dealing with VLANs on switch chip. So scrap the instruction to enable vlan-filtering on bridge.

Your latest try won’t work … without bridge ports are not members of same L2 group anymore, settings under /interface ethernet switch are not enough to group ports as switched ports. So if you want to use ether1 and ether5 as VLAN-enabled switched ports, then you still need bridge with ether1 and ether3 as members.

Current configuration makes VLAN100 “native” on switch1-cpu interface. I’d rather go with tagged … by removing “default-vlan-id” from port 5 under /interface ethernet switch port (after all, switch2-cpu has it configured as tagged). If router has to interact with VLAN 100, then create vlan100 interface and use it.

6

Yep, saw exactly that with a single client & no bridge. Didn’t work.

Where do you see switch1 cpu as native vlan 100? I don’t see that in winbox nor in the output. I only set defaultt-vlan id on eth1/eth5 as 100. the rest are either “auto” .

It seems the default for the first switch is “auto” including the cpu, and the 2nd switch is “0” (including the switch2-cpu)

Here is my output:

[admin@MikroTik] /interface/ethernet/switch/port> print
Columns: NAME, SWITCH, VLAN-MODE, VLAN-HEADER, DEFAULT-VLAN-ID
 # NAME         SWITCH   VLAN-MODE  VLAN-HEADER  DEFAULT-VLAN-ID
 0 sfp1         switch1  secure     leave-as-is  auto           
 1 ether1       switch1  secure     leave-as-is  100            
 2 ether2       switch1  secure     leave-as-is  auto           
 3 ether3       switch1  secure     leave-as-is  auto           
 4 ether4       switch1  secure     leave-as-is  auto           
 5 ether5       switch1  secure     leave-as-is  100            
 6 ether6       switch2  secure     leave-as-is  0              
 7 ether7       switch2  secure     leave-as-is  0              
 8 ether8       switch2  secure     leave-as-is  0              
 9 ether9       switch2  secure     leave-as-is  0              
10 ether10      switch2  secure     leave-as-is  0              
11 switch1-cpu  switch1  secure     leave-as-is  auto           
12 switch2-cpu  switch2  secure     leave-as-is  0
7

Huh, previous export used indices and I (turns out wrongly) assumed that index 5 refers to switch1-cpu port. I’d change default VID setting from auto to 0 … who knows what “auto” actually does …

8

Fair point, indeed. I appreciate all the help. I think index0 is the “sfp” and then index 1-5 are the ethernet ports & I think under 7.6 the switch[12]-cpu is like at the very end…

I’m not a huger fan of the indexes and would prefer the interface name. I don’t know what auto does either. Everything is working now thanks to your tips.