Problem pinging IP assigned to bridge, on tagged port - works fine for other hosts

chris_taylor_NC · June 18, 2025, 3:56am

I have a really basic question that I’m having trouble with. I have one bridge created that’s working fine with tagged and untagged ports. I created an IP address 192.168.100.253/24 and assigned the bridge as it’s interface, as tagged.

[admin@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                                                                                                       
 0   192.168.100.253/24 192.168.100.0   bridge2VLANCluster                                                                                                                                                                                                              
 1 D 192.168.1.236/24   192.168.1.0     ether24

[admin@MikroTik] > /interface bridge vlan print 
Flags: X - disabled, D - dynamic 
 #   BRIDGE                                                                                 VLAN-IDS  CURRENT-TAGGED                                                                               CURRENT-UNTAGGED                                                                               
 0   bridge2VLANCluster                                                                     100       bridge2VLANCluster                                                                           
                                                                                                      ether2                                                                                       
                                                                                                      ether3                                                                                       
                                                                                                      ether4                                                                                       
                                                                                                      ether1                                                                                       
 1   bridge2VLANCluster                                                                     200       ether1                                                                                       bridge2VLANCluster                                                                             
                                                                                                                                                                                                   ether10                                                                                        
                                                                                                                                                                                                   ether11                                                                                        
                                                                                                                                                                                                   ether12                                                                                        
 2 D bridge2VLANCluster                                                                     1                                                                                                      bridge2VLANCluster                                                                             
                                                                                                                                                                                                   ether24                                                                                        
                                                                                                                                                                                                   ether1

Hosts on ether1,2,3 and 4 can ping each other fine on the 192.168.100.0 network but from my host on ether1, which has a tagged interface 192.168.100.10, I’m not able to ping 192.168.100.253. What am I doing wrong? I want to have 192.168.100.253 available as an address for hosts isolated on 192.168.100.0 to use services like NTP. I don’t have any firewall rules configured on the MikroTik or the hosts.

RouterOS v6.49.18 (long-term)
Architecture Name arm
Board Name CRS326-24G-2S+

mkx · June 18, 2025, 5:00am

If bridge CPU-facing port is tagged, then you have to create VLAN interface (under /interface/vlan), anchor it to bridge CPU-facing port with corresponding VLAN ID set and use that interface to set up IP address (etc.). Setting IP address directly on bridge switch-facing interface works only if bridge is (also) untagged.

chris_taylor_NC · June 18, 2025, 6:14pm

What if the bridge is a hybrid, tagged and untagged ports?

lurker888 · June 18, 2025, 6:34pm

Not all that unexpected: untagged packets are available on the “bridge” interface for processing in the ip stack. Tagged packets are extracted (and encapsulated in the other direction) by the vlan interfaces and are available there.

Having a hybrid cpu port (“bridge” as port) isn’t really a common configuration, but it works in the expected manner.

chris_taylor_NC · June 18, 2025, 7:47pm

Do you mean like this? I created a new interface, ‘vlan100interface’ and added my 192.168.100.253 IP to it but I get this error-

[admin@MikroTik] > /interface vlan print 
Flags: X - disabled, R - running 
 #   NAME                                                                                                                                         MTU ARP             VLAN-ID INTERFACE                                                                                                                                      
 0 R vlan100interface 
                                                                                                                           1500 enabled             100 bridge2VLANCluster                                                                                                                             
[admin@MikroTik] > /ip address print  
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                                                                                                                                                            
 0   192.168.100.253/24 192.168.100.0   vlan100interface                                                                                                                                                                                                                                                                     
 1 D 192.168.1.236/24   192.168.1.0     ether24 
                                                                                                                                                                                                                                                                             
[admin@MikroTik] > /interface bridge vlan print  
Flags: X - disabled, D - dynamic 
 #   BRIDGE                                                                                          VLAN-IDS  CURRENT-TAGGED                                                                                        CURRENT-UNTAGGED                                                                                        
 0   bridge2VLANCluster                                                                              100       ether2                                                                                                
                                                                                                               ether3                                                                                                
                                                                                                               ether4                                                                                                
                                                                                                               ether1                                                                                                
 1   bridge2VLANCluster                                                                              200       ether1                                                                                                bridge2VLANCluster                                                                                      
                                                                                                                                                                                                                     ether10                                                                                                 
                                                                                                                                                                                                                     ether11                                                                                                 
                                                                                                                                                                                                                     ether12                                                                                                 
 2 D bridge2VLANCluster                                                                              1                                                                                                               bridge2VLANCluster                                                                                      
                                                                                                                                                                                                                     ether24                                                                                                 
                                                                                                                                                                                                                     ether1                                                                                                 

[admin@MikroTik] > /interface bridge vlan add tagged=vlan100interface vlan-ids=100 bridge=bridge2VLANCluster  
failure: vlan already added

lurker888 · June 18, 2025, 8:06pm

Bridge2vlancluster has to be added as tagged port, not the vlan interface. (To itself…)

If you’re running a fairly recent software, this is added automatically as a dynamic vlan entry when you add the vlan interface.

Otherwise you’re on the right path.

chris_taylor_NC · June 18, 2025, 10:13pm

EDIT: now I think it’s working - I added bridge2VLANCluster to itself.

Thanks for your help on this. I tried this but it still isn’t working-

[admin@MikroTik] > /interface bridge port add bridge=bridge2VLANCluster frame-types=admit-only-vlan-tagged interface=vlan100interface pvid=100 hw=yes  
[admin@MikroTik] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                                                                                                      BRIDGE                                                                                                                      HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON 
 0   H ether2                                                                                                                         bridge2VLANCluster                                                                                                          yes  100     0x80         10                 10       none 
 1   H ether3                                                                                                                         bridge2VLANCluster                                                                                                          yes  100     0x80         10                 10       none 
 2   H ether4                                                                                                                         bridge2VLANCluster                                                                                                          yes  100     0x80         10                 10       none 
 3   H ether10                                                                                                                        bridge2VLANCluster                                                                                                          yes  200     0x80         10                 10       none 
 4   H ether11                                                                                                                        bridge2VLANCluster                                                                                                          yes  200     0x80         10                 10       none 
 5   H ether12                                                                                                                        bridge2VLANCluster                                                                                                          yes  200     0x80         10                 10       none 
 6   H ether1                                                                                                                         bridge2VLANCluster                                                                                                          yes    1     0x80         10                 10       none 
 7   H ether24                                                                                                                        bridge2VLANCluster                                                                                                          yes    1     0x80         10                 10       none 
 8     vlan100interface                                                                                                               bridge2VLANCluster                                                                                                               100     0x80         10                 10       none

lurker888 · June 18, 2025, 10:38pm

Again, you don’t enroll the vlan interface as a port. You enroll the bridge interface.

Remove the vlan interface from bridge ports. (Assuming that numbering remains the same.)
/interface bridge port remove 8
Add the bridge as tagged port to itself.
/interface bridge vlan add bridge=bridge2VLANCluster tagged=bridge2VLANCluster vlan-ids=100
Configure the bridge cpu port to accept the frames: (Assuming you only have the one bridge, otherwise renumber.)
/interface bridge set 0 frame-types=admit-only-vlan-tagged ingress-filtering=yes

chris_taylor_NC · June 19, 2025, 12:13am

Awesome! Thank you