Problem with VLANs and VLAN filtering on the Bridge

Niffchen · June 23, 2018, 11:51am

Hello,

I try to implement VLANs into my network. But I doesn’t get the traffic routed between some VLANs and to the internet. I hope somebody of you has any suggestions for me.

My first setup only deals with VLANs, access to the internet for the VLANs and the management of the hEX has to be separated from VLAN traffic. There will be no access for the VLANs to the management address of the hEX. After this I will implement CAPsMAN with 2 hAP und 1 wAP, but this is the second step.

This is what I want to do first:

I have different VLANs which are connected to the hEX via trunk port. The switch has a trunk port defined and tags all traffic with the correct VLAN-ID. The trunk Port is Ether2
The port Ether1 ist for access to the internet. The stuff of my provider is connected at this port.
The ports Ether3 and Ether5 are for CAPsMAN at the second step. At the moment I choose port Ether4 as my configuration port outside any bridges and VLANs.

Now in some words what I have done and after this I show you the configuration.
I created a bridge called “MainBridge”. This should be for the VLANs and to connect them and the internet. All LAN ports (not Ether4 and Ether1) are configured as ports of the “MainBridge”. THE PVID is the same as the PVID of the bridge.
I created a VLAN-Interface for every VLAN/PVID and located this interface on the bridge. Every VLAN-Interface got a IP adress - for example VLAN 150 and address 192.168.150.1/24.
For every VLAN I created a DHCP-Server which generates dynamic adresses for the connected devices.
The last step was to tell the bridge which VLAN is connected at which port and if it is tagged or antagged on this port (Bridge - VLAN).
Now I activated the checkbox “VLAN filtering”. This was my first approach.

If I connect a PC to one of the VLANs it gets a correct adress from the DHCP-Server. This works fine.
Now I treid to connect to the internet or other devices in different VLANs and this doesn’t work. I’m also not able to ping the gateway of VLAN150 from PC in VLAN150. I always get a “request timeout”.

I tried to configure different filter rules at the bridge, activated IP firewall and configured some FW rules without success. I think I’m missing some knowledge about what to do next to get the traffic fully routed.

This is my configuration:

# jun/23/2018 13:20:31 by RouterOS 6.42.4
# software id = G7JR-VZNY
#
# model = 960PGS
# serial number = 89F908AE5EB1
/interface bridge
add admin-mac=CC:2D:E0:68:3D:3E auto-mac=no comment=defconf name=MainBridge \
    pvid=5 vlan-filtering=yes
add fast-forward=no name=SubBridge
/interface vlan
add interface=MainBridge name=VLAN5 vlan-id=5
add interface=MainBridge name=VLAN40 vlan-id=40
add interface=MainBridge name=VLAN110 vlan-id=110
add interface=MainBridge name=VLAN120 vlan-id=120
add interface=MainBridge name=VLAN130 vlan-id=130
add interface=MainBridge name=VLAN140 vlan-id=140
add interface=MainBridge name=VLAN150 vlan-id=150
add interface=MainBridge name=VLAN160 vlan-id=160
add interface=MainBridge name=VLAN170 vlan-id=170
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.110.150-192.168.110.200
add name=dhcp_pool2 ranges=192.168.120.150-192.168.120.200
add name=dhcp_pool3 ranges=192.168.130.150-192.168.130.200
add name=dhcp_pool4 ranges=192.168.140.150-192.168.140.200
add name=dhcp_pool5 ranges=192.168.150.150-192.168.150.200
add name=dhcp_pool6 ranges=192.168.160.150-192.168.160.200
add name=dhcp_pool7 ranges=192.168.170.150-192.168.170.200
add name=dhcp_pool8 ranges=192.168.40.150-192.168.40.200
/ip dhcp-server
add address-pool=default-dhcp interface=MainBridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=VLAN110 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=VLAN120 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=VLAN130 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=VLAN140 name=dhcp4
add address-pool=dhcp_pool5 disabled=no interface=VLAN150 name=dhcp5
add address-pool=dhcp_pool6 disabled=no interface=VLAN160 name=dhcp6
add address-pool=dhcp_pool7 disabled=no interface=VLAN170 name=dhcp7
add address-pool=dhcp_pool8 disabled=no interface=VLAN40 name=dhcp8
/interface bridge port
add bridge=MainBridge comment=defconf interface=ether2 pvid=5
add bridge=MainBridge comment=defconf interface=ether3 pvid=5
add bridge=MainBridge comment=defconf interface=ether5 pvid=5
add bridge=MainBridge comment=defconf disabled=yes interface=sfp1 pvid=5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=SubBridge tagged=ether2 untagged=ether3,ether5 vlan-ids=40
add bridge=MainBridge tagged=ether2 vlan-ids=110
add bridge=MainBridge tagged=ether2 vlan-ids=120
add bridge=MainBridge tagged=ether2 vlan-ids=130
add bridge=MainBridge tagged=ether2 vlan-ids=140
add bridge=MainBridge tagged=ether2 vlan-ids=150
add bridge=MainBridge tagged=ether2 vlan-ids=160
add bridge=MainBridge tagged=ether2 vlan-ids=170
add bridge=MainBridge untagged=ether3,ether5 vlan-ids=5
/interface list member
add comment=defconf interface=MainBridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether4 list=LAN
/ip address
add address=192.168.5.10/24 interface=MainBridge network=192.168.5.0
add address=192.168.15.15/24 interface=ether4 network=192.168.15.0
add address=192.168.2.10/24 interface=ether1 network=192.168.2.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
add address=192.168.110.1/24 interface=VLAN110 network=192.168.110.0
add address=192.168.120.1/24 interface=VLAN120 network=192.168.120.0
add address=192.168.130.1/24 interface=VLAN130 network=192.168.130.0
add address=192.168.140.1/24 interface=VLAN140 network=192.168.140.0
add address=192.168.150.1/24 interface=VLAN150 network=192.168.150.0
add address=192.168.160.1/24 interface=VLAN160 network=192.168.160.0
add address=192.168.170.1/24 interface=VLAN170 network=192.168.170.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.40.0/24 dns-server=192.168.40.1,192.168.2.1 gateway=\
    192.168.40.1
add address=192.168.110.0/24 dns-server=192.168.110.1,192.168.2.1 gateway=\
    192.168.110.1
add address=192.168.120.0/24 dns-server=192.168.120.1,192.168.2.1 gateway=\
    192.168.120.1
add address=192.168.130.0/24 dns-server=192.168.130.1,192.168.2.1 gateway=\
    192.168.130.1
add address=192.168.140.0/24 dns-server=192.168.140.1,192.168.2.1 gateway=\
    192.168.140.1
add address=192.168.150.0/24 dns-server=192.168.150.1,192.168.2.1 gateway=\
    192.168.150.1
add address=192.168.160.0/24 dns-server=192.168.160.1,192.168.2.1 gateway=\
    192.168.160.1
add address=192.168.170.0/24 dns-server=192.168.170.1,192.168.2.1 gateway=\
    192.168.170.1
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I hope you understand what I try to achieve.
If you have any questions …

Thanks,
Jens

CZFan · June 23, 2018, 2:06pm

You have ether3 & 5 untagged for both Vlan-ids 5 & 40, as far as I recall, a port can only be a member of 1 untagged vlan

Niffchen · June 23, 2018, 2:34pm

Thank you for your suggestions. I fixed this and this 2 interfaces are now member of the VLAN with the ID 40.
I tested a bit more before you answered and it seems that the DHCP-Servers doesn’t work. I put the PC on a port which is member of the VLAN 150 and ordered a new lease for it. Now he doesn’t get a IP address. I don’t know what is wrong with the configuration …

CZFan · June 23, 2018, 5:06pm

For DHCP to work, you will have to make the Bridge also a “Tagged” member of that Vlan

Niffchen · June 24, 2018, 11:29am

Thank you for this hint. Now DHCP is working on all VLANs called 110-170. Every client gets an IP address.
Do you have any idea what to do that the clients in different VLANs can contact itself and get a connection to the internet via Ether1?
I located the PC in VLAN110, it got an IP address but I cannot ping its gateway 192.168.110.1 or Ether1 at 192.168.2.10. The second address gets a “no route to host” and the ping for the gateway gets a “host is down”.

CZFan · June 24, 2018, 4:29pm

I am not sure what the purpose of below is, if nothing, then remove it to prevent confusion in Vlan table:

/interface bridge vlan
add bridge=SubBridge tagged=ether2 untagged=ether3,ether5 vlan-ids=40

Also add your Vlan’s to interface list LAN to make sure FW rules work accordingly.

Post new config of router if possible

Are you sure your switch config is correct?

Rockyboa · June 24, 2018, 5:28pm

I’m trying to achieve the same.

Starting from a defualt congif on hAP ac lite

Add an ip address 192.168.89.4 to my ether4 port
I have set my bridge port ether4 to pvid 10
Added the brige as a tag port on this Bridge VLAN

I plug my pc into ether4
as soon as I turn on the VLAN filtering, I can no longer ping 192.168.89.4 from my pc configure at 192.168.89.10.

It does ping when brige VLAN filtering is no longer checked.

Can you give me some idea why?

/interface bridge
add admin-mac=CC:2D:E0:29:B2:C6 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10

Niffchen · June 24, 2018, 8:22pm

It has been deleted.

Done.

I haven’t changed anything at the switch config. Did I have to change something?
I also activated “Use IP firewall” at the Bridge dialog. I think it has something to do with the firewall you mentioned above!?

This is the new config:

# jun/24/2018 21:40:44 by RouterOS 6.42.4
# software id = G7JR-VZNY
#
# model = 960PGS
# serial number = 89F908AE5EB1
/interface bridge
add admin-mac=CC:2D:E0:68:3D:3E auto-mac=no comment=defconf name=MainBridge \
    protocol-mode=none pvid=5 vlan-filtering=yes
add fast-forward=no name=SubBridge
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=MainBridge name=VLAN5 vlan-id=5
add interface=MainBridge name=VLAN40 vlan-id=40
add interface=MainBridge name=VLAN110 vlan-id=110
add interface=MainBridge name=VLAN120 vlan-id=120
add interface=MainBridge name=VLAN130 vlan-id=130
add interface=MainBridge name=VLAN140 vlan-id=140
add interface=MainBridge name=VLAN150 vlan-id=150
add interface=MainBridge name=VLAN160 vlan-id=160
add interface=MainBridge name=VLAN170 vlan-id=170
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.110.150-192.168.110.200
add name=dhcp_pool2 ranges=192.168.120.150-192.168.120.200
add name=dhcp_pool3 ranges=192.168.130.150-192.168.130.200
add name=dhcp_pool4 ranges=192.168.140.150-192.168.140.200
add name=dhcp_pool5 ranges=192.168.150.150-192.168.150.200
add name=dhcp_pool6 ranges=192.168.160.150-192.168.160.200
add name=dhcp_pool7 ranges=192.168.170.150-192.168.170.200
add name=dhcp_pool8 ranges=192.168.40.150-192.168.40.200
/ip dhcp-server
add address-pool=default-dhcp interface=MainBridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=VLAN110 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=VLAN120 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=VLAN130 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=VLAN140 name=dhcp4
add address-pool=dhcp_pool5 disabled=no interface=VLAN150 name=dhcp5
add address-pool=dhcp_pool6 disabled=no interface=VLAN160 name=dhcp6
add address-pool=dhcp_pool7 disabled=no interface=VLAN170 name=dhcp7
add address-pool=dhcp_pool8 disabled=no interface=VLAN40 name=dhcp8
/interface bridge port
add bridge=MainBridge comment=defconf interface=ether2 pvid=5
add bridge=MainBridge comment=defconf interface=ether3 pvid=140
add bridge=MainBridge comment=defconf interface=ether5 pvid=5
add bridge=MainBridge comment=defconf disabled=yes interface=sfp1 pvid=5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=MainBridge tagged=ether3 untagged=ether5 vlan-ids=40
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=110
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=120
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=130
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=140
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=150
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=160
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=170
add bridge=MainBridge untagged=ether5 vlan-ids=5
/interface list member
add comment=defconf interface=MainBridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether4 list=LAN
add interface=VLAN110 list=LAN
add interface=VLAN120 list=LAN
add interface=VLAN130 list=LAN
add interface=VLAN140 list=LAN
add interface=VLAN150 list=LAN
add interface=VLAN160 list=LAN
add interface=VLAN170 list=LAN
add interface=VLAN5 list=LAN
/ip address
add address=192.168.5.10/24 interface=MainBridge network=192.168.5.0
add address=192.168.15.15/24 interface=ether4 network=192.168.15.0
add address=192.168.2.10/24 interface=ether1 network=192.168.2.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
add address=192.168.110.1/24 interface=VLAN110 network=192.168.110.0
add address=192.168.120.1/24 interface=VLAN120 network=192.168.120.0
add address=192.168.130.1/24 interface=VLAN130 network=192.168.130.0
add address=192.168.140.1/24 interface=VLAN140 network=192.168.140.0
add address=192.168.150.1/24 interface=VLAN150 network=192.168.150.0
add address=192.168.160.1/24 interface=VLAN160 network=192.168.160.0
add address=192.168.170.1/24 interface=VLAN170 network=192.168.170.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.40.0/24 dns-server=192.168.40.1,192.168.2.1 gateway=\
    192.168.40.1
add address=192.168.110.0/24 dns-server=192.168.110.1,192.168.2.1 gateway=\
    192.168.110.1
add address=192.168.120.0/24 dns-server=192.168.120.1,192.168.2.1 gateway=\
    192.168.120.1
add address=192.168.130.0/24 dns-server=192.168.130.1,192.168.2.1 gateway=\
    192.168.130.1
add address=192.168.140.0/24 dns-server=192.168.140.1,192.168.2.1 gateway=\
    192.168.140.1
add address=192.168.150.0/24 dns-server=192.168.150.1,192.168.2.1 gateway=\
    192.168.150.1
add address=192.168.160.0/24 dns-server=192.168.160.1,192.168.2.1 gateway=\
    192.168.160.1
add address=192.168.170.0/24 dns-server=192.168.170.1,192.168.2.1 gateway=\
    192.168.170.1
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

CZFan · June 24, 2018, 10:50pm

Will look at it in morning, if possible, can you provide switch config?

Niffchen · June 25, 2018, 7:35am

I think I musunderstood your last posting. You asked for the external Switch config and not the Switch settings of the hEX - I got it
I take a look after work if I can export some settings for you. Do I need to define some „Filters“ on the bridge or some firewall rules to get the communication working?

CZFan · June 25, 2018, 12:49pm

As per the last config you posted and to test:

If you leave the following config as is
/interface bridge port
add bridge=MainBridge comment=defconf interface=ether3 pvid=140

and change the following to be,
Remove
/interface bridge vlan
add bridge=MainBridge tagged=ether3 untagged=ether5 vlan-ids=40

change to
/interface bridge vlan
add bridge=MainBridge tagged=ether2,MainBridge untagged=ether3 vlan-ids=140

Then connect you pc/laptop to ether3, you should get IP in correct range, 192.168.140.0/24, should be able to ping 192.168.140.1, should have internet access?

Niffchen · June 25, 2018, 6:09pm

You are right and not. If I configure the interface like you posted above and the pc gets an IP address from DHCP-Server very fast, I can ping 140.1 and I can ping 2.10. But I didn’t “really” get a internet connection … it seems as I get a connection but the way backwards will be “blocked” or something like that:

ping www.gmx.de
PING redir.g-ha-web.de (82.165.229.87): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 baed   0 0000  3f  01 3b51 192.168.140.197  82.165.229.87 

92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 5c78   0 0000  3f  01 99c6 192.168.140.197  82.165.229.87 

92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 34d7   0 0000  3f  01 c167 192.168.140.197  82.165.229.87 

Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 63ba   0 0000  3f  01 9284 192.168.140.197  82.165.229.87 

92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 4d14   0 0000  3f  01 a92a 192.168.140.197  82.165.229.87 

92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 d51f   0 0000  3f  01 211f 192.168.140.197  82.165.229.87 

Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 5bf0   0 0000  3f  01 9a4e 192.168.140.197  82.165.229.87 

92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 9df1   0 0000  3f  01 584d 192.168.140.197  82.165.229.87 

92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 352d   0 0000  3f  01 c111 192.168.140.197  82.165.229.87 

Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 2003   0 0000  3f  01 d63b 192.168.140.197  82.165.229.87 

92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 a4ba   0 0000  3f  01 5184 192.168.140.197  82.165.229.87 

92 bytes from 192.168.2.10: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 777a   0 0000  3f  01 7ec4 192.168.140.197  82.165.229.87 

Request timeout for icmp_seq 11
Request timeout for icmp_seq 12
Request timeout for icmp_seq 13
^C
--- redir.g-ha-web.de ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss

I changed the default route “0.0.0.0/0” to “ether1” and preferred source 192.168.2.10 (ip address of ether 1).

When I connect the pc to a port on the switch, which is member of the VLAN 140 I also get an IP address, but it takes much longer and I cannot ping 140.1 and 2.10.
I checked the switch and everything is correct. The port is a member of the VLAN called “140”. The PVID is set to 140 und the trunk port has the PVID 1. The trunk port is also a tagged member of VLAN 140 und the other ports are untagged members. For me everything seems to be ok … be the result in the end is a little bit strange.
The switch is a DLink DGS-1210-24.

Ist very strange for me …

CZFan · June 25, 2018, 7:01pm

No, below is wrong, interfaces are normally used for tunnel routing, should be IP of next hop, i.e. 192.168.2.1. What is 192.168.2.1, do you have config access to it?

I changed the default route “0.0.0.0/0” to “ether1” and preferred source 192.168.2.10 (ip address of ether 1)

Niffchen · June 25, 2018, 7:08pm

Yes, the 2.1 is my provider router for access to the internet.
I configured the route as you said and I have access to the internet on port ether3. Thank you very much! The first success!!!
If I can access internet via ether3 with this configuration, ist there anything special I need to configure for the connects via trunk port on ether2? For me it seems if something with the VLAN-IDs on the trunk is wrong or am I wrong?

But in the other hand devices on the trunk port get ip addresses of the right DHCP server of there VLAN… is there something missing in my config?

CZFan · June 25, 2018, 10:10pm

For now change the pvid on bridge and ether2 back to 1 from 5 and test again?

Niffchen · June 29, 2018, 9:02pm

Sorry for my late response.
I have tested different scenarios but nothing work. The networks at VLAN trunk had problems accessing the internet and an ethernet port an the hEX could access the internet without problems. Thank you guiding me to reach this point.

After that I updated my switch and did a factory reset. After reconfiguring the VLANs everything worked with the VLAN trunk! Crazy, but the switch was the problem. I don’t really know which configuration has been the rason for this problem, but now everything works fine.

Thank you very much for your help and taking so much time!

Regards,
Jens

scaryrobot · September 5, 2018, 3:42pm

Hi! I have been trying to get my head around layer three interfaces over vlan-filtered bridges for days now. Your post gave me the final piece of the puzzle. I’m was so grateful, that I had to register a forum account just to come here and thank you personally. Three cheers!