Pushing Bridges out over VLAN Trunks

arandomadmin · March 4, 2020, 2:59am

Hi All,

I’ve got an RB1100 setup with a fairly basic config, essentially we’ve got an uplink to the internet and then three separate subnets (separate bridges) hanging off different ports on the RB (the rest of the ports are also in use but the configuration of them is not relevant to this question).

We’re looking at hanging some more kit off the router which will necessitate chucking a switch into the mix, and in order to make it work we basically need to push those subnets over a VLAN trunk to our switch ideally retaining the “local” port access (though worst case I’ll just move everything to the switch).

The naive way to do this would just be to define VLAN interfaces on ether5 and drop those onto the relevant bridges, however in reading a bit further I ran across this https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_in_bridge_with_a_physical_interface which tells me that is a problem.

With the solution presented in the article, I can successfully get ONE of the bridge networks pushed out over the VLAN trunk, but I run into issues when it’s time to bring the second and subsequent networks onto that trunk, in a nutshell;

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20
add bridge=bridge1 interface=ether5
/interface bridge vlan
add bridge=bridge1 tagged=ether5 untagged=ether2 vlan-ids=20

Works fine, but when I attempt to add the trunk port to the second bridge it fails because the port has already been added to a bridge.

Been trying various things in Switch config and such but I’ve not had any luck getting it to work.

Can anybody provide some guidance as to how I can achieve this?

Thanks,

-A

anav · March 4, 2020, 3:29am

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

arandomadmin · March 4, 2020, 6:56am

Yeah, the Router-Switch-AP is the closest to what I want to achieve, but I’ll have to rework my existing config a bit to make it work with that, thanks.

satman1w · March 4, 2020, 10:32am

Hi,

I think that in attached link you will find enough information to solve your problem.

If there is something else - ask!

regards

http://wiki.tuturutu.eu/doku.php/networking/mikrotik/wireless_vlan

anav · March 4, 2020, 12:55pm

To be frank Satman your example is overly complicated (I would use the term butt ugly) for what I see to be no gain?
you only need a single bridge on each device.
All subnets separated by Vlans. Ports assigned as trunk or access as required.

satman1w · March 4, 2020, 1:52pm

OK!

anav · March 4, 2020, 4:18pm

Not saying it wouldn’t work nor that its not a valid approach, but unless there is a valid reason, simpler/cleaner is usually better and easier to manage??
I do like your diagram skills!

satman1w · March 4, 2020, 4:59pm

When you are doing it for yourself, it could be done simpler, I agree. But whe you expect someone else to work on router after yourself, I prefer to do it like it is described in the example, and believe me this is easier to manage than the simple solution.
Why?
If at any moment you will need additional access or trunk port you can just add it to bridge and the job is done, while in simple solution (VLAN created on Ethernet port) you will have to reconfigure it and in the process you will have to disconnect the port which will cause inconvenience for the already connected users.
Once again, if it is a home network and your personal needs, no problem but if it is a larger network…

regards

arandomadmin · March 25, 2020, 4:53am

Just in case anybody is looking to do a similar config this is what I ended up with;

/interface bridge
add name=trunk       protocol-mode=none vlan-filtering=no
add name=wan_bridge
add name=lan_bridge
add name=mgmt_bridge  

/interface vlan
add interface=trunk name=wan_vlan  vlan-id=330 comment="WAN VLAN"
add interface=trunk name=lan_vlan  vlan-id=30  comment="LAN VLAN"
add interface=trunk name=mgmt_vlan vlan-id=230 comment="Management VLAN"

/interface bridge port
add bridge=lan_bridge  interface=lan_vlan        comment="LAN VLAN"
add bridge=wan_bridge  interface=wan_vlan        comment="WAN VLAN"
add bridge=mgmt_bridge interface=mgmt_vlan       comment="Management VLAN"
add bridge=trunk       interface=ether5          comment="Trunk Port"
add bridge=trunk       interface=ether4 pvid=230 comment="Management local port"
add bridge=trunk       interface=ether3 pvid=30  comment="LAN local port"
add bridge=trunk       interface=ether2 pvid=330 comment="WAN local port"
add bridge=trunk       interface=ether1 pvid=330 comment="Uplink port"

/interface bridge vlan
add bridge=trunk tagged=trunk,ether5 untagged=ether1,ether2 vlan-ids=330 comment="WAN VLAN"
add bridge=trunk tagged=trunk,ether5 untagged=ether3        vlan-ids=30  comment="LAN VLAN"
add bridge=trunk tagged=trunk,ether5 untagged=ether4        vlan-ids=230 comment="Management VLAN"

/ip address
add interface=wan_vlan  address=x.x.x.210/28     comment="WAN"
add interface=lan_vlan  address=192.168.30.2/24  comment="LAN"
add interface=mgmt_vlan address=172.30.30.1/24   comment="Management"

/interface bridge port
set bridge=trunk ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether1]
set bridge=trunk ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=trunk ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=trunk ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=trunk ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]

/interface bridge
set trunk vlan-filtering=yes pvid=30 ingress-filtering=yes

/ip pool
add name=wan_pool  ranges=x.x.x.211-x.x.x.222         comment="WAN Pool"
add name=mgmt_pool ranges=172.30.30.20-172.30.30.40   comment="Management Pool"
add name=lan_pool  ranges=192.168.30.20-192.168.30.40 comment="LAN Pool"

/ip dhcp-server network
add address=x.x.x.208/28     gateway=x.x.x.209     dns-server=8.8.8.8,8.8.4.4 comment="WAN Subnet"
add address=172.30.30.0/24   gateway=172.30.30.1   dns-server=172.30.30.1     comment="Management Subnet"
add address=192.168.30.0/24  gateway=192.168.30.2  dns-server=192.168.30.2    comment="LAN Subnet"

/ip dhcp-server
add name=wan_dhcp  interface=wan_bridge  address-pool=wan_pool  disabled=no
add name=lan_dhcp  interface=lan_bridge  address-pool=lan_pool  disabled=no
add name=mgmt_dhcp interface=mgmt_bridge address-pool=mgmt_pool disabled=no

/ip route
add dst-address=0.0.0.0/0 gateway=x.x.x.209 pref-src=x.x.x.210 comment="Default Gateway"

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for SRC NAT of traffic exiting WAN" out-interface=wan_bridge

There’s also a secondary configuration parallel to this but using ether6-10 and obviously different IP ranges, and a sprinkling of route rules and such to make things go the right direction.

For just the trunking stuff you don’t need the wan/lan/mgmt_bridge bridges (you’ll obviously have to tweak the srcnat rule if you drop wan_bridge), they’re in our configuration because we have OpenVPN profiles attached to those bridges, so that remote users can be dropped on an appropriate bridge for their access requirements (it’s an atypical environment).

anav · March 25, 2020, 1:11pm

Very interesting setup.
Not being converse with the requirements of OPEN VPN, I do not understand at all what you have done with WAN bridge.
Is ether1 not from your ISP? How many IP addresses are you getting?
The diagram shows the uplink separate from networks 1,2,3 so that in of itself was confusing.

Finally the line in red below is completely bamboozling. How can your WANIP have anything to do with ether ports 2,3 etc or the trunk port 5 to the switch.
I have no clue as to what has been done here

???
/ip address
add interface=wan_vlan address=x.x.x.210/28 comment=“WAN”
/ip pool
add name=wan_pool ranges=x.x.x.211-x.x.x.222 comment=“WAN Pool”
/interface bridge
/ip dhcp-server network
add address=x.x.x.208/28 gateway=x.x.x.209 dns-server=8.8.8.8,8.8.4.4 comment=“WAN Subnet”
/ip route
add dst-address=0.0.0.0/0 gateway=x.x.x.209 pref-src=x.x.x.210 comment=“Default Gateway”
/ip firewall nat
add action=masquerade chain=srcnat comment=“Masquerade for SRC NAT of traffic exiting WAN” out-interface=wan_bridge
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add name=wan_bridge
/interface vlan
add interface=trunk name=wan_vlan vlan-id=330 comment=“WAN VLAN”
/interface bridge port
add bridge=wan_bridge interface=wan_vlan comment=“WAN VLAN”
/interface bridge vlan
add bridge=trunk tagged=trunk,ether5 untagged=ether1,ether2 vlan-ids=330 comment=“WAN VLAN”

arandomadmin · April 8, 2020, 1:31pm

As I mentioned it’s a very atypical environment

I showed ether2 as a separate network in the original post to avoid this type of confusion getting in the way of an answer (and for the purposes of the question it was functionally equivalent)

But for the sake of your sanity, there’s a /28 routed to each of the uplink ports and there’s no downstream DHCP server, instead the RB1100 serves out IP addresses on that segment to allow us to stand up hosts “parallel” to the RB1100 on public IPs when needed.