QinQ vlan bridge - help needed

allegro · February 17, 2024, 12:33pm

Hi all, long time lurker, first time poster.

I have vlan filtering setup and a dhcp server running on a bridge, a trunk from a service provider with S-TAG outer and C-TAG inner ids for the end user routers. I need to allocate IP addresses down the link to each router on the other end of the cvlans.

I setup vlan filtering on a bridge, added the vlan that’s mapped to the S-TAG and adding vlans on the bridge I can see the end user routers C-TAG id and mac addresses in the hosts on the bridge.

The DHCP server attached to the bridge sees the DHCP discovery from the end user devices and offers an address, but it’s not getting back down the cvlans to the end user routers.

Here’s my current config;

/interface bridge
add name=bridge1 vlan-filtering=yes

/interface bonding
add mode=802.3ad name="SL LACP" slaves=sfpplus1

/interface vlan
add interface="SL LACP" name=slc-VIC vlan-id=161

/ip dhcp-server
add address-pool=slc-VIC disabled=no interface=bridge1 name=server1

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=slc-VIC

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/interface bridge vlan
add bridge=bridge1 tagged=slc-VIC untagged=bridge1 vlan-ids=2,8

/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.0.1

/ip pool
add name=slc-VIC ranges=192.168.0.10-192.168.0.20

Now .. if I set the PVID on the bridge to 2, the router on cvlan 2 gets an IP allocated. If I set it to 8, the router on cvlan 8 gets an ip.

It seems there’s no tagging on the way back down the cvlans, I’m sure I’m missing something simple.

allegro · February 18, 2024, 10:55pm

Bump

Anyone have any clues for me please?

allegro · February 19, 2024, 10:20am

I’ve got this configuration setup on an old CCR1016, could that be causing problems? It’s running the latest stable firmware v6.49.13

allegro · February 21, 2024, 11:42pm

Talking to myself here a little, and hoping bumping this up the list will catch the attention of someone who can help me.

I’ve ordered a new CCR2116 and will cut the link across to that on the weekend, I’m hoping my Bridge/VLAN Filtering configuration will just work on this new router. We’ll see.

allegro · February 23, 2024, 10:17pm

Ok, so the new router, running 7.13.15 does the same thing, so seemingly not related to the old hardware.

If anyone has any clues on where I should look it would be greatly appreciated. Cheers.

allegro · February 28, 2024, 10:50am

Well, I’ve abandoned the idea and gone with /32 static routes and set proxy-arp on each vlan instead.

nichky · February 28, 2024, 11:25am

why is that

/interface vlan
add interface="SL LACP" name=slc-VIC vlan-id=161

/interface bridge vlan
add bridge=bridge1 tagged=slc-VIC untagged=bridge1 vlan-ids=2,8

allegro · February 28, 2024, 11:41am

Why is what?

MrYan · February 28, 2024, 1:35pm

I’d have approached this a different way albeit likely it won’t meet your intentions. Rather than pop VLAN 161 off before it gets to the bridge, I’d have added “SL LACP” into the bridge.

Then add a vlan interface that decapsulates VLAN 161:
/interface vlan add interface=bridge1 name=vlan-161 vlan-id=161

And on top of the vlan-161 interface, add another pair of vlan interface for VLANs 2 & 8:
/interface vlan add interface=vlan-161 name=vlan-2 vlan-id=2
/interface vlan add interface=vlan-161 name=vlan-8 vlan-id=8

Then you configure DHCP onto the interfaces vlan-2 and vlan-8. What it wouldn’t do however is to make both of those a single bridge domain which is what you seem to be aiming for.

allegro · February 28, 2024, 2:15pm

I’ll give it a try, I need to allocate public addresses to the end user routers down the vlans, even segmenting to /30 is 4 addresses per user which is too wasteful.

MrYan · February 28, 2024, 7:56pm

You could put vlan-2 and vlan-8 into another bridge and run DHCP server on that second bridge. As only a single bridge can be hardware accelerated that might be an issue on some hardware. The CCR1036 won’t be impacted as it doesn’t have a switch chip. The CCR2116 does have a switch chip so performance may be impacted.

allegro · February 28, 2024, 11:22pm

I can’t just drop the vlans into a bridge, it causes duplicate mac address errors on the carrier side. I need vlan filtering on the bridge to work.

wldstn · February 23, 2025, 8:52pm

Did you every get to a workabing/working solution? I’m also faced with the same requirement and the only way I have got it sort of working is with two bridges. One places the c-tag within multiple-stags (being the port) as the physical is a share interface and then another for adding the required c-tags to a bridge for which DHCP is assigning IPs to a number of c-tags. I have also in this case add to disable vlan-filtering on the second bridge allocating DHCP addresses. I’m using a CCR2216 as hardware, but also testing the same using CHR. I have not yet tested with a CRS but coul possibly do so.
The issue with what I have working is I also want to split the assignment of IP’s per region, which than along with CGNAT gets allocated specific pulbic IPs, the CGNAT is not however a problem once a “CPE” gets an IP address, it scaling out.

As per the original post, a unique c-tag must be assigned per “CPE” on a common s-tag, which in essence is only ~4000 VLANs per s-tag before you have to use another s-tag to get another ~4000 CPEs. Creating ~4000 dedicated VLAN’s and DHCP scopes is far from being an elegant solution, nor is it overly managable without even considering the consumption/waste of IP’s.

allegro · February 23, 2025, 10:46pm

I went with a static configuration, using a central management server and the api on the mikrotik routers, and create a vlan interface for each ctag, a dhcp server and a pool with a single address in it, and a simple queue. The addresses are managed on the central management server.

The dhcp server has a script in it that creates a route each time it hands out the address and removes it when the session is ended.

In case it might be useful, here’s the script we use;

:if ($leaseBound = "1") do={
    /ip route add dst-address=$leaseActIP gateway=$leaseServerName
} else={
    :local routeID [/ip route find where dst-address=$leaseActIP/32 and gateway=$leaseServerName]
    /ip route remove $routeID
}

So far we have around 500 services running on a single router (ccr2116) sitting at around 5% cpu during peak, we expect to able to handle the 4000 max ctags on a single router and we’ll scale horizontally from there.

It needs the central management server, trying to manage the config on the routers directly would not be very nice.

While running a bridge and using a single dhcp server to manage the addresses would be nice, I don’t see any physical limitation, in our case anyway, in doing it this way.

It’s very likely there’s a better way, but this is currently working for us.

wldstn · February 26, 2025, 5:44am

I think I’m following along here. Centralised management is something like Splynx to assign a static IP per user from a pool of subnet(s). On the Mikrotik I assume Radius to auth a ‘user’ and provide the IP address back, that is what we do. Just really trying to avoid setting up the separate DHCP per VLAN (c-tag) and have that on the bridge configuration instead. I’ll keep trying for something scalable as ~4000 cpe’s per CCR isn’t overly scalable.