QinQ with vlan filtering

Hi, this is my first post, but I’m a long-time reader of this forum and a big user of MikroTik devices. I have a working configuration at a client site that goes like this:

I have 3 LAN vlans and 2 WAN vlans that my service provider set on a trunk port in order to give us internet on one vlan (516) and data transport to other branches on the other vlan (499).

/interface vlan
add interface=bridge1_LAN name=vlan10_HW vlan-id=10
add interface=bridge1_LAN name=vlan20_DC vlan-id=20
add interface=bridge1_LAN name=vlan30_Sistema vlan-id=30
add interface=ether9_WAN name=vlan499_Transporte vlan-id=499
add interface=ether9_WAN name=vlan516_Internet vlan-id=516

So my goal is to transport the LAN vlans (10, 20, 30) over the 499 vlan using QinQ so that all branches can talk in layer 2.

On the bridge config:

/interface bridge
add dhcp-snooping=yes frame-types=admit-only-vlan-tagged igmp-snooping=yes ingress-filtering=yes name=bridge1_LAN protocol-mode=mstp region-name=balys region-revision=1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1_LAN interface=bonding_SW_Core trusted=yes
add bridge=bridge1_LAN interface=vlan499_Transporte
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge1_LAN tagged=bridge1_LAN,bonding_SW_Core,vlan499_Transporte vlan-ids=10
add bridge=bridge1_LAN tagged=bridge1_LAN,bonding_SW_Core,vlan499_Transporte vlan-ids=20
add bridge=bridge1_LAN tagged=bridge1_LAN,bonding_SW_Core,vlan499_Transporte vlan-ids=30

So as you can see, I treat the vlan 499 interface (which has ether9 as parent and is a port member of the bridge) as a trunk port. MikroTik does the trick and the internal vlans are stacked over the outer 499 service provider vlan. My service provider has made his switch ports “QinQ aware”, and with these configurations done on the other branches the whole system works fine most of the time, but there is a little instability and unpredictable behavior.

Reading the misconfigurations manual https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-BridgedVLANonphysicalinterfaces I realized that it’s not recommended to join a vlan interface with physical ethernet ports on a bridge, because it causes instability and unpredictable behavior (sounds familiar).

Also, I watched the vlan filtering and QinQ videos on the MikroTik YouTube channel, which have been very helpful to better understand the topic but unfortunately did not cover my specific case.

So my question is: how can I reconfigure this scenario “the right way”? If possible, of course…
In other words:
How can I have a router on a stick configuration with two trunk ports on a bridge, one of which will carry QinQ traffic out to a service provider trunk port?

And if not, I’m open to suggestions on changing the topology or anything, the purpose being improving the network stability and performance.
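An added example, not part of the original post: a small audit script that scans a RouterOS export for the pattern the post describes, a VLAN interface enslaved as a bridge port next to non-VLAN ports. The function names are hypothetical, the sample export is constructed from the lines quoted above, and the handling of wrapped lines assumes exports break lines with a trailing backslash.

```python
import re
import shlex

# Constructed sample: a trimmed copy of the export lines quoted in the post.
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge1_LAN name=vlan10_HW vlan-id=10
add interface=ether9_WAN name=vlan499_Transporte vlan-id=499
add interface=ether9_WAN name=vlan516_Internet vlan-id=516
/interface bridge port
add bridge=bridge1_LAN interface=bonding_SW_Core trusted=yes
add bridge=bridge1_LAN interface=vlan499_Transporte
"""

def parse_export(text):
    """Return {menu_path: [{key: value}, ...]} for the 'add' lines of an export."""
    # Assumption: long lines are wrapped with a trailing backslash; rejoin them.
    text = re.sub(r"\\\r?\n\s*", "", text)
    menus, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif current and line.startswith("add "):
            # shlex keeps quoted values such as comment="a b" in one token.
            tokens = shlex.split(line[4:])
            menus[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus

def vlan_bridge_ports(text):
    """List (bridge, vlan_port, parent, vlan_id, non_vlan_ports) findings."""
    menus = parse_export(text)
    vlans = {v["name"]: v for v in menus.get("/interface vlan", []) if "name" in v}
    ports = menus.get("/interface bridge port", [])
    findings = []
    for port in ports:
        iface, bridge = port.get("interface"), port.get("bridge")
        if iface not in vlans:
            continue
        # Other members of the same bridge that are not VLAN interfaces.
        others = sorted(o["interface"] for o in ports
                        if o.get("bridge") == bridge and "interface" in o
                        and o["interface"] not in vlans)
        vlan = vlans[iface]
        findings.append((bridge, iface, vlan.get("interface"),
                         int(vlan.get("vlan-id", 0)), others))
    return findings

if __name__ == "__main__":
    for finding in vlan_bridge_ports(SAMPLE_EXPORT):
        print("VLAN interface used as bridge port:", finding)
```
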