RB2011 Switch mode VLAN problem

alexenergy · May 9, 2017, 10:02am

Hi,

i'm trying to use internal switch to reduce CPU usage... The RB2011 have 2 switch, one Ethernet and one Gigabit

I have 4 "trunk" port in port 1-3 and SFP module and 2 untagged Gigabit port. In FastEthernet switch i have only untagged port of vlan and 1 access internet gateway port...
At the trunk port is connected 3 switch with remote CAP wireless device.

Port SFP master: trunk VLAN 70,71,72,73
Port 1: trunk VLAN 70,71,72
Port 2: trunk VLAN 70,71,72,73
Port 3: trunk VLAN 70,71,72,73
Port 4: untagged VLAN 71
Port 5: untagged VLAN 70

Port 6 master: free
Port 7: untagged 70
Port 8: untagged 70
Port 9: free
Port 10: Gateway internet

I set all port on master port of gigabit on SFP port and Port 6 of fast ethernet switch.
In Switch VLAN i have setted the vlan and untagged port, in each vlan i have included switch-CPU port for talking with RouterOS

Now i must bridge the master port SFP and the master port eth6 because is different switch.
I have created a "localbridge" and add port SFP and ETH6.
In this bridge i have created 4 VLAN interface. This interface is for bridge each vlan with a wireless SSID of remote CAP.

NOW, the problem is:

if i connect to a wireless SSID of VLAN 70 i can access at all device except at the device connected at port 7 and 8 (fastEthernet switch), but if i connect to wireless SSID of VLAN 71 and try to access the device on port 7 and 8 it work (RouterOS route the 4 VLAN). Why?? The port is in bridgelocal!

The second problem is if i don't create the bridgelocal i suppose if the traffic can't move from the 2 master port. But SFP master port or eth6 master port can communicate with RouterOS (Switch_cpu port is in switch vlan config). If i disable the localbridge and create VLAN interface on SFP master routerOS i can't access any device from RouterOS in all trunk... is normal?

This is my configuration

may/09/2017 09:11:31 by RouterOS 6.39.1

software id = F0EQ-A5TK

/interface bridge
add fast-forward=no mtu=1594 name=br-hdmi
add fast-forward=no mtu=1594 name=br-ospiti
add fast-forward=no mtu=1594 name=br-pc
add fast-forward=no mtu=1594 name=br-sicurezza
add name=bridgelocal
/interface ethernet
set [ find default-name=sfp1 ] name= "ether00 master-uplink fibra armadio rack"
set [ find default-name=ether1 ] master-port= "ether00 master-uplink fibra armadio rack" name="ether01-uplink esterno"
set [ find default-name=ether2 ] master-port= "ether00 master-uplink fibra armadio rack" name="ether02-uplink PT"
set [ find default-name=ether3 ] name="ether03-uplink P1"
set [ find default-name=ether4 ] master-port= "ether00 master-uplink fibra armadio rack" name=ether04-nas
set [ find default-name=ether5 ] master-port= "ether00 master-uplink fibra armadio rack" name=ether05-dvr
set [ find default-name=ether6 ] name="ether06 master"
set [ find default-name=ether7 ] advertise=10M-half,10M-full name= ether07-allarme
set [ find default-name=ether8 ] advertise=10M-half,10M-full name= ether08-easyhome rx-flow-control=auto speed=10Mbps tx-flow-control=auto
set [ find default-name=ether9 ] name=ether09-programmazione
set [ find default-name=ether10 ] name="ether10-modem telecom" poe-out=off

/interface pppoe-client
add disabled=no interface="ether10-modem telecom" keepalive-timeout=60 name= "pppoe-out1 VDSL" password=aliceadsl use-peer-dns=yes user=aliceadsl

/ip neighbor discovery set ether04-nas discover=no
/interface vlan
add interface=bridgelocal loop-protect=off mtu=1594 name=eth00-vlan70 vlan-id=70
add interface=bridgelocal loop-protect=off mtu=1594 name=eth00-vlan71 vlan-id=71
add interface=bridgelocal mtu=1594 name=eth00-vlan72 vlan-id=72
add interface=bridgelocal mtu=1594 name=eth00-vlan73 vlan-id=73

/caps-man configuration
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz
channel.extension-channel=Ce channel.tx-power=30 datapath.bridge=br-pc
datapath.client-to-client-forwarding=yes datapath.local-forwarding=no
name="cfg1 pc" rx-chains=0,1,2 security.authentication-types=wpa2-psk
security.encryption=aes-ccm security.passphrase=xxxxxxx ssid=miciowifi
tx-chains=0,1,2
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz
channel.extension-channel=Ce channel.tx-power=30 datapath.bridge=
br-ospiti datapath.client-to-client-forwarding=yes
datapath.local-forwarding=no mode=ap name="cfg3 ospiti" rx-chains=0,1,2
security.authentication-types=wpa2-psk security.encryption=aes-ccm
security.group-encryption=aes-ccm security.passphrase=xxxxxx ssid=
"miciowifi ospiti" tx-chains=0,1,2
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz
channel.extension-channel=Ce channel.tx-power=30 datapath.bridge=
br-sicurezza datapath.client-to-client-forwarding=yes
datapath.local-forwarding=no mode=ap name="cfg2 sicurezza" rx-chains=
0,1,2 security.authentication-types=wpa2-psk security.encryption=aes-ccm
security.group-encryption=aes-ccm security.passphrase=xxxxx ssid=
"miciowifi sicurezza" tx-chains=0,1,2

/interface ethernet switch port
set 0 default-vlan-id=71 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure
set 5 default-vlan-id=70 vlan-header=always-strip vlan-mode=secure
set 11 vlan-mode=secure
set 12 vlan-mode=secure

/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration="cfg1 pc" name-format=
prefix-identity name-prefix=cap_wifi slave-configurations=
"cfg2 sicurezza,cfg3 ospiti"
/interface bridge port
add bridge=br-ospiti interface=eth00-vlan72
add bridge=br-hdmi interface=eth00-vlan73
add bridge=br-pc interface=eth00-vlan71
add bridge=br-sicurezza interface=eth00-vlan70
add bridge=bridgelocal interface="ether00 master-uplink fibra armadio rack"
add bridge=br-sicurezza interface=ether07-allarme
add bridge=br-sicurezza interface=ether08-easyhome
/interface ethernet switch vlan
add independent-learning=yes ports="ether00 master-uplink fibra armadio rack,s
witch1-cpu,ether01-uplink esterno,ether02-uplink PT,ether04-nas,ether03-up
link P1" switch=switch1 vlan-id=71
add independent-learning=yes ports="ether00 master-uplink fibra armadio rack,s
witch1-cpu,ether01-uplink esterno,ether02-uplink PT,ether03-uplink P1,ethe
r05-dvr" switch=switch1 vlan-id=70
add independent-learning=yes ports="ether00 master-uplink fibra armadio rack,s
witch1-cpu,ether01-uplink esterno,ether02-uplink PT,ether03-uplink P1"
switch=switch1 vlan-id=72
add independent-learning=yes ports="ether00 master-uplink fibra armadio rack,e
ther03-uplink P1,ether02-uplink PT" switch=switch1 vlan-id=73
add ports="ether06 master,ether07-allarme,ether08-easyhome,switch2-cpu"
switch=switch2 vlan-id=70
add ports="ether06 master,switch2-cpu" switch=switch2 vlan-id=71
add ports="ether06 master,switch2-cpu" switch=switch2 vlan-id=72
add ports="ether06 master,switch2-cpu" switch=switch2 vlan-id=73
/interface pptp-server server
set authentication=chap,mschap1,mschap2 default-profile=pptp-in enabled=yes
max-mru=1500 max-mtu=1500
/interface wireless cap

stopped because not all interfaces available

set caps-man-addresses=192.168.1.1 certificate=request discovery-interfaces=
*F enabled=yes interfaces=*5 lock-to-caps-man=yes
/ip address
add address=192.168.88.1/24 interface=ether09-programmazione network=
192.168.88.0
add address=192.168.72.1/24 interface=br-ospiti network=192.168.72.0
add address=192.168.70.1/24 interface=br-sicurezza network=192.168.70.0
add address=10.10.0.2/24 interface="ether10-modem telecom" network=10.10.0.0
add address=192.168.71.1/24 interface=br-pc network=192.168.71.0