RB3011 with VLANs on switch troubles

Hey there,

I’m not sure why I have problems with switch-based VLAN settings on RB3011 (RouterOS v6.42.12). The same config works as expected on RB2011.

My initial goal was to get rid of default VLAN as my main network. So I want to use VLAN 77 for my main network, VLAN 300 for guests and VLAN 50 for management. All IPs and DHCP servers are on the bridges. My configuration:

Port 1,2:  WAN 1, WAN 2
Port 6: CSS326-24G-2S+ (Main switch)
Port 8: VLAN 77 (PC)
Port 10: wAP

I have no problems with all devices behind the switch (on VLAN 50, 77 and 300). But the device on port 8 has lags to some websites, connections, ICMP - very similar to MTU issues. All issues are gone if I use the default VLAN or move it to the switch. Is this a bug?

My config:

/interface bridge
add admin-mac=:A2 auto-mac=no name=bridge-guests protocol-mode=none
add admin-mac=:A4 auto-mac=no name=bridge-internal protocol-mode=none
add admin-mac=:A3 auto-mac=no name=bridge-manage protocol-mode=none
add admin-mac=:A1 auto-mac=no name=bridge-ports protocol-mode=none

/interface vlan
add interface=bridge-ports name=vlan-50-manage vlan-id=50
add interface=bridge-ports name=vlan-77-internal vlan-id=77
add interface=bridge-ports name=vlan-300-guests vlan-id=300

/interface ethernet switch vlan
add independent-learning=no ports=switch2-cpu,06.SWITCH,10.PoE.16.AP-001 \
    switch=switch2 vlan-id=50
add independent-learning=no ports=switch2-cpu,06.SWITCH,10.PoE.16.AP-001 \
    switch=switch2 vlan-id=300
add independent-learning=no ports=\
    switch2-cpu,06.SWITCH,08.PC,10.PoE.16.AP-001 switch=switch2 vlan-id=77

/interface ethernet switch port
set 5 vlan-header=add-if-missing vlan-mode=secure
set 7 default-vlan-id=77 vlan-header=always-strip vlan-mode=secure
set 9 vlan-header=add-if-missing vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure

/interface bridge port
add bridge=bridge-ports interface=06.SWITCH
add bridge=bridge-ports interface=07.empty
add bridge=bridge-ports interface=08.PC
add bridge=bridge-ports interface=09.empty
add bridge=bridge-ports interface=10.PoE.16.AP-001
add bridge=bridge-manage interface=vlan-50-manage
add bridge=bridge-internal interface=vlan-77-internal
add bridge=bridge-guests interface=vlan-300-guests

EDIT: Removed pvid from /interface bridge port.

The problem is that this is not the way to manage bridges and VLANs.
Create one bridge only and put all your vlans on that.

Use the examples here
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I understand that best practice is to use vlan-filtering, but I need to use VLANs at wire speed. The only way to achieve this on devices like RB3011 is to use the switch chip. So all my VLANs are on one bridge only (bridge-ports) and I’m using switch chip ports to set VLAN ID on access ports. This configuration works without any problems on RB2011, hAP AC 2, hAP AC and many other devices with a switch chip. I see that behavior only on RB3011.

Sorry can’t help you. I only work with new method of setting vlans/bridges.

When configuring VLANs on switch chip (i.e. in /interface ethernet switch vlan and /interface ethernet switch port) you don’t mention any of VLAN config in bridge configuration (i.e. in /interface bridge port and /interface bridge vlan). So you should remove pvid setting in add bridge=bridge-ports interface=08.PC pvid=77 stanza.

In addition to that, I’d set independent-learning=yes on all ports.

Thank you for your suggestion about independent-learning=yes, I will test with this again. You mean /interface ethernet switch vlan, right?

My settings about pvid on the bridge were for testing and do not change the issue (I will remove this from the original post).

OK, I removed all bridges (except bridge-ports) on RB3011 and set IP addresses and DHCP servers on VLAN interfaces and now it works as expected.

Any chance you could show a working config? I’m in this exact situation and can’t figure it out!
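
The change described in the resolution above ("removed all bridges (except bridge-ports) ... set IP addresses and DHCP servers on VLAN interfaces"), written out as an added example that is not part of the original thread or the poster's actual export. It assumes the interface and bridge names from the first post and that each IP address and DHCP server was bound to one of the three per-VLAN bridges, as the first post states; the switch-chip sections (/interface ethernet switch vlan and /interface ethernet switch port) and bridge-ports itself are left unchanged.

```routeros
# Added example, RouterOS v6 syntax. Run from a session that does not depend
# on these VLANs (or with Safe Mode enabled), since L3 access is interrupted
# between step 1 and step 2.

# 1. Take the VLAN interfaces out of the per-VLAN bridges, so each VLAN
#    interface is a plain L3 interface on top of bridge-ports again.
/interface bridge port
remove [find bridge=bridge-manage]
remove [find bridge=bridge-internal]
remove [find bridge=bridge-guests]

# 2. Re-home the existing IP addresses and DHCP servers from the bridges
#    onto the VLAN interfaces (existing address values are kept as they are).
/ip address
set [find interface=bridge-manage] interface=vlan-50-manage
set [find interface=bridge-internal] interface=vlan-77-internal
set [find interface=bridge-guests] interface=vlan-300-guests
/ip dhcp-server
set [find interface=bridge-manage] interface=vlan-50-manage
set [find interface=bridge-internal] interface=vlan-77-internal
set [find interface=bridge-guests] interface=vlan-300-guests

# 3. Remove the now-empty bridges; only bridge-ports remains.
/interface bridge
remove [find name=bridge-manage]
remove [find name=bridge-internal]
remove [find name=bridge-guests]

# 4. Check the result: three VLAN interfaces on bridge-ports, addresses and
#    DHCP servers bound to them, and no leftover per-VLAN bridges.
/interface vlan print
/ip address print
/ip dhcp-server print
/interface bridge print
```

Firewall rules, interface lists or other settings that reference the removed bridges by name are not covered here and need to point at the VLAN interfaces as well, otherwise the guest and management VLANs may no longer be filtered as intended.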