RB4011 and VLANS

Hello all,

I have a problem with VLANs setup on RB4011. I am using the bridge configuration method. The connection setup is this:
on the Mikrotik, ports eth3 and eth5 are configured as “access” ports with PVID 2004. Port eth2 is a trunk port where I have a server which is sending tagged frames with VLAN 2004. Here is the relevant config of the Mikrotik (if anything more is needed let me know, I will post it):

/interface bridge
add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes dhcp-snooping=no \
    disabled=no ether-type=0x8100 fast-forward=yes forward-delay=15s \
    frame-types=admit-all igmp-snooping=no ingress-filtering=no \
    max-message-age=20s mtu=auto name=bridge_S1_net priority=0x8000 \
    protocol-mode=rstp pvid=2004 transmit-hold-count=6 vlan-filtering=yes
 
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge_S1_net broadcast-flood=yes \
    disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none \
    hw=yes ingress-filtering=no interface=ether2 internal-path-cost=10 learn=\
    auto multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=2004 restricted-role=no restricted-tcn=no \
    tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes 
add auto-isolate=no bpdu-guard=no bridge=bridge_S1_net broadcast-flood=yes \
    disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none \
    hw=yes ingress-filtering=no interface=ether3 internal-path-cost=10 learn=\
    auto multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=2004 restricted-role=no restricted-tcn=no \
    tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge_S1_net broadcast-flood=yes \
    disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none \
    hw=no ingress-filtering=no interface=ether5 internal-path-cost=10 learn=\
    auto multicast-router=temporary-query path-cost=10 point-to-point=auto \
    priority=0x80 pvid=2004 restricted-role=no restricted-tcn=no \
    tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes        

/interface bridge vlan
add bridge=bridge_S1_net disabled=no tagged=ether2 untagged=ether3,ether5 \
    vlan-ids=2004
	 
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
 
/ip address
add address=192.168.148.1/24 disabled=no interface=bridge_S1_net network=\
    192.168.148.

First I created a bridge with PVID 2004. After that, I added the ports to the bridge (eth2, eth3 and eth5). I set the PVID to 2004 on all of those ports. At the end I configured the VLAN 2004 and added the ports to the tagged/untagged groups (eth2 to tagged, eth3 and eth5 to untagged).

What I find strange is that from the Mikrotik, I can ping the server (192.168.148.135) and the PCs (192.168.148.101 and 192.168.148.90). However, PCs cannot ping the server (but they can ping each other).

I am kinda lost right now as to what I did wrong, so any help here would be appreciated.
I already tried to leave all PVIDs at 1 and only configure the VLAN under /interface bridge vlan, but that didn’t work. A combination of setting the PVID to 2004 only on the access ports (eth3 and eth5) also did not work, so I am slowly running out of ideas and need some help. :slight_smile:

Thanks!

Not sure if it really breaks things for you, but on trunk port PVID should not be set (or it should be set to un-used VID).

As a matter of security, trunk (tagged-only) ports should have frame-types=admit-only-vlan-tagged ingress-filtering=yes set, while access (untagged-only) ports should have frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes set. Those settings then actually enforce proper filtering according to VLAN IDs and tagged/untagged properties.

For better readability, next time post the output of the export command (run in the relevant config subtree) … print detail indeed produces detailed output, but most of it is not relevant most of the time, and the excess information obscures the relevant settings.
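The hardening described in the reply above, written out as RouterOS commands against the bridge and port names from the original post. This is an added illustration, not a snippet from either poster; the unused PVID value 999 on the trunk is an arbitrary choice.

```routeros
# Added example: enforce tagged-only on the trunk and untagged-only on access ports.
# Assumes the bridge and ports from the original post (bridge_S1_net, ether2/3/5).

# Trunk port (ether2): admit only VLAN-tagged frames, and with ingress-filtering=yes
# drop any frame whose VID is not allowed on this port in /interface bridge vlan.
# PVID is moved off 2004 to an unused VID (999 here, arbitrary choice) so that an
# untagged frame could never be classified into VLAN 2004 on the trunk.
/interface bridge port set [find interface=ether2] \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes pvid=999

# Access ports (ether3, ether5): admit only untagged (or priority-tagged) frames,
# classify them into PVID 2004, and enforce that 2004 is allowed on each port.
/interface bridge port set [find interface=ether3] \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=2004
/interface bridge port set [find interface=ether5] \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=2004

# VLAN table as posted: 2004 leaves tagged towards the server, untagged towards the PCs.
/interface bridge vlan set [find vlan-ids=2004] \
    tagged=ether2 untagged=ether3,ether5

# Verify with a plain export (non-default values only), as suggested in the reply,
# and check the VLAN table; a "D" flag marks entries RouterOS added from port PVIDs.
/interface bridge port export
/interface bridge vlan print
```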

It does not, thanks for the tip.

I added the additional security configs as you said, but if I understand correctly, the Mikrotik should tag and untag the frames anyway.

As for the output, yes, I used export verbose, will tone it down next time :slight_smile:

As for the setup, the customer agreed to connect the server to their switch and they will pass us the connection without the need for VLANs. But it is strange, I had the same setup (only with VLAN 601) and it worked, when I changed it to use 2004 it broke…

Again, thanks for the help!

From time to time it seems that re-configuring some stuff in ROS doesn’t properly undo the old config … i.e. the exported config looks just fine, but the device doesn’t behave. If one then exports the config (ASCII export), resets the device to defaults and applies the previously exported config, the device starts to perform according to the configuration.