RB4011iGS - 3 VLANS one not working

huetty · December 18, 2024, 2:11pm

Hi,
i have a RB4011iGS+ (vers 7.16.2) - and following scenario:

VLAN 1 (untagged vlan)
VLAN 150 (guest)
VLAN 160 (iot)
trunk Port ether10 (uplink)
trunk Port ether5 (downlink)
accessPorts VLAN 160 - eth4, eth7, eth8
accessPorts VLAN 150 - eth2

Now when i create a VLAN Interface for 150 and put it to birdge1 and set up en DHCP Client there is no lease.
When i put one for 160 all works great.
I can Ping from the Box both gateways 150 and 160, but when i select the bridge the 150 won’t ping when i set to vlan-eth-160 then i can ping both Gateway 150 and 160.
I thought that on 7.1 and above i chan set up the vlan on bridge.
But now i am confused. Or is the box done?
I have reset the box to 0 and configured all once again. But no luck.
Can somone give me a hint?
Thx
Huetty

erlinden · December 18, 2024, 2:38pm

Don’t use VLAN ID 1…ever!

Want to read more:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

huetty · December 19, 2024, 10:41am

I do not use VLAN 1 as tagged - my ‘VLAN1’ is always untagged so i have a untagged LAN and two tagged VLANS. In the GUI the dynamic VLAN untagged shows with No. 1.
But thank you for the hint. I did read this before, but somehow is didn’t recognize this section.
Can it also make trouble, when i let one VLAN untagged?
Thx for support!
Huetty
Edit: I didn’t change the default PVID of the Interfaces in Bridge, so from here is the VLAN 1 - but why is there a 1 as default when it uses 0?

anav · December 19, 2024, 12:21pm

Before too much confusion, simply post your current config, sounds like you are fine.

/export file=anynameyouwish ( minus router serial#, any public WANIP information, keys etc. )

huetty · December 19, 2024, 12:54pm

Ok Thanks,
here ist the config
best regards
Huetty
halle.rsc (2.1 KB)

anav · December 19, 2024, 8:10pm

Lots of blank holes have to guess at as config is not clear in intentions.
but assuming ethe1 is the wan port and the Bridge LAN, now vlan10 is the TRUSTED subnet.

Where are the rest of the rules… firewall rules, dhcp server, pool etc…
Is this not a router facing the internet…??? or did you mean for this solely to be a switch??

# model = RB4011iGS+
# serial number = xxx
/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] comment=Stexxx
set [ find default-name=ether3 ] comment="Downlink 66-3"
set [ find default-name=ether4 ] comment=Jaxx
set [ find default-name=ether5 ] comment="wlan IOT"
set [ find default-name=ether6 ] comment="Bxx"
set [ find default-name=ether7 ] comment=Doxx
set [ find default-name=ether10 ] comment="Uplinkxxx"
/interface vlan
add interface=bridge1 name=vlan150 vlan-id=150
add interface=bridge1 name=vlan160 vlan-id=160
add interface=bridge1 name=VLAN10-lan vlan-id=10
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether2  pvid=150
add bridge=bridge1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether3 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether4  pvid=160
add bridge=bridge1 ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether5 comment="trunk port to???"
add bridge=bridge1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether6 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether7  pvid=160
add bridge=bridge1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether8  pvid=160
add bridge=bridge1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether9  pvid=10
add bridge=bridge1 ingress-filtering=yes frame-type=admit-only-vlant-tagged interface=ether10  comment="trunk port to???"
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5,ether10  untagged=ether3,ether6,ether9  vlan-ids=10  comment="management/trusted vlan"
add bridge=bridge1 tagged=bridge1,ether5,ether10, untagged=ether2 vlan-ids=150
add bridge=bridge1 tagged=bridge1,ether5,ether10, untagged=ether4,ether7,ether8 vlan-ids=160
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-client
add disabled=yes interface=vlan160
add disabled=yes interface=vlan150
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system identity
set name=Hallxxx
/system note

huetty · December 20, 2024, 10:22am

Sorry about that.
Yes it is just used as a switch. The uplink ist eth10 (to an Wifi 60G) - behind the 60G the vlan 150 is OK and works. The device is connected to 60 G Wlan an then comes the network with the WAN Port and Firewall.
The vlan 160 is for iot devices, the 150 for guest and ‘1’ is the LAN.

Now i have configured to use vlan 160 so i can move on with the work, but i want to give our employees the guest Network (vlan 150) as WLAN.
Sorry that i didn’t write this sooner.

anav · December 20, 2024, 2:39pm

So the MT device incoming trunk port (from upstream) is on etherX and on that port incoming is 2 vlans and 1 untagged flow of data?
So its getting a hybrid port from the 60G?

Is there a trunk port exiting the MT device, aka is it feeding any other smart devices and if so which ports…

Assuming your LAN is the trusted subnet…