RouterOS 7 VLAN access problem on PPC architecture

Hi all,

We had a problem with RouterOS 7 on PPC devices (e.g. RB850Gx2).

When the config below is applied on a PPC arch device, it is inaccessible via WinBox or SSH. It is unable to communicate over IP, but switching and ping are working. MAC WinBox is working too.
On the mipsbe architecture (e.g. RB450G) this config works well. I assume there is a bug in the VLAN handling of the PPC architecture.

/interface bridge add name=bridge-lan protocol-mode=none
/interface vlan add interface=bridge-lan name=bridge-lan.44 vlan-id=44
/interface ethernet switch port set 0 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch port set 1 default-vlan-id=44 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 2 default-vlan-id=44 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 3 default-vlan-id=44 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 4 default-vlan-id=44 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 5 default-vlan-id=0 vlan-mode=secure
/interface bridge port add bridge=bridge-lan interface=ether1
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/interface bridge port add bridge=bridge-lan interface=ether4
/interface bridge port add bridge=bridge-lan interface=ether5
/interface ethernet switch vlan add independent-learning=no ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=44
/ip address add address=192.168.44.91/24 interface=bridge-lan.44 network=192.168.44.0
/ip dns set servers=192.168.44.11,192.168.44.12
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.44.254 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

ether1 is the trunk port and the others are access ports. I tested access from both the trunk side and the access side.

I tested it on the RB850Gx2 with bridge VLAN filtering instead of the switch config. In this case the router can be accessed over IP via the access ports (ether2-5) but cannot be accessed via the trunk port. MAC WinBox worked on both.

/interface bridge add ingress-filtering=no name=bridge-lan protocol-mode=none vlan-filtering=yes
/interface vlan add interface=bridge-lan name=bridge-lan.44 vlan-id=44
/interface bridge port add bridge=bridge-lan frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether1
/interface bridge port add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=44
/interface bridge port add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=44
/interface bridge port add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=44
/interface bridge port add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=44
/interface bridge vlan add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2,ether3,ether4,ether5 vlan-ids=44
/ip address add address=192.168.44.91/24 interface=bridge-lan.44 network=192.168.44.0
/ip dns set servers=192.168.44.11,192.168.44.12
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.44.254 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Both configs above work well with RouterOS 6 on the RB450G and RB850Gx2, but with RouterOS 7 they work only on the RB450G.
Personally, I prefer the switch config variant because hardware offload works only with it.

This bug is still present in RouterOS 7.2.1 and 7.3beta33 too.
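Since the thread's conclusion is that the configuration is correct and the platform is at fault, a quick lint of the bridge-VLAN export helps separate configuration lock-outs from platform ones. This is an added example, not MikroTik's code or any poster's script; it parses the `export`-style lines shown above and assumes single VLAN ids in `vlan-ids` (ranges are not expanded).

```python
# Added illustration (not MikroTik's or a poster's code): lint a RouterOS export for the
# bridge-VLAN mistakes that cut off IP management. VLAN-id ranges such as 10-20 are not expanded.
from typing import Dict, List

def _kv(line: str) -> Dict[str, str]:
    # key=value tokens of one export line; path words like "/interface bridge" carry no "="
    return dict(t.split("=", 1) for t in line.split() if "=" in t)

def lint(export: str) -> List[str]:
    """Return findings; an empty list means the VLAN logic itself cannot explain a lock-out."""
    bridges, bvlans, ports, vifs, addrs = {}, [], [], {}, {}
    for raw in export.splitlines():
        line, kv = raw.strip(), _kv(raw)
        if line.startswith("/interface bridge add"):
            bridges[kv["name"]] = kv
        elif line.startswith("/interface bridge vlan add"):
            bvlans.append(kv)
        elif line.startswith("/interface bridge port add"):
            ports.append(kv)
        elif line.startswith("/interface vlan add"):
            vifs[kv["name"]] = kv
        elif line.startswith("/ip address add"):
            addrs[kv["interface"]] = kv["address"]
    out = []
    for iface, addr in addrs.items():  # management IP on a VLAN interface of a filtering bridge?
        vif = vifs.get(iface)
        if not vif or bridges.get(vif["interface"], {}).get("vlan-filtering") != "yes":
            continue  # plain interface, or bridge without vlan-filtering: no table is enforced
        parent, vid = vif["interface"], vif["vlan-id"]
        rows = [r for r in bvlans if r.get("bridge") == parent and vid in r.get("vlan-ids", "").split(",")]
        if not rows:
            out.append(f"{iface} {addr}: VLAN {vid} missing from bridge {parent} VLAN table")
        elif parent not in {m for r in rows for m in r.get("tagged", "").split(",")}:
            out.append(f"{iface} {addr}: {parent} not tagged for VLAN {vid}; CPU gets no management frames")
    for p in ports:  # a tagged-only trunk must be a tagged member of at least one VLAN on its bridge
        tagged = {m for r in bvlans if r.get("bridge") == p["bridge"] for m in r.get("tagged", "").split(",")}
        if p.get("frame-types") == "admit-only-vlan-tagged" and p["interface"] not in tagged:
            out.append(f"{p['interface']}: tagged-only trunk is not a tagged member of any VLAN")
    return out

# Constructed sample: the thread's bridge-vlan-filtering config, trimmed to the trunk and one access port.
GOOD = """
/interface bridge add ingress-filtering=no name=bridge-lan protocol-mode=none vlan-filtering=yes
/interface vlan add interface=bridge-lan name=bridge-lan.44 vlan-id=44
/interface bridge port add bridge=bridge-lan frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether1
/interface bridge port add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=44
/interface bridge vlan add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2 vlan-ids=44
/ip address add address=192.168.44.91/24 interface=bridge-lan.44 network=192.168.44.0
"""
BAD = GOOD.replace("tagged=bridge-lan,ether1", "tagged=ether1")  # constructed: bridge dropped from `tagged`
```

Both configurations posted in the thread pass this lint, which is consistent with the posters' finding that the fault lies in the PPC build rather than in the configuration.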

I am registering the same problem; last tested on RouterOS 7.3 Stable.

I just upgraded my RB850Gx2 to RouterOS 7.6 stable from 6.49.7. My VLAN config is similar to soosp’s first config and I’m experiencing the same issue. I thought I had bricked my router when WinBox didn’t reload after the 7.6 upgrade. It’s not accessible via WinBox over IP or via SSH, but it otherwise seems to be working fine, responds to ping, and can be accessed via MAC WinBox.

Regarding SSH, I have a series of firewall rules set up to block repeated SSH attempts. After the ROS 7.6 upgrade, I noticed my SSH attempts were blocking my own machine. I can see in my firewall logging that my machine’s SSH connection is accepted at first, but apparently a connection is never established. Subsequent attempts hit the SSH brute-force rules and eventually block my own machine, even though it should have been able to access the router via SSH.

My RB750GL (which operates only as a switch in my network) upgraded to ROS 7.6 without any issues and is still accessible by IP with WinBox.

Is there a solution for this?

I reported the situation to support. Here is the answer.

Hello,

Thank you for the report!

We have managed to reproduce the issue locally in our labs and look forward to fixing it on upcoming RouterOS versions, unfortunately, I cannot provide a release date now.

Best regards,
Edgars P.

Just wanted to chime in, the issue still exists on a RB850Gx2 and ROS v7.7. I was using the RB850 as a CAPSMAN manager and DHCP/DNS server, and using a trunk port to communicate to three different VLANs. I noticed that DNS server capabilities and WinBox direct connection via IP stopped working, and spent the last two days troubleshooting it. However, CAPSMAN and DHCP continued to work during my testing.

Took me a lot of head scratching before I decided to duplicate the configuration on an mAP, which is working fine right now and has taken over duties temporarily. I finally searched on the forums, and this thread came up.

I also found that once a trunk port with a bridge configuration is put in place, even removing all VLAN configurations and turning off VLAN filtering does not appear to fix the problem. Only removing the trunk port from the bridge and then re-adding it seems to temporarily fix the access issue, until VLAN filtering is turned on again. Once it’s turned on, all Winbox access is lost on that port.

I know the RB850Gx2 is an older platform on PowerPC, so while I’m slightly annoyed that there wasn’t anything published other than this forum thread about it not working, I’m relieved that this bug doesn’t seem to exist on the MIPS and ARM platforms, which is what most of my Routerboard equipment is based on.

I haven’t tested it on an old RB1200 (PowerPC) that’s still in production (running ROS 6.48.5), but seeing as it may be linked to the PowerPC platform, I’ll probably just upgrade that unit to a newer one.

I was able to come up with a workaround for certain use cases. Disabling “Switch All Ports” allows ether1 to be used. I have not verified that the other ports work.

Turns out it seems to be related to how the Switch Chip is handled on the device. For my use case (CAPsMAN, DNS/DHCP, Router-On-A-Stick), I don’t need the switch, so I disabled “Switch All Ports” which releases ether1 to the CPU. After that, bridging, VLANs, and IP access (and DNS) all work properly. Note that turning on “Switch All Ports” afterwards does not fix the issue, and in fact requires a reboot to gain access to the router.

For my use case, I think this is “good enough”. I put a note in that pops up every time I remotely access this device to not use trunk ports with the switch so I don’t accidentally lock myself out in the future.

I also verified that v7.8 still has the issue. Hope this helps someone.

The bug exists in RouterOS 7.8 too. Additionally, my related support ticket was closed by MikroTik without any solution or substantive response.
I made some tests and found that ping works on the VLAN interfaces in both directions, even with a packet size of 1500, but other communication methods don’t.

The bug still exists with recent versions of RouterOS on the RB850Gx2. Any solution, MikroTik?

It seems that they know about the error but don’t solve it. The MikroTik is not accessible through WinBox/HTTP on v7.

Out of curiosity: have you tried 7.15?

This bug still exists on the RB850Gx2 with RouterOS v7.15.3. It still happens exactly as described by soosp in the first two posts of this thread.

The bug still exists on 7.16-ppc, it seems. Does this also affect SSH connectivity and DNS? I can’t get those either, and I have gone through my config time and time again.

Update: It also exists on 7.17beta4. I used Netinstall to downgrade to 6.49.17, restored my backup script, now everything works. I knew my config was correct. The fact this is not fixed and it’s been so long is kind of shocking. I always recommended MikroTik but this situation has put me off a bit. As long as it’s fixed before support for v6 is ended, though, I’ll be happy enough.

And to confirm, yes, it also affects SSH, DNS, and other connections on the input chain whenever a trunk port is in use.

Have supout bug reports been sent to MT on these issues?

Look at http://forum.mikrotik.com/t/routeros-7-vlan-access-problem-on-ppc-architecture/157216/7