Routing issue with switch (hAP ac2) and VLANs

Hello everyone.
In the previous topic I was fighting with bridge filtering http://forum.mikrotik.com/t/better-way-to-pass-wan-untagged-to-lan-tagged/137155/1

I was able to configure the following:
[image: VLAN-Question-2.png]

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan

/interface vlan
add interface=ether1-wan name=vlan10-wan vlan-id=10

/interface bridge
add name=br protocol-mode=none

/interface bridge port
add bridge=br interface=wlan24
add bridge=br interface=wlan50
add bridge=br interface=ether2
add bridge=br interface=ether3
add bridge=br interface=ether4
add bridge=br interface=ether5
add bridge=br interface=wlan24.1
add bridge=br interface=wlan50.1
add bridge=br interface=ether1-wan

/interface ethernet switch port
set 0 default-vlan-id=10 vlan-mode=secure
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=secure

/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=no ports=ether1-wan,ether2,switch1-cpu switch=switch1 vlan-id=10

So, my router got 176.38.50.85/14 from an ISP via DHCP on vlan10-wan:

  0  vlan10-wan  no  yes  bound  176.38.50.85/14
  
     DAd  0.0.0.0/0         176.36.0.1     1
     DAC  10.10.10.0/24     br             0
     DAC  176.36.0.0/14     vlan10-wan     0

and my server (connected to ether2) got 176.38.50.112/14 also from the ISP via DHCP:

vlan10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 176.38.50.112  netmask 255.252.0.0  broadcast 176.39.255.255

0.0.0.0         176.36.0.1      0.0.0.0         UG    0      0        0 vlan10
176.36.0.0      0.0.0.0         255.252.0.0     U     0      0        0 vlan10

NAT users in VLAN1 are able to access the internet, and the server is able to access the internet via vlan10.
The only problem is that the router and the server are unable to ping each other, i.e. 176.38.50.85/14 ↔ 176.38.50.112/14, and NAT users are unable to ping the server 176.38.50.112/14.
What is my mistake?

Probably it’s the thing you already mentioned in the other thread: interface vlan10-wan should be anchored on bridge, not on ether1 interface.

I don’t know why it doesn’t work for you. But I really dislike mixed use of tagged and untagged frames over a bridge. When I did my setup, I also got weird effects, which don’t show if only tagged frames pass the bridge. Essentially, ether2-ether5 should have pvid/default-vlan-id set as well (and add another vlan interface on the bridge to interact with the new VLAN). And all wlan interfaces should use vlan-id as well …

It looks like the issue (unable to get an IP via DHCP from the ISP) with vlan10-wan anchored on the bridge is related to the fact that packets from the CPU are not being forwarded to the switch. I added a switch rule “copy all packets from switch1 cpu to ether1-wan” and was able to get an IP via DHCP from the ISP.
But I suppose it’s not the right way, as CPU load was a few times higher than with the bridge vlan filtering option, covered in the previous topic.

With vlan10-wan anchored on ether1-wan, I was able to get the original issue solved by adding vlan10 on ether2 too, bridging vlan10-wan and vlan10-ether2 with a new bridge (the DHCP client is assigned on the new bridge). However, it’s another misconfiguration: https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#Bridged_VLAN

So, the first option (vlan10-wan anchored on the bridge) is looking better. Just need to understand how to properly configure it…
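As an added example (not posted by anyone in this thread), this is how the "first option" from the posts above could be expressed with bridge VLAN filtering instead of the switch-chip VLAN table: the untagged ISP feed on ether1-wan is placed into VLAN 10, VLAN 10 leaves ether2 tagged for the server, the bridge itself is a tagged member of VLAN 10 so the CPU receives it, and vlan10-wan is created on the bridge. Interface names and VLAN ids are taken from the thread; the frame-types and ingress-filtering settings are an assumption added so that a tagged frame arriving on the WAN port cannot be injected into another VLAN.

```routeros
# Assumed configuration, not the thread's own; names and VLAN ids follow the posts above.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan

/interface bridge
add name=br protocol-mode=none vlan-filtering=no

/interface bridge port
# WAN: ISP sends untagged frames, classify them as VLAN 10 and drop anything tagged.
add bridge=br interface=ether1-wan pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Server port: VLAN 1 untagged (pvid), VLAN 10 tagged.
add bridge=br interface=ether2 pvid=1 ingress-filtering=yes
# Plain LAN access ports and wireless: VLAN 1 only, no tagged frames accepted.
add bridge=br interface=ether3 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br interface=ether4 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br interface=ether5 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br interface=wlan24 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br interface=wlan50 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 10: untagged towards the ISP, tagged towards the server and the CPU (bridge itself).
add bridge=br untagged=ether1-wan tagged=ether2,br vlan-ids=10
# VLAN 1: the NAT users; bridge is a member so the router keeps its 10.10.10.0/24 address on br.
add bridge=br untagged=ether2,ether3,ether4,ether5,wlan24,wlan50,br vlan-ids=1

# WAN-facing L3 interface anchored on the bridge, as suggested in the thread.
/interface vlan
add interface=br name=vlan10-wan vlan-id=10

/ip dhcp-client
add interface=vlan10-wan disabled=no

# Enable filtering only after the VLAN table is complete, otherwise access is cut off.
/interface bridge
set br vlan-filtering=yes
```

After enabling, `/interface bridge port print` should show the H flag on the Ethernet ports if the switch chip offloads the filtering; if it does not, the CPU load the poster mentioned will return.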

You can post the complete config as exported by running the command /export hide-sensitive … and we’ll try to see if there’s something not so obviously wrong…