Hello,
I’m unusually struggling to make a simple setup work:
4 ports, to be used as following
Would you be so kind to share a simple setup to meet this above?
I have been struggling with bridges without success
I have been reading this: https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
Support here would be very welcome
Cheers
Yes, this is easy but for gods sake DO NOT USE VLAN1, use vlan11 or 21 or 111. VLAN1 is the default vlan of the bridge which thou shalt not USE or be named. ( didnt you go to Hogwarts?)
Bridge port settings
add bridge=bridge interface=ether1 pvid=11 ingress-filtering=yes frame-types=untagged-and-priority {access port}
add bridge=bridge interface=ether2 pvid=11 ingress-filtering=yes frame-types=untagged-and-priority {access port}
add bridge=bridge interface=ether3 pvid=2 ingress-filtering=yes frame-types=untagged-and-priority {access port}
add bridge=bridge interface=ether4 ingress-filtering=yes frame-types=only-tagged {trunk port}
Bridge vlan settings
add bridge=bridge tagged=bridge,ether4 untagged=ether1,ether2 vlan-ids=11
add bridge=bridge tagged=bridge,ether4 untagged=ether3 vlan-ids=2
What you need to read instead is this excellent reference…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Thanks very much Anav,
First thanks for your time to respond something I can action upon.
The big key I was missing was that a single bridge can achieve this.
I was attempting to get 1 bridge per VLAN, and per-VLAN what ports are access/trunk … which got me nowhere.
Much thanks for this elegant approach!
Thanks also for the great link. This is something I need to spend time to go through.
Bonus points for the Hogward reference, and indeed I’m not using VLAN1, was just for the sake of getting a number for illustration.
Agreed though: I should have picked the VLAN numbers from 2 onwards.
Cheers
Hi,
I’m still struggling to get this to work.
My config below
In short: the trunk works (which is the interface “LAN6(ETH7)”), but I don’t manage to get access ports to work: no IP given when connecting to the ethernet interface.
I’m expecting this config to allocate interface “LAN4(ETH5)” as access port to vlan-id 4 and allocate interface “LAN5(ETH6)” as access port to vlan-id 8
I’ve spent a few hours on this already, and can’t find a deviation from my config vs what you posted.
Am I too close to the tree to see the forest?
Is there something uber-obvious I’m not seeing?
Thanks
#############
## Bridge setup
#############
/interface bridge
add arp=reply-only name=BridgeVlanToLan
/interface bridge port
add bridge=BridgeVlanToLan comment="Access port" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface="LAN5(ETH6)" pvid=8
add bridge=BridgeVlanToLan comment="Access port" frame-types= admit-only-untagged-and-priority-tagged ingress-filtering=yes interface="LAN4(ETH5)" pvid=4
add bridge=BridgeVlanToLan comment="Trunk port" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface="LAN6(ETH7)"
/interface bridge vlan
add bridge=BridgeVlanToLan tagged="LAN6(ETH7)" untagged="LAN4(ETH5)" vlan-ids=4
add bridge=BridgeVlanToLan tagged="LAN6(ETH7)" untagged="LAN5(ETH6)" vlan-ids=8
#############
## Vlan setup
#############
/interface vlan
add arp=reply-only interface="LAN6(ETH7)" name="vlan4(private)" vlan-id=4
add arp=reply-only interface="LAN6(ETH7)" name="vlan8(guest)" vlan-id=8
Please post your FULL config, that stilted view makes me sea sick.
/export hide-sensitive file=anynameyouwish
(just ensure you hide any real WANIP numbers, gateways etc…)
Hi Anav,
yes, I understand your need and appetite to get the full picture … even if I thought that my past extracts was sufficient.
I’m not super comfortable sharing this full config publicly, even when redacting some parts manually. So, I will send to you per email the full config.
For the sake of supporting fellow users facing the same config, i’ll post here the steps to get this vlan accesss port to work, once we have sorted it out.
Cheers
Well for one, its not simple setup.
You have multiple bridges and you assign vlans to a single etherport and not the bridges.
I will skip over the ovpn stuff as its not my area of knowledge…
I also find your nomenclature very confusing with its numbering/naming schema (eth1, LAN2 etc…).
What I need to along with the config is a network diagram that will show me what is going on for all ports.
Vlans going out which ports (trunk (to smart device) access(to dumb device))
Thanks,
Yes, I understand is not simple.
I can help simplify on the bridge front: there is only one bridge. The other 3 bridges are all disabled. FYI, 2 were for OVPN and one was for running tests. But all three are disabled, leaving only the one bridge from sample conf extract shared earlier.
The interface naming is indeed tricky: I combined 2 ideas in one: the ETH hardware address, as printed on the router by Mikrotik + how I use the port (ie: as WAN or LAN).
This is indeed not optimal.
Good call on the diagram, thanks for pointing this out.
Please find it here:
To be clear: the trunk works, but the access ports doesn’t.
I hope this helps
Comments embedded in the text below (not for copy and paste etc.)
/interface bridge
add name=onebridge
/interface ethernet (simplified)
set [ find default-name=ether2 ] name=eth2-LAN
set [ find default-name=ether3 ] name=eth3-LAN
set [ find default-name=ether4 ] name=eth4-LAN
set [ find default-name=ether5 ] name=eth5-LAN
set [ find default-name=ether6 ] name=eth6-LAN
set [ find default-name=ether7 ] name=eth7-LAN
set [ find default-name=combo1 ] name=ETHCOMBO-WAN1
set [ find default-name=ether1 ] name=ETH1-WAN2
set [ find default-name=sfp-sfpplus1 ]
/interface vlan ( dont know why you need arp-reply only but assuming you know what you are doing)
add arp=reply-only interface=onebridge name=vlan4-private vlan-id=4
add arp=reply-only interface=onebridge name=vlan8-guest vlan-id=8
add arp=reply-only interface=onebridge name=vlan9-Gwork vlan-id=9
add arp=reply-only interface=onebridge name=vlan10-Cwork vlan-id=10
add arp=reply-only interface=onebridge name=vlan11-fl vlan-id=11
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/ip pool look fine)
/ip dhcp-server (look good dont forget to disable remove pool for vlan1))
add address-pool=dhcp_poolVlan1 interface="vlan1(default)" lease-time=1d
name=dhcpVlan1
/interface bridge port
add bridge=onebridge interface=ether5 pvid=4 ingress-filtering=yes frame-types=untagged-and-priority {access port}
add bridge=onebridge interface=ether6 pvid=8 ingress-filtering=yes frame-types=untagged-and-priority {access port}
add bridge=onebridge interface=ether7 ingress-filtering=yes frame-types=only-tagged {trunk port}
/interface bridge vlan
add bridge=onebridge tagged=onebridge,ether7 untagged=ether5 vlan-ids=4
add bridge=onebridge tagged=onebridge,ether7 untagged=ether6 vlan-ids=8
add bridge=onebridge tagged=onebridge,ether7 vlan-ids=9,10,11
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=strict tcp-syncookies=yes ( ARE YOU SURE YOU WANT STRICT, Loose is normal, assuming you know what you are doing )
/interface detect-internet (recommend set to NONE as is known to cause issues in the past)
/interface list member
add interface=ETHCOMBO-WAN1 list=WAN
add interface=ETH1-WAN2 list=WAN
add interface=vlan4-private list=LAN
add interface=vlan8-guest list=LAN
add interface=vlan9-Gwork list=LAN
add inerface=vlan10-Cwork list=LAN
add interface=vwlan11-fl list=LAN
add interface=vlan4-private list=TRUSTED ( I mean the the name given to the interface)
add interface=IPSEC NAME list=TRUSTED ( I mean the name given to the interface)
add interface=OVPN NAME list=TRUSTED
(note the address list usage list=support, in input chain rules will further delineate access - this is mainly for the Tools: MAC Server/MAC WinBox Server setting of interface input: interface list=TRUSTED)
You could modify this rule however.........
From
add action=accept chain=input src-address-list=support
comment="Full access for SUPPORT address list" log-prefix="FW accept - SupportSubnet: "
TO
add action=accept chain=input src-address-list=support in-interface-list=TRUSTED
comment="Full access for SUPPORT address list" log-prefix="FW accept - SupportSubnet: "
/ip address (seem okay)
/ip dhcp-server network (seem okay can disable the old vlan1)
add address=192.168.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.1.254
/ip firewall nat ( I cannot recall seeting TO ADDRESSES in any sourcenat rule so my inclination is that this is wrong, but my experience is limited)
add action=src-nat chain=srcnat comment="NAT to WAN1" ipsec-policy=out,none
out-interface="WAN1(ETH)" to-addresses=192.168.Y.CD
add action=src-nat chain=srcnat comment="NAT to WAN2" ipsec-policy=out,none
out-interface="WAN2(ETH1)" to-addresses=192.168.X.EF
/ip service ( I recommend disabling any NON encyrpted services TELNET, FTP, WWW, API)
set telnet a
set ftp
set www
set api
Many thanks anav,
I appreciate the effort and time.
will need a bit of time to go through and digest.
I can already share some lights on some points you wondered:
You have added the DHCP IP pool of vlan 1 (192.168.1.x/24) - would I need that?
Or is it OK if I keep working with the IP pool I have already set per VLAN?
Thanks
You missed one holy book then: https://mum.mikrotik.com/presentations/EU17/presentation_4058_1490948376.pdf
I’m a bit afraid that after reading it, you may go and purge masquerade everywhere at all costs, but…
here right now might be the the tipping point that spirals this thread out of control 
I’m sorry for that, I wanted to ignore that claim at first, but seeing to-addresses in srcnat as bad, it’s just too bad.
That question was indeed, meant for SOB, and the response I was looking for has been returned… I dont understand it but will attempt to read the link.
Sorry eguun, I provided the IP Pool to show which one needs to be removed not added LOL.
Disappointed Sob didnt chime in on the RP filter strict and loose though 
)
And only one comment on my lengthy post, im duing gude
Thanks for these clarifications
Maybe he’s seen your point on strict/loose convincing enough … I’m still googling without success what post/documentation I could have bumped into that drove me to change this parameter. I’m seeing specific use cases with Autonomous Systems way beyond my fairly basic setup.
RP filter guards against spoofed packets on wrong interfaces. If you have route to subnet X on interface A, then packets from X coming in on interface B will be seen as invalid and silently dropped. So silently that you won’t be notified in any way, so it’s fun to debug. That’s for strict, the loose variant relaxes it and checks only for sources with no routes to. I have in my TODO list to check, if it actually does anything useful on typical router with default route to 0.0.0.0/0, i.e. with no address really unreachable. Strict variant breaks things like multi-WAN.
I can’t otherwise comment much on config when it’s secret. IMHO not the best way, you know, more eyes…
Thanks for the message.
Yes, that would indeed be a nive try for a home-lab.
Your comment hits home as I’m using the mikrotik on dual-wan. No regret moving back the setting to loose.
Calling out that your lack of comment offsprings because of missing info kind of bursts the joy-bubble, doesnt it?
Joke aside, I’ll be happy to share … unless anav states that I have not redacted enough.
On what email would you like me to post it?
Yeah I wouldnt post it due to the heavy ipsec content but I can vouch for Sob as being trustworthy.
If sob wants to give me his email I will pass on to you… separate from the forum
seeing as Mr OPEN SOB, is to fraidy cat to put email where his mouth is. (aka on profile)
Hint for Sob: Just make a temp one on gmail, so that your aloofness remains protected!
Thanks anav for you judgement and volunteering to act as middle man.
I’m happy with that construct … of course, should he opt for disclosing to you such essential piece of extremely personal information
On your config, the big stuff I though diverging from my run were:
1- the VLANs I had were associated to a physical ethernet port, not the bridge … duh! So in my previous setup, the ethernet port #7 was where all the VLAN where associated acted -de-facto- as a trunk
2- I had not tagged the bridge in the command /interface bridge vlan add bridge=onebridge tagged=onebridge,ether7 untagged=ether5 vlan-ids=4
Now I have associated all VLAN to the bridge (and tagged the bridge), and the trunk works very well. Thanks!
I’m still getting no luck to get the access port to work.
I must be close!
Does the classification of ports (as LAN/WAN/TRUSTED) play an essential role here for getting the bridge to mark an ethernet port as access?
Thanks
Nope, at least not the way you attempted to do so.
If your bridge setup is as its supposed to be and you cannot pull an IP address then one should go back to the fundamentals of the vlan.
. attached to the bridge?
.correct IP pool
.correct IP address
.correct dhcp server
.correct dhcp server network.
send me your latest config…