[SOLVED] Issue with Setting Up Tagged VLAN on bridge

Hello,

I have a MikroTik CAP ax and I am trying to set up VLANs. The configuration with CAPsMAN running as a VM on Proxmox (10.10.0.5) works well for VLAN 1110 (10.10.0.201). However, I am struggling to set up bridgeLocal with tagged VLAN 1500 to receive a DHCP lease (although this is not a necessity). I simply need VLAN 1500 to be active on bridgeLocal.

When i ignore the bridge and just jet the vlan1110 and vlan1500 i have the connection to gw and clients are able to receive leases from external dhcp server, but I’m pretty sure that the configuration is not correct.

I have untagged VLAN 1 as passive and everything else is apparent from the configuration

VLAN Interface Configuration:

 0 R vlan1010  1500  enabled     1010  bridgeLocal
 1 R vlan1020  1500  enabled     1020  bridgeLocal
 2 R vlan1030  1500  enabled     1030  bridgeLocal
 3 R vlan1040  1500  enabled     1040  bridgeLocal
 4 R vlan1050  1500  enabled     1050  bridgeLocal
 5 R vlan1060  1500  enabled     1060  bridgeLocal
 6 R vlan1070  1500  enabled     1070  bridgeLocal
 7 R vlan1080  1500  enabled     1080  bridgeLocal
 8 R vlan1090  1500  enabled     1090  bridgeLocal
 9 R vlan1110  1500  enabled     1110  bridgeLocal
10 R vlan1200  1500  enabled     1200  bridgeLocal
11 R vlan1500  1500  enabled     1500  bridgeLocal
12 R vlan1600  1500  enabled     1600  bridgeLocal

Bridge Configuration:

name="bridgeLocal" mtu=auto actual-mtu=1500 l2mtu=1560 arp=enabled 
arp-timeout=auto mac-address=D4:01:C3:97:24:B1 protocol-mode=rstp 
fast-forward=yes igmp-snooping=yes multicast-router=temporary-query 
multicast-querier=no startup-query-count=2 last-member-query-count=2 
last-member-interval=1s membership-interval=4m20s querier-interval=4m15s 
query-interval=2m5s query-response-interval=10s 
startup-query-interval=31s250ms igmp-version=2 mld-version=1 auto-mac=no 
admin-mac=D4:01:C3:97:24:B1 ageing-time=5m priority=0x8000 
max-message-age=20s forward-delay=15s transmit-hold-count=6 
vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all 
ingress-filtering=yes dhcp-snooping=no port-cost-mode=long mvrp=no

Bridge Port Configuration (ether1):

interface=ether1 bridge=bridgeLocal priority=0x80 edge=auto 
point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all 
ingress-filtering=yes unknown-unicast-flood=yes 
unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
bpdu-guard=no trusted=no mvrp-registrar-state=normal 
mvrp-applicant-state=normal-participant multicast-router=temporary-query 
fast-leave=no

Bridge VLAN Configuration:

0  bridgeLocal  1010  ether1                          
              1020                                  
              1030                                  
              1040                                  
              1050                                  
              1060                                  
              1070                                  
              1080                                  
              1090                                  
              1200                                  
              1600                                  
1  bridgeLocal  1110  bridgeLocal                     
              1500  ether1

IP Addresses:

0  192.168.88.1/24   192.168.88.0  ether2     
1  10.10.0.211/24    10.10.0.0     vlan1110   
2 X 10.10.150.211/24  10.10.150.0   bridgeLocal

didn’t sleep for days now, will really appreciate your help.

Could you post your ocnfig the following command:

/export file=anynameyouwish

That way it’ll be better readible and will have more details about the configiuration which are not visible in your format

Thanks for reply, please find the file attached.

to add, vlan1500 is tagged base vlan, 1110 is management
cap_config.rsc (11.4 KB)

I think your problem corresponds to the following one:

https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithsimplifiedbridgeVLANtable

The solution to it is adding a separate Bridge VLAN entry for every VLAN ID in the bridge VLAN table.

You could also remove ether2 from the bridge because I don’t see it as part of the VLAN configuration, as well as the bridge address to avoid mishap.

Also, I don’t see any RADIUS client configuration and I assume you’re using the service for DHCP leases

Got you, that could work. However, when I applied it, it didn’t. The reason is simple: possibly, I didn’t specify it deeply enough.

I have a physical switch before it where all VLANs are tagged and VLAN1 is untagged. The RADIUS server is just forwarding requests to a Debian FreeRADIUS server, and upon success, the client gets a lease from the OPNsense firewall. This is working as it’s running on the management VLAN.

My issue is that I cannot receive a lease directly on the bridge. With my current configuration, I can receive a lease on the VLANX interface when Ether1 is tagged on it. This setup is working, but I need to have the bridge tagged to get a lease on it for VLAN1500. I do not know what I am doing wrong.

Current bridge vlan’s config, where :

#   BRIDGE       VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridgeLocal      1110  ether1          		bridgeLocal     
1   bridgeLocal      1500  ether1          		bridgeLocal

dhcp client:

# INTERFACE    USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS        ADDRESS         
;;; defconf
0 bridgeLocal  yes           yes                searching...                  
;;; defconf
1 vlan1500     yes           yes                bound         10.10.150.211/24
;;; defconf
2 vlan1110     yes           yes                bound         10.10.0.211/24

and what i need is tag vlan1500 on bridge to get the lease on it

#   BRIDGE       VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridgeLocal      1110  ether1          		bridgeLocal     
1   bridgeLocal      1500  bridgeLocal                  ether1

what do you thing?

You plan to have 12 SSIDs?

No i don’t, have just one and radius is managing what Vlan will be assigned.

This piece of hw is Cap ax device as an one of AP’s as bridge for it.

As i was mentioning, vlan’s are up, dhcp working, CapsMan managing SSID’s and the rest is basically managed by OPNsense FW.
Vlan’s tagget on ether1 with 1110 and 1500 are getting the lease as Vlan interface, but i need the bridge to be tagged with 1500

Is it even a mistake not to have an IP on the bridge interface?
Isn’t it enough to have IPs on the VLANs if it works?

The only problem is with this:

I think what you’re looking for is this:

https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-ChanginguntaggedVLANforthebridgeinterface

Yes, TheCat12 is the Master! Thanks a lot, I really appreciate your help.

Bridge UP and solved. Closing

Now, another problem has occurred. I get the address on the bridge interface in VLAN1500, so that’s fine. The problem is that I can’t ping the gateway. I tried running Torch to find out where the problem is, and when I turn it on for bridgeLocal with the ICMP protocol, the ping starts working, but it’s periodic—sometimes it works, and then it doesn’t. The same thing happens without Torch. I’m confused.

I thought about it, but I don’t want to assume that the issue is because the interface in OPNsense (gateway for VLAN1500) has MSS set to 1420.

Adjusting the MSS to 1420 didn’t help.

add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1420 passthrough=yes

When I had the lease directly on VLAN1500, the ping worked without any problems. Could Frame Types the issue? On my port i have admit all

 0     ;;; defconf
       interface=ether1 bridge=bridgeLocal priority=0x80 edge=auto 
       point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=1500 frame-types=admit-all 
       ingress-filtering=yes unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
       bpdu-guard=no trusted=no mvrp-registrar-state=normal 
       mvrp-applicant-state=normal-participant multicast-router=temporary-query 
       fast-leave=no

I apologize for spamming with the message above; I was just confused after solving the issue with the lease for the bridge. However, after investigating and searching for what could be causing this problem, I found that the solution might be what you mentioned earlier:

https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithsimplifiedbridgeVLANtable

I did this, but it didn’t help. I also found a post here on the forum by @kobuki, with the difference that I don’t have the problematic comment in the logs:

http://forum.mikrotik.com/t/weird-warning-with-bridge-config-regarding-vlans/150103/1

My current port configuration is set to “admit only VLAN tagged” for Frames Type, which matches my configuration. All bridged VLANs are set separately, but the problem persists.

Because ether1 is the trunk port, shouldn’t the PVID 1500 be set on ether2? That way you’ll have access to the management VLAN through the aforementioned port

Sorry, now I’m confused. It’s clear that ether1 is the trunk. The management VLAN is 1110, the base VLAN is 1500, and the rest are just pass-through. Ether2 is not active or in the bridge at all. Config is attached
conf.rsc (11.3 KB)

You are attempting to use the bridge-to-CPU interface both untagged (by setting pvid=1500 under /interface bridge) and tagged (by having an /interface vlan with vlan-ids=1500) which leads to all sorts of unexpected behaviour.

Also setting the PVID under /interface bridge port makes no sense with frame-types=admit-only-vlan-tagged as this disables all untagged packets.

Presumably VLAN1500 is your management network. Is everything on your trunk connection tagged, or is it hybrid with untagged plus tagged?

1500 is the base VLAN with the gateway. It is tagged on the trunk port of the physical switch before ether1, just like all other VLANs.
VLAN1 is untagged and port on the switch have PVID1.
Management is VLAN1110.

There is nothing connected behind the CAP AX; it’s just an AP with SSID that distributes VLANs. The client gets tagged when authenticated by FreeRADIUS.

@tdw has given you quite a clear pointer what is the issue, but it fell through.

So I’ll try to be more straightforward than @tdw was: disable (and later delete) all rows in the /interface/vlan table except the one for the management vlan 1110. There are two ways to make the router part of the cAP ax access VLAN 1500 on the bridge part, but they cannot be used simultaneously, which is what you did.

Plus there are quite some issues in your firewall rules, albeit unrelated to the intermittent ping operation you are struggling with now.

So I feel a phone call might be a more efficient way (it would be like in the old joke about the U.S. president asking the Soviet general secretary how much does a call from Moscow to hell cost).

I’m not afraid of hell, heaven is for wimps

So I’ll delete all VLANs, assuming that’s related to external distribution. I’ll change the PVID on the bridge to 1, same as on the ports. I’ll set VLAN1110 to be tagged on ether1 and the bridge. Then I’ll accept the lease on the VLAN1110 interface.

What’s the number? From Prague, it won’t be that bad.

That a) is a change of the concept on the fly (nothing bad about that unless you lock yourself out of the device) and b) would still be a mistake if done exactly as described.

Follow http://forum.mikrotik.com/t/bobcat-miner-300-relayed/154400/65

here I am

fwyYQDQkQ2FmM1mAHHwTnq/jj5cRWLc9PFvNvkXgPu8Dq7h1KglRCQ+83tWoxDBq
5ymuqo3wma0TG2+zKtcQhHC3ZlHwy1JuYs/3rFVulCtz1Zp6BSICLn5iKf1yZiDn
2cKP3os1KArcuW8AkVaDc2qc3HD6CkGISu3sX7lJIRHBrkcUhYSv928EkYSngRw7
KWeGM7QXT2+mOW4WFHREOpXKQqqbGdvdC4ZDPNJtMdE9DcrICOQAs2X93yGU9aCZ
yuVwPJ01VWI4SQXwQeHQ/AMsi6zLkQWIljnES1sKaKqs7ppiFDr1aJHJdvnvAocF
uLpDzlze0oS62r+7D0gbo4MMKPEXwtIOw0qopaNOdMzn09kCs/aa/d4qC2kkJg3S
ojvpkpGPDJc10UPqkkbtigcwabyY6k/k2cnHPt80Jt8iNfJPKaIUuAslzofSk9Sh
GkdTTi0LpnMcCjYaJeQSOC5y+qDV2oQPrr4xbzM9kM9pBXLBZLx8wb4qaBpnSnMN
ME0YZG5EuneC73Me1O/F/AOx3+YuCf5JOgRA8k/aEeLysT0h6s85Jflwe3D4Zsnr
xU4+AOvx7foiU28hoHOBEbWG/4LQWx+WeX0CLm8DhrqYl+o+bI9mMpRpG0wcr2SW
1F+z+cgQgIi0cyyeGIqjgdmNp6PYSSmaR3DYxARJvA0=