Trunk on RB750Gr3 with PVID=1 as native VLAN, with VLANs as L3 interfaces and NAT

Hi guys and gals.

Yes, I’m also a Cisco, Juniper and HPE guy, where the world of VLANs is quite simple. You create VLANs, assign switch ports membership in VLANs, set a port as trunk and choose (or not) a VLAN as native (if not, the native VLAN is always 1). Then you create an L3 interface, assign an IP to it and, in the case of Juniper, assign the L3 interface to a VLAN. From the HPE switches I’m also familiar with the PVID and multiple-untagged-VLANs-on-a-port concept, so this part of RouterOS/SwitchOS is not new to me.

I’d like to do the same thing on my RB750Gr3 and also on my hAP ac^2.
I thought I had the stuff figured out, but it doesn’t work as I thought it would.
At the moment I have set up the RB750Gr3 as gateway, and a hAP ac^2 as a switch (later I will be using two of them for a wireless bridge). There will be a Cisco switch between the RB750 (ether5) and the hAP (ether1). There will also be some Cisco APs and other devices using VLAN 1 as native, so native VLAN 1 is a must.

Current setup is:
Trunk with pvid=1 on ether5 on the RB750 and on ether1 and ether2 on the hAP. Test PCs are connected to ether4 on the 750 and to ether5 on the hAP. RB750 and hAP are connected ether5 - ether1.
I set up an infrastructure L3 interface on the default bridge and assigned it a /24 address. I did the same on the RB750 and the hAP. For other VLANs I’ve just created L3 interfaces on the default bridge, only on the RB750, and assigned them addresses. I haven’t created all VLANs on the hAP yet, just VLAN 5 and 10 for testing.

Both PCs access the internet, both can ping all gateway IPs and both can ping the gateway’s infrastructure IP.
Neither PC can ping the hAP’s infrastructure IP.
Neither MikroTik can ping the other’s infrastructure IP. The hAP also cannot access the internet, which is logical, since it can’t reach its gateway.

Please advise me, what am I doing wrong?

RB750Gr3 config:

# nov/11/2020 22:02:10 by RouterOS 6.47.7
# model = RouterBOARD 750G r3
/interface bridge
add name=bridge vlan-filtering=yes
add name=services pvid=250 vlan-filtering=yes

/interface vlan
add interface=bridge name=closed vlan-id=2
add interface=ether1 name=data vlan-id=999
add interface=bridge name=dmz vlan-id=15
add interface=bridge name=infrastructure vlan-id=1
add interface=bridge name=public vlan-id=10
add interface=services name=service vlan-id=250
add interface=bridge name=surveilance vlan-id=20
add interface=bridge name=wlan vlan-id=5

/interface bridge port
add bridge=bridge interface=ether2 pvid=2
add bridge=bridge interface=ether3 pvid=2
add bridge=bridge interface=ether4 pvid=5
add bridge=bridge interface=ether5

/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether1 vlan-ids=999
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3 vlan-ids=2
add bridge=bridge tagged=ether5,bridge vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=5
add bridge=bridge tagged=ether1,bridge,ether5 vlan-ids=3998,3999
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
add bridge=services vlan-ids=250
add bridge=bridge untagged=ether5,bridge vlan-ids=1

/ip address
add address=172.20.0.1/24 interface=closed network=172.20.0.0
add address=172.20.5.1/25 interface=wlan network=172.20.5.0
add address=172.30.5.1/26 interface=public network=172.30.5.0
add address=172.55.0.1/28 interface=dmz network=172.55.0.0
add address=172.40.0.1/27 interface=surveilance network=172.40.0.0
add address=172.0.0.1 interface=services network=172.0.0.1
add address=10.0.0.1/24 interface=infrastructure network=10.0.0.0

hAP ac^2 config:

# nov/11/2020 22:39:13 by RouterOS 6.47.7
# model = RBD52G-5HacD2HnD

/interface bridge
add name=bridge vlan-filtering=yes

/interface vlan
add interface=bridge name=infrastructure vlan-id=1
add interface=bridge name=public vlan-id=10
add interface=bridge name=wlan vlan-id=5
 
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether5 pvid=5

/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3
add bridge=bridge untagged=ether1,ether2 vlan-ids=1
add bridge=bridge tagged=bridge,ether1 untagged=ether5

/ip address
add address=10.0.0.201/24 interface=infrastructure network=10.0.0.0
add address=172.30.5.2/26 disabled=yes interface=public network=172.30.5.0

/ip route
add distance=1 gateway=10.0.0.1

I’ll just comment on the hAP ac^2 config; both RBs should be configured in a similar way.


If you want to use any VLAN in a tagged manner in the RB (as you declared by creating a vlan interface in the first part of the quoted config), then you have to add the bridge interface as a tagged member of said VLAN.

BTW, in principle there is no such thing as “native VLAN” in ROS. VLAN ID 1 is special just because it’s used as the (implicit) default value everywhere a VLAN ID could be set … on a bridge all ports have PVID set to 1 implicitly, which in your case means anybody could access the infrastructure VLAN through ports ether1 and ether2. If you intend these two ports to be tagged only (i.e. VLAN 1 is tagged over the wires as well), you should enforce some security on those ports by setting frame-types=admit-only-vlan-tagged ingress-filtering=yes. It is good practice to set ingress-filtering=yes on all ports.
Due to all of this it’s wise to generally stay away from VLAN ID 1 unless one really knows what he’s doing.

BTW2: are you from Virovitica or just fond of Boško?

The best reference for this work is http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
If you want a management VLAN, create one, say 101, and then ensure all the devices have an assigned IP on that subnet.
So on all the switches, hAP acs etc… VLAN 1 will be carried along automatically, no need to do anything special for that.

First thing to do is remove this…
/interface bridge
add name=bridge vlan-filtering=yes
add name=services pvid=250 vlan-filtering=yes
Leave that to default.

Only need one bridge, so unless it’s a port going to the WAN, all ports, wired/wireless, should be on the same bridge on each individual device.
Ports going to smart devices (switches etc.) are trunk ports, ingress filtering on the bridge port.
Ports going to dumb devices (PCs etc.) are access ports, frames only priority or untagged.

I noticed this later.

But default PVID is 1 for bridge interface. So I figured, it must be set untagged. I’ll try and change the PVID for the bridge interface and see what happens.

Noted.

Nope, I’m from the same country as you, Metod, hence VLANs 3999 and 3998. :)
And my name is usually nicknamed Boško.

Thanks for input,
Boštjan

I did study those cases briefly, but I didn’t find an example with hybrid settings. However, I followed the wiki page: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

This is an L3 interface for a DNS server, an experiment not yet started. There is no port assigned to that bridge.

Thank you for your input, I guess I have some more settings to test.
As I said, I’d really like to have a hybrid port with VLAN 1 as native.

Regards,

Boštjan

Bridge has twin personalities in ROS:

  1. something like a (smart) switch, passing L2 frames between member ports
  2. interface, used by ROS to interact with networks. It is created implicitly and is always a member of the bridge of the same name

So same principles apply when setting PVID on bridge interface as if it is set on any other interface.
In case of the default setting PVID=1 this means that frames tagged with VID=1 in the bridge (switch-like entity) will be made available untagged to ROS (through the bridge interface). However, if you construct a vlan interface with vlan-id=1 on top of the bridge interface, it will need frames tagged with VID=1. Hence you have to set the bridge interface to be a tagged port member of VLAN 1. This setting alone probably doesn’t eliminate the default pvid setting, but setting frame-types=admit-only-vlan-tagged definitely does. For the bridge interface it is set in /interface bridge (not in the port subtree).

BTW, unless you want to do something really wicked, you probably don’t want to have more than one bridge per device.
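An added audit script (mine, not from this thread or MikroTik) that reads a RouterOS 6.x export and flags the three pitfalls the replies above describe: a vlan interface on the bridge whose bridge is not a tagged member of that VLAN, ports that fall into a router-facing VLAN through the implicit default pvid=1, and ports without ingress filtering. It assumes the export omits default values (pvid=1, ingress-filtering=no, vlan-ids=1); both sample exports are constructed, one trimmed from the RB750 config posted earlier, one hardened the way the replies suggest.

```python
import re

def parse_export(text):
    # Map each menu path ('/interface bridge port', ...) to its 'add' entries as key/value dicts
    menu, entries = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            entries.setdefault(menu, []).append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return entries

def vlan_ids(spec):
    # Expand a vlan-ids value such as '1,10-12' into a set of integers
    ranges = [part.partition("-") for part in spec.split(",")]
    return {i for lo, _, hi in ranges for i in range(int(lo), int(hi or lo) + 1)}

def audit(text):
    cfg = parse_export(text)
    bvlans = cfg.get("/interface bridge vlan", [])
    # /export omits defaults (pvid=1, ingress-filtering=no, vlan-ids=1); l3_vids = VLANs the router itself talks on
    l3_vids = {int(v["vlan-id"]) for v in cfg.get("/interface vlan", []) if v.get("interface") == "bridge"}
    findings = []
    for vid in sorted(l3_vids):  # the bridge must be a *tagged* member of every such VLAN
        if not any("bridge" in v.get("tagged", "").split(",") and vid in vlan_ids(v.get("vlan-ids", "1"))
                   for v in bvlans):
            findings.append(f"vlan-id {vid}: bridge is not a tagged member, so the L3 interface gets no frames")
    for port in cfg.get("/interface bridge port", []):
        if "pvid" not in port and 1 in l3_vids:  # untagged frames silently land in a router-facing VLAN
            findings.append(f"{port['interface']}: implicit pvid=1 admits untagged frames into L3 VLAN 1")
        if port.get("ingress-filtering", "no") != "yes":
            findings.append(f"{port['interface']}: ingress-filtering is off")
    return findings

# Constructed sample, trimmed from the RB750 config posted earlier in the thread
ORIGINAL = """/interface vlan
add interface=bridge name=infrastructure vlan-id=1
/interface bridge port
add bridge=bridge interface=ether4 pvid=5
add bridge=bridge interface=ether5
/interface bridge vlan
add bridge=bridge untagged=ether5,bridge vlan-ids=1"""
# Constructed sample: the hybrid trunk from the end of the thread plus the replies' hardening advice
HARDENED = """/interface vlan
add interface=bridge name=infrastructure vlan-id=1024
/interface bridge port
add bridge=bridge interface=ether5 pvid=1024 ingress-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=1024"""
```

Run `audit(ORIGINAL)` to see the four findings and `audit(HARDENED)` to see none; feeding it a full `/export` works the same way, since unrelated menus are parsed and ignored.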

All I can say is that I use VLAN bridge filtering with the default settings for the bridge (I do not change the default VLAN) and my setup works with all sorts of vendors, from D-Link to TP-Link to MT to Netgear.

After consideration of both replies, I’ve changed the infrastructure VLAN ID on both MikroTiks. Now I have a working hybrid port on both of them. :)
RB750:

/interface vlan
add interface=bridge name=infrastructure vlan-id=1024

/interface bridge port
add bridge=bridge interface=ether5 pvid=1024

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=1024

/ip address
add address=10.0.0.1/24 interface=infrastructure network=10.0.0.0

hAP:

/interface vlan
add interface=bridge name=infrastructure vlan-id=1024

/interface bridge port
add bridge=bridge interface=ether1 pvid=1024

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=1024

/ip address
add address=10.0.0.201/24 interface=infrastructure network=10.0.0.0

/ip route
add distance=1 gateway=10.0.0.1

Thanks to both of you again!