So I’ve got two hAP ac2 connected with an ethernet cable, from router 1 ether2 to router 2 ether1. Router1 is the gateway to the internet with default config. Router2 simply has all interfaces bridged. Router2 ether2 is connected to the neighbor’s network, and I want that to function as a separate LAN (while the rest of the interfaces on router2 remain bridged for the main subnet).
Here is what I’ve tried, but it did not work.
On router 1, I created vlan2 interface with vlan id 2 on the bridge interface, assigned it an address block, and created a DHCP server for it.
On bridge VLAN, put ether2 tagged for vlan 2
and enabled vlan filtering on the bridge.
And on router 2, set bridge port ether2 PVID to 2:
and in bridge vlan, set vlan 2 tagged on ether1 and untagged on ether2.
But once enabling vlan filtering on bridge of router2, port seems completely unusable. Am I doing this right? Or how should I do it?
Your config output of Router 1 does not show PVID=2 for ether2 on that router.
Can you check that this is properly configured?
Additionally I would move away from VLAN 1 for the remaining parts of your network: put all main subnet interfaces, including the bridges, on a dedicated separate VLAN. This gives more secure segmentation and leaves fewer possibilities to misuse the default VLAN 1.
As a final recommendation, also put an unused VLAN id on your trunk interface for the same reason and enable ingress filtering with frame-types=admit-only-vlan-tagged.
[EDIT]
I have reviewed your configs and the explanation of your setup again and I have to correct myself here.
You have to set up a trunk connection between R1e2 and R2e1.
As I stated above, I would recommend stepping away from the usage of VLAN 1 as a whole, but it can be done without this change.
But you have to put the following line on Router 1
The issue here is mixing apples and oranges. In other words you are using bridge and then introduce vlans but keep bridge for some dhcp.
I personally do one or the other but a mix is also very common (although it drives me insane to see).
The issue in this case is that you use a trunk port to send traffic from ether1 to ether2 but ONLY one vlan.
You want to send two streams of traffic to second router.
Now it’s perfectly legit to use the bridge traffic over to router 2 as well, but it makes the setup a little bit tricky.
So far what I see on Router 1 is fine except for this line where the missing part is now added.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=2
Now Router 2… and this is where it gets tricky due to your way of doing stuff on router 1.
Coming in on ether1 is bridge traffic (think of it as untagged traffic and a vlan). So in effect a HYBRID PORT.
Since you want to take that bridge traffic and spread it out to all ports… with vlan2 going to ether2 only…
So I would do it like this. One thing I am not sure of is whether the IP address of the device should use interface=ether1 as I have it or interface=bridge2 as you have it.
/interface bridge
add name=bridge2
/interface vlan
add interface=bridge name=vlan39 vlan-id=39
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=secure supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country="united states" disabled=no frequency=2437 hide-ssid=yes installation=outdoor mode=ap-bridge security-profile=secure ssid=[redacted] wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-eeeC country="united states" disabled=no frequency=5320 hide-ssid=yes installation=outdoor mode=ap-bridge security-profile=secure ssid=[redacted] wps-mode=disabled
/interface bridge port
add bridge=bridge2 ingress-filtering=no interface=ether1 pvid=39
add bridge=bridge2 ingress-filtering=no interface=wlan1 pvid=39
add bridge=bridge2 ingress-filtering=no interface=wlan2 pvid=39
add bridge=bridge2 ingress-filtering=no interface=ether3 pvid=39
add bridge=bridge2 ingress-filtering=no interface=ether4 pvid=39
add bridge=bridge2 ingress-filtering=no interface=ether5 pvid=39
add bridge=bridge2 ingress-filtering=no interface=ether2 pvid=2
/interface bridge vlan
add bridge=bridge2 tagged=bridge2,ether1 untagged=ether2 vlan-ids=2
add bridge=bridge2 tagged=bridge2 untagged=ether1,wlan1,wlan2,ether3,ether4,ether5 vlan-ids=39
/ip address
add address=10.39.0.2/24 interface=ether1 network=10.39.0.0
/ip dns
set servers=10.39.0.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.39.0.1 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=MikroTik2
/system routerboard settings
set cpu-frequency=auto
+++++++++++++++++++++++++++++++++++++
In summary I would not do it this way.
I would create two vlans on Router1 and both would be sent to router 2 on a clear trunk port and then distributed cleanly on Router 2 as required.
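The clean two-VLAN design summarised above, written out as an added example rather than taken from any poster's config. It assumes VLAN 39 for the main subnet and VLAN 2 for the neighbor port, the 10.39.0.0/24 block from the thread and a constructed 10.2.0.0/24 block, a default-config bridge named "bridge" on Router 1, and ether3 as a representative access port on each router; the trunk admits only tagged frames and VLAN 1 is left unused.

```routeros
# Router 1 (gateway). Both LANs are VLANs on the existing bridge; ether2 is
# a tagged-only trunk to Router 2. Added example; ids, addresses and port
# roles are assumptions, not the thread's config.
/interface bridge port
add bridge=bridge interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge interface=ether3 pvid=39 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether3 vlan-ids=39
add bridge=bridge tagged=bridge,ether2 vlan-ids=2
/interface vlan
add interface=bridge name=vlan39 vlan-id=39
add interface=bridge name=vlan2 vlan-id=2
/ip address
add address=10.39.0.1/24 interface=vlan39
add address=10.2.0.1/24 interface=vlan2
/ip pool
add name=pool2 ranges=10.2.0.10-10.2.0.254
/ip dhcp-server
add name=dhcp2 interface=vlan2 address-pool=pool2
/ip dhcp-server network
add address=10.2.0.0/24 gateway=10.2.0.1 dns-server=10.2.0.1
/interface list member
add list=LAN interface=vlan39
add list=LAN interface=vlan2
# The default firewall forwards freely between LAN members; keep the
# neighbor LAN from reaching the main LAN (assumed policy).
/ip firewall filter
add chain=forward action=drop in-interface=vlan2 out-interface=vlan39 comment="neighbor LAN may not reach main LAN"
# Enable filtering last, after the bridge itself is a tagged member of
# every VLAN that carries a router address, or the port becomes unusable.
/interface bridge
set bridge vlan-filtering=yes

# Router 2. ether1 is the trunk, ether2 the untagged access port for VLAN 2,
# ether3 (and the other ports/wlans, configured alike) untagged in VLAN 39.
/interface bridge
add name=bridge2
/interface bridge port
add bridge=bridge2 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge2 interface=ether2 pvid=2 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge2 interface=ether3 pvid=39 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge2 tagged=bridge2,ether1 untagged=ether3 vlan-ids=39
add bridge=bridge2 tagged=ether1 untagged=ether2 vlan-ids=2
/interface vlan
add interface=bridge2 name=vlan39 vlan-id=39
/ip address
add address=10.39.0.2/24 interface=vlan39
/interface bridge
set bridge2 vlan-filtering=yes
```

Router 2 needs no address in VLAN 2, so bridge2 is deliberately not a member of that VLAN; management stays reachable only from the main subnet.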
Thanks for the responses. But, should the second router’s switch be configured directly, bypassing the cpu and bridge vlan configuration? I looked at the switch configuration but am not sure how/if it can be set up to connect tagged frames from a hybrid trunk port to an isolated access port.
Wow, you just pickup as if you were responding to a comment from yesterday.
Are you a computer that just got turned back on after being hibernated 10 weeks ago?
I got it working! So thanks to post #5 I figured out that the thing I was missing was adding bridge as tagged on both sides.
Then I added vlan2 to the LAN interface list to enable internet access with the default firewall.
Now I can configure the firewall as desired, and figure out what to do for IPv6, as I’m not sure my ISP will provide a smaller prefix than 64… (edit: looks like the DHCP client was able to get a /60 (edit: working nicely yeey))
So from what I read... I guess bridge vlan and switch vlan are effectively the same because bridge vlan will do hardware offload. I read that switch vlan is the old way of configuring it and bridge vlan is the new way.
I don’t have a hAP ac3, only a hEX S. With the hEX, v6 had no switch support. V7.1rc5 began to add HW support for the switch in the bridge config, and in recent versions of v7 the vlan-filtering bridge. With v7.2.1 bridging and VLANs are hardware offloaded to the MT7621A’s included MT7530 switch ASIC. Note well: VLAN offloading does not mean inter-VLAN routing. But it can have one port with VLAN x untagged and another port with VLAN x tagged, and traffic between the two ports in the same VLAN can happen without CPU intervention, and at near wire speed, i.e. the switch ASIC can do the tagging/untagging without help from the CPU.
I think doing the same thing (HW support for VLAN-aware functions) on the hAP ac3 will require the combined use of the bridge and switch sections if you want the switch chip to do the tagging/untagging for traffic within the same VLAN.