Two VLANS to another place. Voip + Data

mkx · November 24, 2018, 9:02pm

I’m glad you had some success.

hgonzale · November 24, 2018, 9:55pm

Yes my friend. Thank you for everything. I didn’t finish, because no time. Really really I didn’t connected the phone in the other place, but I discover a lot of.!
You are part of this!!! Really.

Jotne · November 24, 2018, 10:47pm

Instead of post 7 post one after another, do edit the first post in an answer and add what you need to post.
Click the pencil at the top of the post.

hgonzale · November 24, 2018, 10:49pm

Yes, thank you. Even after I tried to delete some and it say I can’t delete a post if there are new..
sorry

sindy · November 26, 2018, 3:44pm

A blind shot what may be going on:

There is a thing called STP, which is a protocol (Spanning Tree Protocol) used to prevent L2 loops in the infrastructure.

And there is another thing called various names but the purpose is the same: to prevent switches belonging to different networks from ruining each other’s STP operation. This is ensured by shutting down a port which is configured for connection of end devices (such as computers and phones) which do not run STP if it eventually receives an STP frame (BPDU).

So before connecting Mikrotik to the Huawei, make sure that the protocol-mode of the bridge whose port you connect to the Huawei port is set to none. If my guess was right, doing so will stop the BPDUs from being sent to Huawei, and it will not be shutting down its port any more.

hgonzale · December 22, 2018, 3:06pm

Hello friend. I am back here and I solve something but still I am not able to get the VLAN in the other side

I am sure the problem is me, because I don´t know exactly how to configure and handle the VLANs and the TAG.

But first…

1.- In the main ¨office¨ I need to create a new bridge and put VLAN Filtering. If I disable it, the ISP Switch DISABLE FOREVER (until I reboot) the port.

Here the configuration for MY switch in the office (Mikrotik switch)

[admin@Switch-AP Cajas] /interface> export

dec/22/2018 15:58:51 by RouterOS 6.43.4

software id = 9G1F-7X2Y

model = CRS109-8G-1S-2HnD

serial number = 883C08AFBACA

/interface bridge
add admin-mac=CC:2D:E0:2F:07:5C auto-mac=no comment=defconf name=bridge
add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-voip
protocol-mode=none pvid=21 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] comment=“Link a Oficina” speed=100Mbps
set [ find default-name=ether4 ] comment=“Suelo 1. Impresora” speed=100Mbps
set [ find default-name=ether5 ] comment=“Suelo 2. PC” speed=100Mbps
set [ find default-name=ether6 ] comment=“PC 1” speed=100Mbps
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full comment=
“Cable a VoIP” loop-protect=on speed=100Mbps
set [ find default-name=ether8 ] comment=“Link a Antena - Maribel” speed=100Mbps
set [ find default-name=sfp1 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=ether8 name=eth8-vlan-21 use-service-tag=yes vlan-id=21

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge hw=no interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether8
add bridge=bridge interface=sfp1
add bridge=bridge interface=wlan2
add bridge=bridge-voip frame-types=admit-only-vlan-tagged interface=eth8-vlan-21 pvid=21
add bridge=bridge-voip interface=ether7
/interface bridge vlan
add bridge=bridge-voip tagged=eth8-vlan-21,ether7 vlan-ids=21
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether7 vlan-id=21
/interface ethernet switch vlan
add ports=ether7 vlan-id=21

Then… the port 7 is connected using a Ubiquiti o Long wire (I can change it for the wire temporary) to the other place.
The Ubiquitis are in WDS (transparent bridge)

In the other side, I have the following. The wire coming from the Ubiquiti is on port 1

[admin@AP-Brdige Maribel] /interface> export

dec/22/2018 16:08:09 by RouterOS 6.43.4

software id = PRTC-DB0V

model = RouterBOARD 941-2nD

serial number = 925608BB5332

/interface bridge
add admin-mac=CC:2D:E0:D8:6C:16 auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge-voip
/interface ethernet
set [ find default-name=ether1 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=
CC:2D:E0:D8:6C:15
set [ find default-name=ether2 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=
CC:2D:E0:D8:6C:16
set [ find default-name=ether3 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=
CC:2D:E0:D8:6C:17
set [ find default-name=ether4 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=
CC:2D:E0:D8:6C:18
/interface vlan
add interface=ether1 name=eth1-vlan-21 use-service-tag=yes vlan-id=21
/interface ethernet switch port
set 3 default-vlan-id=21
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge hw=no interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge-voip frame-types=admit-only-vlan-tagged interface=ether4 pvid=21
add bridge=bridge-voip frame-types=admit-only-vlan-tagged interface=eth1-vlan-21 pvid=21
/interface bridge vlan
add bridge=bridge-voip tagged=ether4,eth1-vlan-21 untagged=bridge-voip,ether1 vlan-ids=21

The voIP phone in on LAN4

Thank you to all my friend, you are teaching me and helping me and a good friend!!!

Have a merry Christmas.

sindy · December 26, 2018, 12:15pm

Your L2 settings on the CRS are messy. You cannot have ether8 as a member port of one bridge (called bridge) and at the same time have an /interface vlan with interface=ether8, I’m surprised it doesn’t show configuration warnings. So as a result, you run a mixed configuration never intended to be operated so it is hard to assume what’s actually happening there.

So I’d remove interface bridge bridge-voip and interface vlan eth8-vlan-21 completely and just configure all ports on bridge “bridge” the way you need them to work with regard to the two VLANs (1 and 21):

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge hw=no interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether8
add bridge=bridge interface=sfp1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether8
add bridge=bridge interface=ether7
/interface bridge vlan
add bridge=bridge tagged=ether7,ether8 vlan-ids=21
add bridge=bridge untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,ether8,sfp1,wlan1,wlan2 vlan-ids=1

To make the above work, you need to set vlan-filtering=yes on bridge bridge.

Also on the switch configuration, it is a nonsense to have only ether7 permitted for VLAN 21, you need to permit also ether8 for that VLAN, but better remove the /interface ethernet switch settings completely for the start.

Other than that, use-service-tag works different than you seem to assume. The tagged side of /interface vlan always adds/removes a VLAN tag; if use-service-tag=no, the usual 802.1Q tag is used, whereas if use-service-tag=yes, an 802.1ad tag is used. The only difference between the two is the ethertype value - 802.1Q uses 0x8100, 802.1ad uses 0x88a8.

So even if not for the other mistakes, your configuration uses different tags on ether8 and ether7, and worse than that, it uses a different tag at each end of the link between the CRS and the 941. So the CRS sends a frame tagged with 802.1Q which is treated as an untagged frame at the 941, and vice versa.

hgonzale · December 26, 2018, 6:27pm

Ohhhhhh thank you my friend for correcting me.
I will try the next week everything you say.

Thank you a lot!

hgonzale · December 26, 2018, 6:42pm

My friend sindy. I did another question some time ago, with a lan in my “house” and vlan and I am having troubles also, because I don’t known well about it.
Can you send me a private and I will re open the post with the correct question.

Thank you!

sindy · December 26, 2018, 7:08pm

PM is not activated on this forum (probably because if it was, everyone would PM Normis), but you can place a link to that other thread here so that we could stay topic-related both here and there.

Also, you may want to bite your way through this topic and choose between @Jotne’s coloured graphics and my ascii-art to grasp the basics around VLANs and their possible configurations.

hgonzale · December 29, 2018, 1:35pm

Hello Sindy. Good day for you. Now I am here trying to help my friend. I did the cnfiguration in the switch but not luck. Even, I am connecting the VoIP phone (tag 21) directly on the switch (port 7) and not luck. Playing now with options!!! But really, I don´t understand very well. I will take a Mikrotik course as soon as apossible

I have now the following config:

Switch.

/interface bridge
add admin-mac=CC:2D:E0:2F:07:5C auto-mac=no comment=defconf name=bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] comment=“Link a Oficina” speed=100Mbps
set [ find default-name=ether4 ] comment=“Suelo 1. Impresora” speed=100Mbps
set [ find default-name=ether5 ] comment=“Suelo 2. PC” speed=100Mbps
set [ find default-name=ether6 ] comment=“PC 1” speed=100Mbps
set [ find default-name=ether7 ] comment=“Cable a VoIP” loop-protect=on speed=100Mbps
set [ find default-name=ether8 ] comment=“Link a Antena - Maribel” speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge hw=no interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether8
add bridge=bridge interface=sfp1
add bridge=bridge interface=wlan2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether7 pvid=21
/interface bridge vlan
add bridge=bridge tagged=ether7,ether8 vlan-ids=21
add bridge=bridge untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,sfp1,wlan1,wlan2,ether8 vlan-ids=1

941º in the other side:

/interface bridge
add admin-mac=CC:2D:E0:D8:6C:16 auto-mac=no comment=defconf name=bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
mac-address=CC:2D:E0:D8:6C:15
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
mac-address=CC:2D:E0:D8:6C:16
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
mac-address=CC:2D:E0:D8:6C:17
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
mac-address=CC:2D:E0:D8:6C:18

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge hw=no interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4 pvid=21

/interface bridge vlan
add bridge=bridge tagged=ether1,ether4 vlan-ids=21
add bridge=bridge untagged=bridge,ether1,ether2,ether3,wlan1,wlan2 vlan-ids=1

For this testing and avoid the Ubiquiti link, I have the 941 directly connected to eth8 in the switch.

sindy · December 30, 2018, 5:21pm

Here, the configiration of the “switch” seems fine to me.

The 941, however, has an issue - these two lines are in contradiction:

/interface bridge port
…
add bridge=bridge interface=ether4 pvid=21
and
/interface bridge vlan
…
add bridge=bridge tagged=ether1,ether4 vlan-ids=21

The upper line says that ether4 is an access (tagless on outer=wire side, tagged on inner side) port of VLAN 21, whereas the lower line says that ether4’s wire side should be tagged. So you have to align these two: if the phone expects and sends tagless frames, you have to modify the line in /interface bridge vlan to bridge=bridge tagged=ether1 untagged=ether4 vlan-ids=21 to make ether4 an access port of VLAN 21; if the phone expects tagged frames (i.e. if VLAN 21 is mentioned in the phone configuration and the phone previously worked if directly connected to any port of the Huawei), you have to modify the line in /interface bridge port to bridge=bridge interface=ether4 pvid=1 to make ether4 a trunk port of VLAN 21.

Now back to the Huawei device blocking the port, it can do so for the following reasons:

most likely because it receives STP’s BPDU frames from the Mikrotik (which is again true in your current configuration; if no protocol-mode is specified on a bridge, rstp is used by default as /export verbose shows you),
less likely because it receives a frame with unexpected VLAN ID or with an unexpected Ethertype (such as 802.1ad if you configure use-service-tag=yes on a local /interface vlan); in your current configuration there is no /interface vlan at all so it is not the reason.
because it receives loop protect packets and misinterprets them as something else; in your current case loop-protect is off on the ether interfaces so it is not the reason

There is one more possibility - the phone may use LLDP to learn from the switch which VLAN to use for VoIP and which VLAN to use for data (and one of the two may be tagless on the wire). As Mikrotik does not support this aspect of LLDP functionality, and as the LLDP protocol by design and purpose only works between directly interconnected devices so it cannot be forwarded between the phone and the Huawei via a chain of other switches, you would have to disable LLDP on the phone and configure the Voice VLAN ID to 21 manually if this is the case.

hgonzale · January 2, 2019, 9:22pm

Ohhh sindy… Really you explain very well and you are teaching me a lot… You will receive a present… of course!!! I am so gratefully with you.

In other words… I was playing today a little bit at my friend’s house and I didn’t have luck, but was some minutes only playing

I need to ask something to you…

When will you have time, and that is your time zone for helping me in hot-line.. I will do something and ask you and you correct me…

Thank you a lot!!!

sindy · January 3, 2019, 5:40am

Yo no hablo español, but if you post here your teamviewer number and the temporary pin, we may chat there. My time zone is the same as yours, but my time planning is generally poor, I’m event-driven in general. So usually I am free for such kind of activity between 20 and 22, but I cannot guarantee it.

hgonzale · January 3, 2019, 8:40pm

The spanish is not a problem my friend. If you are going to help me, I will speak even Russian for you… If I am receiving something, I need to make you easy as possible…

Second, nice to know you can help me a little bit. You will get a recompense..

Tell me when you think you will have a little bit time, and I will go there my friend.. Really.. THANK YOUUUUU

And of course, we will post the solution and we will $#%$#%$#%@$ Movistar in Spain w1th "business " solutions.

hgonzale · February 16, 2019, 5:07pm

Hello my friend. I am going to be many days at my friend place… How is your week this next week?

anav · February 17, 2019, 2:32am

Sindy, you missed the same error in the first half, plus the op needs to adjust the frame type as well!!!

/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether7 pvid=21
/interface bridge vlan
add bridge=bridge tagged=ether7,ether8 vlan-ids=21
add bridge=bridge untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,sfp1,wlan1,wlan2,ether8 vlan-ids=1

Remember Interface Bridge Port really is describing the INGRESS functionality we would like to have
The Interface Bridge VLAN is describing the EGRESS functionality we would like

So from the first one, the only reason to assign a PVID is that we know the data ingressing is untagged and we wish to tag it with vlan21
In other words my assumption looking at this line is that ether7 is an Access Port.
However, the egress is contradictory in that there is no untagging assigned to this port??

So I can only make two conclusions. Fix the ingress or fix the egress so they match
For example if truly an access port the following would apply
(1) ether7 is an Access Port:
/interface bridge port
add bridge=bridge frame-types=admit-only-un-tagged or priority interface=ether7 pvid=21
/interface bridge vlan
add bridge=bridge tagged=ether8 untagged=ether7 vlan-ids=21
add bridge=bridge untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,sfp1,wlan1,wlan2,ether8 vlan-ids=1

(2) ether7 is a trunk port (attached to another device which can mark packets)
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether7
/interface bridge vlan
add bridge=bridge tagged=ether7,ether8 vlan-ids=21
add bridge=bridge untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,sfp1,wlan1,wlan2,ether8 vlan-ids=1

The same comment applies here to the same contradiction in these two rules…
/interface bridge port
add bridge=bridge interface=ether4 pvid=21
/interface bridge vlan
add bridge=bridge tagged=ether1,ether4 vlan-ids=21

sindy · February 17, 2019, 10:07am

As I wrote earlier, give me some temporary communication channel so that we could start talking in a more flexible way then via this forum. The coming week should be as busy as any other one, so every day between 20 and 22 in the evening there is a chance we may do something, except Monday where I know for sure I won’t be available.