VLAN across bridges

DL7JP · June 12, 2021, 8:18pm

Folks, here’s another Q on my journey to understand the VLAN implementation: Suppose there are two bridges, and we want them to share the same VLAN (tagged 10 here). bridge1 could be an ISP delivering a VoIP over VLAN 10, bridge2 an internal network with VoIP phones. Would this be a preferred way to do the trick?

/interface bridge
add name=bridge1
add name=bridge2 vlan-filtering=yes
/interface vlan add interface=bridge1 name=vlan10 vlan-id=10
/interface bridge port add bridge=bridge2 frame-types=admit-only-untagged-and-priority-tagged interface=vlan10
/interface bridge vlan
add bridge=bridge1 tagged=bridge2 untagged=vlan10 vlan-ids=10
add bridge=bridge2 tagged=bridge2 untagged=vlan10 vlan-ids=10

anav · June 12, 2021, 8:52pm

No, use one bridge.

DL7JP · June 12, 2021, 9:25pm

The bridges have more than these interfaces and untagged traffic on them is on different subnets. So, I have to route/firewall between them.

anav · June 13, 2021, 12:36am

Why not use all vlans for subnets, and that way one bridge is much easier to deal with.
Also use firewall rules properly and fewer rules are actually needed.
I am trying to simplify …

DL7JP · June 13, 2021, 8:37am

Yes, this would be an option; but it meant I had to re-configure the router completely. I just want to “pass” my ISP’s VoIP-VLAN to internal VoIP clients, and I’d prefer to minimize changes to the (complex) router configuration.

tdw · June 13, 2021, 9:50am

You cannot directly share VLANs between bridges - VLAN 10 on bridge 1 and VLAN 10 on bridge 2 are completely independent ethernet / layer 2 networks.

DL7JP · June 13, 2021, 10:17am

Hm… there is really no way? I guess I could do this with physical cables: Put both VLANs on an ethernet-port and connect the ports with a cable. Not sure if you know what I mean, roughly like this: Create an VLAN-Interface for VLAN 10 at each of the two bridges; then create two new bridges with an ethernet-port and a VLAN-Interface on each. A cable would then connect both ports and also the VLANs on them.

This sounds really weird, and I would think there should be another way to do this…

anav · June 13, 2021, 10:21am

No i cannot help stubborn horse that refuses to drink clean good water.

tdw · June 13, 2021, 12:57pm

That’s why I said directly share. There are numerous bodges - bringing out the VLAN on physical ports and connecting them per your post; abusing a VLAN interface by attaching it to one bridge and including it as a member port of the other (see https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration particularly points 7 & 8 for the potential issues); create a EoIP tunnel within the Mikrotik so one end can be attached to one bridge, and the other end to the second bridge. All very hacky.

DL7JP · June 13, 2021, 5:01pm

Thanks a bunch, useful page! I wasn’t aware of it!

DL7JP · June 13, 2021, 5:06pm

The horse is more interested in learning how to find such water than in drinking it :-).