vlan and bridge and trunk question

Hi
I have a CRS328-24P-4S+
some ports I allocated to my wifi - 10.10.10.0/24
some ports I allocated to my lan - 10.10.11.0/24
I created two bridge interfaces - br_wifi and br_lan - and then just allocated the ports to those bridges.
All works fine.

Now I wanted to put in a switch in my garage and I want to transport the lan network and the wifi network to there.

so I set up a bond - 2 ports
then I set up a new vlan 10 for wifi
I attach the vlan port to br_wifi and attach vlan10 to the bonding interface
the untagged I attach to br_lan

so on the remote switch the default vlan (so vlan id 1) is lan and vlan10 is wifi, and this works.

except I attached the bonding interface to br_lan, which means … that all packets go to br_lan - including vlan 10 packets. This is causing problems for my device on the remote switch on vlan 10, because it ARPs back and the ARP packet ends up on my bonding interface and turns up on br_lan and not, for some reason, on br_wifi

so the ARP response for 10.10.10.x comes into br_lan, which is 10.10.11.0

how do I fix this?

Had a thought whilst typing this - I can create a new vlan 11 and attach it to the trunk and then attach the vlan11 port to br_lan … so basically stop using the default vlan id - I think that should work ..

is this the right way to do it?

Do it the normal way - instead of your current “port-based VLAN” approach where each VLAN has a bridge of its own, use vlan-filtering=yes on a single common bridge along with the corresponding settings in /interface bridge vlan and /interface bridge port, so you will be able to connect the device in the garage using a trunk port (or a trunk bond of multiple ports)

See this post of mine and @pcunite’s one it refers to if the Mikrotik documentation is not enough to set up the above.

pcunite —> http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thanks for the link. But I am a bit lost on the one bridge. On my ros box I have eth1-10 on bridge lan (one bridge) and eth11-20 on bridge wifi (another bridge).

Forgetting about my trunk connection, how would I achieve that with just one bridge?

Thanks for that, I will have a read.

EDIT :
Done some reading, think I might have an answer - think of the ros box more as a switch
so that means assign a pvid to all of the interfaces … so in my example above eth1-10 would have pvid=11 and eth11-20 would have pvid=10
then add them to the bridge with vlan filtering on !!! The careful thing to keep in mind: the ip address assigned to the bridge interface might not work any more - why - because of vlan filtering … tricky :)

then add the interfaces to the bridge
then add the vlan port to the bridge - this is where you get your vlans, so vlan port 11 will see all of eth1-10 because it's vlan id 11 via the pvid.
same for pvid 10

Bit of a hint for those that follow this. The issue with trunk / bonding and vlan ports added to bridges is STP or one of its flavours - seems like it doesn't break things quickly but over time it causes problems - slow and silent killer. More reading and more configuring for me to do!

https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=1394s

Think I have it right now
so I want vlan10 and vlan11
I have a bond interface from the ros box to a cisco

interface vlan 10
name wifi
!
interface vlan 11
name lan
ip address 192.168.11.9 255.255.255.0
!

interface gigabitethernet25
channel-group 1 mode auto
!
interface gigabitethernet26
channel-group 1 mode auto
!
interface Port-channel1
description ros
switchport trunk allowed vlan add 10-11

so on bonding1 I should only get vlan 10 and 11 from the cisco

strange thing is when I look at packets on bonding1 I see the packets come in with vlan id 11:7

/tool/sniffer/quick interface=bonding1 ip-address=192.168.11.9

bonding1 4.614 11 ← F8:4F:57:02:2C:2D C4:AD:34:43:55:0E 11:7 192.168.11.9:49153 192.168.10.7:53 (dns) ip:udp 91 0
bonding1 4.614 12 → C4:AD:34:43:55:0E F8:4F:57:02:2C:2D 11 192.168.10.7:53 (dns) 192.168.11.9:49153 ip:udp 198 0
bonding1 4.619 13 ← F8:4F:57:02:2C:2D C4:AD:34:43:55:0E 11:7 192.168.11.9:49153 192.168.10.3:53 (dns) ip:udp 91 0
bonding1 4.62 14 ← F8:4F:57:02:2C:2D C4:AD:34:43:55:0E 11:7 192.168.11.9:49153 192.168.10.3:53 (dns) ip:udp 91 0

/interface bridge
add comment="New Bridge - one bridge to rule them all - per the doco for vlans and bridges" ingress-filtering=no name=newBridge pvid=8 vlan-filtering=yes

/interface bridge port
add bridge=newBridge comment="new bridge link" interface=bonding1
add bridge=newBridge comment="This interface list includes all the ports that are part of the WAN link - NBN " interface=int_list_wan pvid=255

/interface bridge vlan
add bridge=newBridge tagged=bonding1 vlan-ids=10
add bridge=newBridge tagged=bonding1 vlan-ids=11

I’m not sure why the incoming packets show up as vlan 11:7 … so it works as long as I turn off ingress filtering … I presume it filters the packets because 11:7 doesn’t match any of the vlans I have attached to the bridge

No, 11:7 is VLAN ID 11 with priority 7.

You are missing the bridge-to-CPU interface in the bridge VLAN membership:
/interface bridge vlan
add bridge=newBridge tagged=newBridge,bonding1 vlan-ids=10
add bridge=newBridge tagged=newBridge,bonding1 vlan-ids=11
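The membership rule behind that fix, as an added example in Python that is not from the thread or from RouterOS; the VlanBridge model, the parse_vlan_field helper and the simplifications (no frame-types, no tag-stacking, no hardware offload) are my own assumptions:

```python
# Added example: a simplified model of a RouterOS vlan-filtering bridge, enough to
# show why the bridge itself (the bridge-to-CPU port) must be listed under
# /interface bridge vlan before a VLAN can reach an /interface vlan on top of it.
# Assumption: frame-types, tag-stacking and hardware offload are left out.

def parse_vlan_field(field):
    """Decode the VLAN column of /tool sniffer quick: '11:7' is VLAN ID 11 with
    802.1p priority 7; a bare '11' is treated here as priority 0."""
    vid, _, prio = field.partition(":")
    return int(vid), int(prio or 0)


class VlanBridge:
    def __init__(self, name, pvid=1, ingress_filtering=True):
        self.name = name                  # the bridge is also its own CPU port
        self.pvid = {name: pvid}          # port -> PVID; bridge pvid covers the CPU port
        self.members = {}                 # vid -> member ports (tagged or untagged)
        self.ingress_filtering = ingress_filtering

    def add_port(self, port, pvid=1):
        self.pvid[port] = pvid            # /interface bridge port ... pvid=N

    def add_vlan(self, vid, tagged=(), untagged=()):
        self.members.setdefault(vid, set()).update(tagged, untagged)  # /interface bridge vlan

    def forward(self, in_port, vid=None):
        """Ports a frame arriving on in_port can be flooded to; empty set = goes nowhere."""
        if vid is None:                   # untagged frame: classified by the port's PVID
            vid = self.pvid.get(in_port, 1)
        if self.ingress_filtering and in_port not in self.members.get(vid, set()):
            return set()                  # ingress-filtering=yes drops VIDs the port is not in
        return self.members.get(vid, set()) - {in_port}


def thread_scenario():
    """Reproduce the two /interface bridge vlan tables from the thread (constructed)."""
    before = VlanBridge("newBridge", pvid=8)
    before.add_port("bonding1")
    before.add_vlan(10, tagged={"bonding1"})              # CPU port missing
    before.add_vlan(11, tagged={"bonding1"})

    after = VlanBridge("newBridge", pvid=8)
    after.add_port("bonding1")
    after.add_vlan(10, tagged={"newBridge", "bonding1"})  # CPU port added
    after.add_vlan(11, tagged={"newBridge", "bonding1"})

    vid, _prio = parse_vlan_field("11:7")  # the reply seen on bonding1 in the capture
    return before.forward("bonding1", vid), after.forward("bonding1", vid)
```

Without newBridge in the tagged list, a VLAN 11 frame from bonding1 has no other member port to go to, so vlan11 on top of the bridge never sees it; adding the bridge itself gives it the CPU as an egress.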

Okay, great thanks, that seems to be working - but I am not 100% sure why I need it - I thought by adding the vlan port off the bridge it makes the bridge process those vlans … I’m guessing in all my reading I just overlooked it

can you explain why you would ever want a bridge without a cpu bridge port? and if not, why not make it automatic?

last extra question: why are my native ethX ports shown as hardware switched, but my bonding interface isn’t?

priority - who sets that and where, and priority for what?

An /interface vlan object merely inserts the specified VLAN tag for packets on ingress and removes them on egress.

When configuring a Mikrotik device as a switch you may have various untagged and tagged VLANs configured on several ports, but only a single VLAN configured to transit the bridge-to-CPU port for management access to the device.

The VLAN management is currently being reworked so in future adding an /interface vlan to a bridge will automatically add the bridge-to-CPU port as a dynamic entry under /interface bridge vlan. In the meantime http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1 written by @sindy is a good explanation.

How have you configured your bond? Only 802.3ad and balance-xor bonding modes are hardware offloaded, other modes will use the CPU’s resources. The built-in switch chip will always use Layer2+Layer3+Layer4 for a transmit hash policy, changing the transmit hash policy manually will have no effect. See https://help.mikrotik.com/docs/display/ROS/CRS3xx,+CRS5xx,+CCR2116,+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-Bonding

/interface bonding
add mode=802.3ad name=bonding1 slaves=ether23,ether24

Thought I had this solved but - still not working properly. I have an old setup I am trying to move to the proper way to set up and things are breaking as I move them!

I have a bridge br_wifi - this has all of the ports associated with the wifi network - and a br_lan with all of the ports on the LAN

I am trying to create a single bridge with vlan filter
new_bridge and with 4 vlans configured against it
vlan8
vlan9
vlan10
vlan11

what I have done is added the vlan11 interface as a port to bridge br_lan and the vlan10 interface as a bridge port to br_wifi

from an ip on br_wifi I can ping a device on the other end of my newbridge / bond port.

192.168.10.7 → goes to a switch that connects to the crs on ether12
ether12 is a bridge port on br_wifi - no pvid so the default of 1 (this is old)
192.168.10.1 is attached to br_wifi
it gets routed via br_lan 192.168.11.1

br_lan has vlan11 as a bridge port
vlan11 is vlan 11 attached to newbridge
bonding (802.3ad)
newbridge has itself, vlan11, bonding1
packet leaves on bonding1

so the link from 192.168.10.0/24 via the crs to 192.168.11.0/24 (not all of 192.168.11.0/24 is on the bonding) is working

packet capture on all interfaces

ether12    8.996   99  <-   2C:CF:67:2C:7F:18  C4:AD:34:43:55:00        192.168.10.7  192.168.11.9  ip:icmp     98    0
br_wifi    8.996  100  <-   2C:CF:67:2C:7F:18  C4:AD:34:43:55:00        192.168.10.7  192.168.11.9  ip:icmp     98    0
br_lan     8.996  101  ->   C4:AD:34:43:55:0E  F8:4F:57:02:2C:2D        192.168.10.7  192.168.11.9  ip:icmp     98    0
vlan11     8.996  102  ->   C4:AD:34:43:55:0E  F8:4F:57:02:2C:2D        192.168.10.7  192.168.11.9  ip:icmp     98    0
newBridge  8.996  103  ->   C4:AD:34:43:55:0E  F8:4F:57:02:2C:2D  11    192.168.10.7  192.168.11.9  ip:icmp    102    0
bonding1   8.996  104  ->   C4:AD:34:43:55:0E  F8:4F:57:02:2C:2D  11    192.168.10.7  192.168.11.9  ip:icmp    102    0
ether24    8.996  105  ->   C4:AD:34:43:55:0E  F8:4F:57:02:2C:2D  11    192.168.10.7  192.168.11.9  ip:icmp    102    0
ether24    8.997  106  <-   F8:4F:57:02:2C:2D  C4:AD:34:43:55:0E  11:7  192.168.11.9  192.168.10.7  ip:icmp    102    0
bonding1   8.997  107  <-   F8:4F:57:02:2C:2D  C4:AD:34:43:55:0E  11:7  192.168.11.9  192.168.10.7  ip:icmp    102    0
newBridge  8.997  108  <-   F8:4F:57:02:2C:2D  C4:AD:34:43:55:0E  11:7  192.168.11.9  192.168.10.7  ip:icmp    102    0
vlan11     8.997  109  <-   F8:4F:57:02:2C:2D  C4:AD:34:43:55:0E        192.168.11.9  192.168.10.7  ip:icmp     98    0
br_lan     8.997  110  <-   F8:4F:57:02:2C:2D  C4:AD:34:43:55:0E        192.168.11.9  192.168.10.7  ip:icmp     98    0
br_wifi    8.997  111  ->   C4:AD:34:43:55:00  2C:CF:67:2C:7F:18        192.168.11.9  192.168.10.7  ip:icmp     98    0
ether12    8.997  112  ->   C4:AD:34:43:55:00  2C:CF:67:2C:7F:18        192.168.11.9  192.168.10.7  ip:icmp     98    0

this is from a device on br_lan but directly connected to the crs - so into the crs on br_lan, to newbridge, then out bonding0

ether21    8.487    1  <-   DC:A6:32:D4:FA:A7  F8:4F:57:02:2C:2D        192.168.11.3  192.168.11.9  ip:icmp     98    0
vlan11     8.487    2  ->   DC:A6:32:D4:FA:A7  F8:4F:57:02:2C:2D        192.168.11.3  192.168.11.9  ip:icmp     98    0
newBridge  8.487    3  ->   DC:A6:32:D4:FA:A7  F8:4F:57:02:2C:2D  11    192.168.11.3  192.168.11.9  ip:icmp    102    0
bonding1   8.487    4  ->   DC:A6:32:D4:FA:A7  F8:4F:57:02:2C:2D  11    192.168.11.3  192.168.11.9  ip:icmp    102    0
ether23    8.487    5  ->   DC:A6:32:D4:FA:A7  F8:4F:57:02:2C:2D  11    192.168.11.3  192.168.11.9  ip:icmp    102    0
ether24    8.489    6  <-   F8:4F:57:02:2C:2D  DC:A6:32:D4:FA:A7  11:7  192.168.11.9  192.168.11.3  ip:icmp    102    0
bonding1   8.489    7  <-   F8:4F:57:02:2C:2D  DC:A6:32:D4:FA:A7  11:7  192.168.11.9  192.168.11.3  ip:icmp    102    0
newBridge  8.489    8  <-   F8:4F:57:02:2C:2D  DC:A6:32:D4:FA:A7  11:7  192.168.11.9  192.168.11.3  ip:icmp    102    0
vlan11     8.489    9  <-   F8:4F:57:02:2C:2D  DC:A6:32:D4:FA:A7        192.168.11.9  192.168.11.3  ip:icmp     98    0
ether21    8.489   10  ->   F8:4F:57:02:2C:2D  DC:A6:32:D4:FA:A7        192.168.11.9  192.168.11.3  ip:icmp     98    0

My problem is that currently I have the 192.168.11.1 DGW for br_lan on br_lan; I want to move it to the vlan11 interface

add address=192.168.11.1/24 comment="LAN network DGW" interface=br_lan network=192.168.11.0

when I change the interface to vlan11 then devices on vlan11 can’t ARP it; I can see the ARP request coming in on the vlan11 interface but it doesn’t work

it could be the ARP cache I presume, when I move the ip it gets a new mac …

Seems like it was a firewall issue - fixed that and it's working as advertised