Vlan and bridge

jeanpara · April 19, 2020, 6:08am

Hello win,
I have a fairly basic network, port 1 wan.
port 2,3,4,5 in a bridge interface.
I have a data network 192.168.1.0/24
Voip network (vlan: 20) 10.11.12.0/24 associate with interface 2.

I would rather associate the vlan20 with the bridge interface.
But once associate the voice passes pu.
I tried to activate on the bridge vlan filtering.
its gives nothing.

I also try to tagged in vlans in the bridge interface, it doesn’t work.

You have an idea?? Thank you

here is my config:

/interface bridge
add name=BR-Data
/interface ethernet
set [ find default-name=ether1 ] comment=Wan name=WAN speed=100Mbps
set [ find default-name=ether2 ] comment=Trunk speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface vlan
add interface=ether2 name=Vlan-Voix-20 vlan-id=20
/interface list
add name=jp
add name=ovpn
add name=lan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 name=profile-jean nat-traversal=no
/ip ipsec peer
add address=2xx.xxx.xx.xxx/32 name=peer-jean profile=profile-jean
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add enc-algorithms=3des name=proposal-jean pfs-group=none
/ip pool
add name=Pool-Data ranges=192.168.1.100-192.168.1.150
add name=Pool-Voip ranges=10.11.12.2-10.11.12.254
add name=ovpn ranges=172.16.6.10-172.16.6.200
/ip dhcp-server
add address-pool=Pool-Data disabled=no interface=BR-Data lease-time=1h name=
DHCP-Data
add address-pool=Pool-Voip disabled=no interface=Vlan-Voix-20 lease-time=2d
name=DHCP-Voix
/ppp profile
add change-tcp-mss=yes local-address=172.16.6.1 name=maison remote-address=
ovpn use-compression=no use-mpls=no
add dns-server=172.16.6.1 local-address=192.168.1.1 name=OVPN-Client
remote-address=Pool-Data
add change-tcp-mss=yes name=default_ovpn use-compression=no use-encryption=
yes use-mpls=no
/snmp community
set [ find default=yes ] addresses=192.168.1.0/24 write-access=yes
/system logging action
add disk-file-name=Userlog name=userlog target=disk
add disk-file-name=ATTACK name=ATTACK target=disk
/user group
set full policy=“local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas
sword,web,sniff,sensitive,api,romon,dude,tikapp”
/dude
set enabled=yes
/interface bridge port
add bridge=BR-Data interface=ether2
add bridge=BR-Data interface=ether3
add bridge=BR-Data interface=ether4
add bridge=BR-Data interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=*2000011
/interface detect-internet
set detect-interface-list=all
/interface ethernet switch vlan
add independent-learning=no ports=ether5 switch=switch1 vlan-id=200
/interface l2tp-server server
set allow-fast-path=yes default-profile=default enabled=yes use-ipsec=yes
/interface list member
add interface=BR-Data list=lan
/interface ovpn-server server
set certificate=OvpnServer cipher=aes256 default-profile=default_ovpn
enabled=yes keepalive-timeout=30 require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip accounting
set account-local-traffic=yes enabled=yes
/ip accounting web-access
set accessible-via-web=yes
/ip address
add address=192.168.1.1/24 interface=BR-Data network=192.168.1.0
add address=10.11.12.1/24 interface=Vlan-Voix-20 network=10.11.12.0
add address=10.11.50.1/24 interface=BR-Data network=10.11.50.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m

/ip dhcp-server network
add address=10.11.12.0/24 dns-server=192.168.1.1 domain=Maison.local gateway=
10.11.12.1 netmask=24
add address=192.168.1.0/24 dns-server=192.168.1.11,192.168.1.1 domain=
Maison.local gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.250 name=clo
/ip firewall address-list
add address=172.16.6.0/24 list=openvpn
/ip firewall filter
add action=jump chain=input disabled=yes in-interface=WAN jump-target=
ch-in-wan
add action=accept chain=ch-in-wan comment=“Permit SAFE Router” in-interface=
WAN src-address-list=Safe
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward disabled=yes dst-address=192.168.4.0/23
src-address=10.11.50.0/24
add action=accept chain=ch-in-wan disabled=yes in-interface=WAN protocol=
ipsec-esp
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment=“Allow OpenVPN” dst-port=1194 protocol=
tcp
add action=accept chain=ch-in-wan comment=“#1 DNS” connection-state=
established,related protocol=udp src-port=53
add action=accept chain=ch-in-wan comment=“#2 NTP” connection-state=
established,related protocol=udp src-port=123
add action=accept chain=ch-in-wan comment=“Allow L2TP/IPSec” disabled=yes
dst-port=1701,500,4500 protocol=udp
add action=add-src-to-address-list address-list=BLACKLIST
address-list-timeout=30m chain=ch-in-wan comment=“#3 PSD” protocol=tcp
psd=21,3s,3,1
add action=add-src-to-address-list address-list=BLACKLIST
address-list-timeout=30m chain=ch-in-wan comment=“#4 telnet, ssh”
dst-port=22,23 protocol=tcp
add action=drop chain=ch-in-wan comment=“#5 BLACKLIST” disabled=yes log=yes
log-prefix=“BLACKLIST===” src-address-list=BLACKLIST
add action=accept chain=ch-in-wan comment=“echo requests” icmp-options=8:0
protocol=icmp
add action=accept chain=ch-in-wan comment=“#6 echo reply” icmp-options=0:0
protocol=icmp
add action=drop chain=ch-in-wan comment=“#7 http(s)” dst-port=80,443,8080
log=yes log-prefix=“HTTP(S)===” protocol=tcp
add action=accept chain=ch-in-wan comment=“#8 established, related”
connection-state=established,related
add action=drop chain=ch-in-wan comment=“#9 Catch-all” log=yes log-prefix=
“CATCH-ALL===”
add action=return chain=ch-in-wan comment=“#10 return”
/ip firewall nat
add action=dst-nat chain=dstnat comment=“Serveur FTP” disabled=yes
dst-address-list=Safe dst-port=21 in-interface=WAN protocol=tcp
to-addresses=192.168.1.250 to-ports=21
add action=masquerade chain=srcnat comment=“defconf: masquerade”
out-interface-list=*2000010
add action=accept chain=srcnat comment=“Regle IPSEC Mirazed” dst-address=
192.168.4.0/23 src-address=10.11.50.0/24
add action=masquerade chain=srcnat comment=“Harpin Nat” disabled=yes
dst-address=!66.130.190.20 out-interface-list=*2000010 src-address=
192.168.1.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=66.130.190.20
dst-address-type=local dst-port=80 protocol=tcp to-addresses=
192.168.1.5 to-ports=80
/ip firewall raw
add action=drop chain=prerouting comment=“Drop BLACKLIST” src-address-list=
BLACKLIST
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes ports=5060
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip route

/ip service
set telnet disabled=yes
set ftp disabled=yes port=2100
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret

/snmp
set enabled=yes trap-generators=interfaces trap-interfaces=all trap-version=2
/system clock
set time-zone-name=America/Toronto
/system identity
set name=CAMfdsafdsonhfhfsdaf
/system logging
add action=userlog topics=account
/system note
set show-at-login=no
/system package update
set channel=testing
/system routerboard settings

Firmware upgraded successfully, please reboot for changes to take effect!

set silent-boot=yes

/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set authenticate=no enabled=no

mkx · April 19, 2020, 10:25am

High level LAN layout is not clear from your description … e.g. for VoIP network, is RB acting as a router-on-a-stick and you connect all VoIP devices to some switch downstream from ether2?

BTW, there’s seemingly a leftover config line … get rid of it:

/interface ethernet switch vlan
add independent-learning=no ports=ether5 switch=switch1 vlan-id=200

Further ideas after we get a bit better insight into your setup.

jeanpara · April 19, 2020, 8:56pm

hello mkx, sorry i wasn’t very specific. I made a plan which will help to understand.
I have a router and a manageable switch.
I have an ip address for the BR-Data. And I would like to put vlan 20 in BR-data instead of the ether2 interface.

I deleted this: / ethernet switch vlan interface
add independent-learning = no ports = ether5 switch = switch1 vlan-id = 200
Thank you

anav · April 20, 2020, 12:27pm

Well there is one issue,
You have the vlan associated with ether2 vice the bridge.
IN addition you have the bridge serving the lanip of your network
So you cannot really add the vlan to the bridge since you have the bridge already doing dhcp.

Easy solution from my vlan centric point of view.
Just remove the bridge from dhcp responsibilities and create a home vlan10
add vlan10 with interface bridge
change vlan 20 with interface to bridge (instead of two ether 2).
Modify IP address interface is the applicable vlan, dhcp-server and dhcp network-appropriately and pool etc.

In bridge ports ethe2 stays the same (trunk port)
In bridge ports ether3-4 if serving pcs for example (access ports)
add bridge=BR-Data interface=ether3 pvid=vlan10

add bridge vlan filtering
/interface bridge vlan
add bridge=BR-Data tagged=ether2 untagged=eth3,eth4,eth5 vlan-ids=10
add bridge=BR-Data tagged=ether2 vlan-ids=20

The large bubble under the switch is being served by vlan10 etc.

Zacharias · April 20, 2020, 2:00pm

There is not need for Bridge VLAN filtering on the Router itself if we just need to use the eth2 port for the Trunk, i had a recent discussion on that with @mkx, tested as well on GNS3 and it works fine…
At your main router it is enough to create an Interface VLAN for the VIDs, eg one for Vlan ID 10 on eth2 and VLAN ID 20 on eth2 as well… Set IP addresses, DHCP etc…
Then configure the Bridge VLAN filtering on the Switch…

jeanpara · April 21, 2020, 2:55pm

Hello again,
I worked on a router already in place with a client and weirdly everything works with a dhcp on the bridge and a vlan associated with the bridge.
this dear mikrotik he does everything but …
thank you for helping me understand.

Config of Master:

/interface bridge
add fast-forward=no name=BR-LAN-
add fast-forward=no name=BR-WIFI-Invite
/interface ethernet
set [ find default-name=combo1 ] comment=Combo1 name=WAN-Videotron
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] comment="VRRP-Bridge Spanning" speed=100Mbps
set [ find default-name=ether7 ] comment="VRRP-Bridge Spanning" speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-full,100M-full,1000M-full

/interface vrrp
add interface=BR-LAN name=VRRP-Data

/interface vlan
add comment="VoIP VLAN" interface=BR-LAN name=VLAN-Voip100 vlan-id=\
    100

/interface vrrp
add interface=VLAN-Voip100 name=VRRP-Voip

/interface sstp-client
add authentication=mschap2 certificate=cert_export_SSTP-TotoSHVS.crt_0 \
    connect-to=192.252.132.210 disabled=no name=SSTP-TotoSHVS user=\
    SSTP-TotoSHVS

/interface list
add name=Infographie
add name=L2TP
add name=ISP
add name=VPN
add exclude=dynamic name=discover
add name=List-LAN

/ip dhcp-server option
add code=6 name="DNS Server" value="'192.168.4.10'"
add code=46 name="WINS/NETBIOS node type" value="'0x08'"
add code=132 name=VLAN100 value="s'100'"


/ip pool
add name="Pool Informatique 2" ranges=192.168.5.30-192.168.5.149
add name=Pool-WL-Invite ranges=192.168.20.10-192.168.20.254
add name=OVPN-Pool ranges=172.20.0.2-172.20.0.253
add name=PoolVoIP ranges=192.168.35.100-192.168.35.225

/ip dhcp-server
add address-pool=Pool-WL-Invite authoritative=after-2sec-delay disabled=no \
    interface=BR-WIFI-Invite lease-time=8h name=DHCP-WL-Invite
add address-pool=PoolVoIP disabled=no interface=VLAN-Voip100 lease-time=8h \
    name=DHCP-VoIP

/ip pool
add name=dhcp next-pool="Pool Informatique 2" ranges=\
    192.168.4.50-192.168.4.209

/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    BR-LAN lease-time=8h name=DHCP-Toto

/interface bridge port
add bridge=BR-LAN interface=ether6
add bridge=BR-LAN interface=ether7

/interface ovpn-server server
set auth=sha1 certificate=TotoShLocal cipher=aes256 default-profile=\
    OVPN-Client enabled=yes require-client-certificate=yes

/interface sstp-server server
set authentication=mschap2 certificate=Toto default-profile=\
    default-encryption enabled=yes verify-client-certificate=yes

/ip address
add address=xxx.xxx.xx.xx/xx comment="Internet Fibre Videotron" interface=\
    WAN-Videotron network=207.253.66.176
add address=192.168.4.1/23 comment="Adresse IP LAN" interface=VRRP-Data \
    network=192.168.4.0
add address=192.168.4.2/23 comment="Adresse IP LAN" interface=BR-LAN \
    network=192.168.4.0
add address=192.168.35.1/24 comment="Adresse IP Range Telephonie" interface=\
    VRRP-Voip network=192.168.35.0
add address=192.168.20.1/24 comment="R\E9seau sans-fil invite" interface=\
    BR-WIFI-Invite network=192.168.20.0
add address=xxx.xxx.xx.xx/xx comment="Internet Fibre Videotron" interface=\
    WAN-Videotron network=207.253.66.176
add address=172.20.0.1/24 comment="Reseau pour l'OpenVPN" interface=\
    BR-LAN network=172.20.0.0
add address=192.168.35.253/24 comment="Adresse IP Range Telephonie" \
    interface=VLAN-Voip100 network=192.168.35.0
add address=10.11.11.9/30 comment=Gre-Toto disabled=yes network=10.11.11.8

/ip cloud
set ddns-enabled=yes ddns-update-interval=1m

/ip dhcp-server lease
add address=192.168.4.51 comment=POSTE_MIGRATION mac-address=\
    00:27:0E:24:5D:90 server=DHCP-Toto
add address=192.168.4.53 comment=MZ- mac-address=A8:60:B6:09:E1:ED \
    server=DHCP-Toto

/ip dhcp-server network
add address=172.20.0.0/24 dns-server=172.20.0.1 gateway=172.20.0.1
add address=192.168.4.0/23 dhcp-option="WINS/NETBIOS node type,VLAN100" \
    dns-server=192.168.4.10,172.16.98.10 domain=Toto.com gateway=\
    192.168.4.1 netmask=23
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.35.0/24 dhcp-option=VLAN100 dns-server=192.168.35.1 \
    gateway=192.168.35.1

/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,205.151.222.111,205.151.222.112,4.2.2.2

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

Zacharias · April 21, 2020, 3:34pm

@jeanpara so does everything work or not ? I got confused

jeanpara · April 21, 2020, 4:15pm

anav says it can’t work if dhcp is enabled on the bridge and associating a vlan with the bridge. Well I’m just saying that I saw her on a router in production and it works.

so I too am confused

Zacharias · April 22, 2020, 9:41am

That is correct…