Just as I thought I had even a minuscule understanding of how VLANs actually work in MikroTik land, I find that nope, it’s still confusing and makes no sense.
I don’t even touch the switch chip because it’s ridiculously complicated and confusing, and I always do VLANs with bridges.
I found what is maybe a bug, maybe a feature, but it doesn’t make any sense to me.
I’ve set up this topology for labbing. All routers are RB951
On router A1 I have configured a PPPoE client to run on ether2 (the uplink) and it works fine. I also create an ether2.101 interface and include it in the LAN bridge. DHCP server on the LAN bridge.
On A2 I also configure a PPPoE client on ether2 - works fine. And a dhcp-client on ether2.101 - again, works fine.
But on A2, when I add ether2.101 into its LAN bridge and then put the dhcp-client on the LAN bridge, it doesn’t get an IP address. It also doesn’t see LabE/LabA/A1 on the LAN bridge as neighbors either.
I have tried with 6.38.3 and 6.41.3 - same problem
My understanding of how VLANs work in RouterOS when it comes to bridges… (Correct me if I’m wrong)
If you add physical interfaces to a bridge, along with a VLAN interface, then traffic going OUT all physical interfaces will be untagged for that VLAN. Traffic going OUT the VLAN interface will be tagged.
Hence in the above example (ether2.101 and ether3/4/5 are in the LAN bridge), traffic coming IN on ether2 that is tagged with vlan101 will be sent OUT ether3/4/5 untagged. And traffic coming IN ether3/4/5 untagged will be sent OUT ether2.101 tagged.
But when I put ether2.101 in the LAN bridge of ‘A2’ there is no traffic flow at all: no dhcp-client, no neighbors out ether2.101/LAN bridge. As soon as I remove ether2.101 from the LAN bridge, I can see A1 and everything else works (i.e. DHCP), but obviously it’s not going to reach any clients on ports 3/4/5 at A2.
The bridges and bridge ports are all default configuration. VLAN filtering is not turned on, PVID is left at the default of 1 etc. I’ve tried removing and recreating the bridges and VLANs on A2 just to be 100% sure I didn’t accidentally set something I shouldn’t have.
Can someone explain what the heck is going on? This works fine over at A1, it just doesn’t work on A2.
Think I’ve found the issue.
When I look at LabE and go into the Bridge->Ports section and open up ether5.101->Status, I notice it’s flicking between the learning and discarding state (the role stays at designated port).
If I force it to an edge port it works fine. But there is no loop in the network, so why is this happening?
For the lab it’s OK if I turned off BPDU discovery by making it an edge port. But in production I will likely have a switch (or bridged MikroTik) connected to multiple customers and it would be possible for a loop to occur, so I don’t want to make a habit of forcing edge ports. Not to mention the additional troubleshooting time…
EDIT: It doesn’t quite work 100%. A2 still thinks that it is the root bridge; in reality A1 is the root bridge (which is acknowledged by LabA and LabE). I haven’t noticed anything else other than that, but again it could possibly cause an issue if A2 detects a loop and blocks the uplink.
My understanding of how VLANs work on RB is the opposite: if a physical interface is added to a bridge, any tagged traffic will remain tagged on the bridge as well. If you want to untag that traffic, you need to create a VLAN interface somewhere … either on the physical interface (without adding the same to the bridge) and add the resulting VLAN interface to the bridge … or you create a VLAN interface on the bridge and do something with it (you can use it in any way you see fit … the only constraint AFAIK is that you cannot add “both ends” of a VLAN interface to the same bridge).
Your assumption is only partly correct. Traffic going in the physical interface will get tagged and will be sent out tagged through the physical interface, on which the VLAN interface is created.
Wait, hang on, that ‘solution’ implementation for VLANs on a bridge doesn’t make sense.
As you are adding a physical interface to a bridge, then setting PVID. That’s fine, but that’s not AT ALL what I would want to accomplish, because then I can’t use that interface in any other bridges.
And I often create multiple bridges for VLAN traffic, i.e. ether1 has 3 VLANs, ether1.10 / .20 / .30
I’ll create…
ether1.10 and ether3 in a bridge
ether1.20 and ether4 in a bridge
ether1.30 and ether5 in a bridge
ether1 itself is NOT in any bridge.
Net result is ether3 is untagged, but sends tagged out the ether1 uplink on vlan10.
Same story for ether4 & ether5 on vlan 20/30 respectively.
But if I have to add ether1 into the bridge with ether3, then I can’t add it into another bridge with ether4/5.
I also use the ‘vlan on a slave interface’ configuration and it has worked just fine?
Ether1 and ether2 in a bridge,
then I create ether1.10 and bridge that to ether3, set up DHCP or whatever. All tagged/untagged traffic passes between ether1/ether2 fine EXCEPT for VLAN-tagged 10 coming in on ether1, which then goes out untagged on ether3.
The new bridge design assumes that you have a single common bridge for several (or all) VLANs and several (or all) physical interfaces, and you use either vlan filtering on bridge level or vlan configuration at switch level to indicate which VLAN may be let in and out on which physical interface. If you filter VLANs in the switch chip, you can use “hardware-accelerated bridging” which means that the packets between two interfaces of the switch chip are forwarded directly between them, bypassing the CPU.
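The ether1/ether3/ether4/ether5 layout from the post above, written out both ways: one bridge per VLAN, and the single VLAN-filtering bridge that the last reply describes. This is an added example, not configuration posted by anyone in the thread; the bridge names are assumed, ether1 is assumed to carry only tagged traffic, and the `frame-types` / `ingress-filtering` port settings are an addition the thread does not discuss.

```routeros
# Added example (not from the thread). Apply (a) OR (b), never both.

# --- (a) One bridge per VLAN: ether1 itself is in no bridge ---
/interface vlan
add name=ether1.10 interface=ether1 vlan-id=10
add name=ether1.20 interface=ether1 vlan-id=20
add name=ether1.30 interface=ether1 vlan-id=30
/interface bridge
add name=br-vlan10
add name=br-vlan20
add name=br-vlan30
/interface bridge port
add bridge=br-vlan10 interface=ether1.10
add bridge=br-vlan10 interface=ether3
add bridge=br-vlan20 interface=ether1.20
add bridge=br-vlan20 interface=ether4
add bridge=br-vlan30 interface=ether1.30
add bridge=br-vlan30 interface=ether5

# --- (b) Single VLAN-aware bridge (bridge VLAN filtering) ---
# Create the bridge with filtering off so the VLAN table can be built first.
/interface bridge
add name=bridge1 vlan-filtering=no

# Trunk port: tagged frames only. Access ports: untagged only, PVID = VLAN.
# ingress-filtering drops frames whose VLAN is not allowed on that port.
/interface bridge port
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table: which VLAN leaves which port tagged or untagged.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=ether1 untagged=ether3
add bridge=bridge1 vlan-ids=20 tagged=ether1 untagged=ether4
add bridge=bridge1 vlan-ids=30 tagged=ether1 untagged=ether5

# Enable filtering last, from a management path that does not depend on
# bridge1, so an incomplete VLAN table cannot cut off access to the router.
/interface bridge set bridge1 vlan-filtering=yes
```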