I seem to be struggling with the correct VLAN configuration for this network diagram. Can someone advise what is incorrect? The switch doesn’t seem to be receiving the trunk traffic for vlan156 correctly.
RB4011
I do have questions on the vlans.
Where is vlan156 traffic going mostly.
Is there something on vlan156 that all users will be accessing a lot and if so which port it is located on…
Same with all the other vlans? (172,180,190)
Is it all traffic out internet or to local servers and if so where are servers located etc…
I am thinking there has to be a better way to organize/optimize your requirements, but not sure.
Your CAPAC is configured weirdly but if it works it works.
What is not clear to me is which is the Management or Trusted VLAN??
Can I assume that vlan156 also acts as a management vlan as well as a data vlan.
In other words all the users on vlan156 should have access to config all smart devices ??
Yes, vlan156 is the trusted/mgmt. These are all my personal devices. I would be fine/happy if vlan156 was untagged (if that’s easier) everywhere except going towards the Brocade over the sfp trunk but I don’t know how this looks going to the CapAC. I might have noticed slow speeds on CapAC, but won’t really know until I get the 4011 straightened out.
I have firewall rules to prevent ingress to LanBridge (vlan156). vlan172 gets a bunch of traffic the other vlans do not. I didn’t include the firewall in the config since I’m just trying to figure out the bridging/trunking.
The SFP has nothing to do with LAN bridge anyway.
So how do you specify the trunk? Do I just add the VLAN interfaces to the SFP interface? Like so?
This cleans up the capac to work properly and will be fully reachable from 156 via the trunk port from RB4011 to the trunk port ether1 on the capac.
I didn't include the wifi settings as they should be fine (separate from vlan and bridge settings).
Getting the most out of your wifi is another topic altogether
my capac is set to 5GHz A/N/AC, 20/40 Ce AND 2GHz to G/N 20
You will see at the bottom of the config I added an optional set of config lines that would allow you to setup the ether2 on the capac to
a. provide emergency access if the bridge hiccups OR
b. a safe place to configure the capac settings separate from the bridge.
My recommendation is the first thing you do is remove ether2 from the bridge, give it a name,
add the IP address suggested and probably done. Next plug in your laptop to ether2 of the capac and enter an IP address of let's say
192.168.5.5 in the ipv4 settings and you should be in.
Then do the rest of the configuration from this access.
I can do this because the capac is in an accessible location; if it's not, it's worthwhile running a long ethernet cable to a location where you can put your laptop and plug it in for future work.
# model = RouterBOARD cAP Gi-5acD2nD
# fixed
/interface bridge
add name=capBridge protocol-mode=none pvid=1 vlan-filtering=yes
/interface vlan
add interface=capBridge name=vlan156-Trusted vlan-id=156
/interface bridge port
# ether1 is the trunk towards the RB4011: tagged frames only
add bridge=capBridge interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# wireless interfaces are access ports: the pvid assigns untagged client traffic to the VLAN
# (RouterOS spells this frame type admit-only-untagged-and-priority-tagged)
add bridge=capBridge interface=wlan5 pvid=156 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=capBridge interface=wlan24 pvid=156 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=capBridge interface=virtualWLANX pvid=180 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=capBridge interface=virtualWLANY pvid=190 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=capBridge tagged=capBridge,ether1 untagged=wlan5,wlan24 vlan-ids=156
# ether1 must also be tagged for 180 and 190, otherwise the virtual WLAN traffic cannot leave the cAP over the trunk
add bridge=capBridge tagged=capBridge,ether1 untagged=virtualWLANX vlan-ids=180
add bridge=capBridge tagged=capBridge,ether1 untagged=virtualWLANY vlan-ids=190
/ip address
add address=192.168.156.3/24 interface=vlan156-Trusted network=192.168.156.0
# Added
/interface list
add name=MGMT
/interface list member
add interface=vlan156-Trusted list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip dns
set allow-remote-requests=yes servers=192.168.156.1 comment="dns through trusted subnet gateway"
/ip route
# gateway corrected to the trusted-subnet gateway 192.168.156.1 (the original read 192.168.158.1, which is not in the cAP's subnet)
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.156.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
# CONSIDER ADDING (ether2 is renamed ether2-emergaccess so the name matches the /ip address line below)
/interface ethernet
set [ find default-name=ether2 ] name=ether2-emergaccess
/ip address
# a host address, not the network address; the laptop plugged into ether2 then uses e.g. 192.168.5.5/24
add address=192.168.5.1/24 interface=ether2-emergaccess network=192.168.5.0
/interface list member
# vlan156-Trusted is already a member from the section above; only the emergency-access port is new
add interface=ether2-emergaccess list=MGMT
Should I be using use-tag and setting the VLAN ID (to 156) in the wlan interfaces? Or is it just needed in the bridge port VLAN?
But when I turned on vlan-filtering in the router (RB4011) I lose network access on both the Cap and Brocade. Ether ports 6-9 work. Something isn’t correct with the trunking.
Yeah, I suppose the RB4011 and Capac have to be on the same wavelength vis-a-vis how the bridge is setup (default vlan-id=1).
I setup my capac the way I do, so the wireless settings are just wifi settings, no vlan settings within wifi settings.
Will take a look later today, bit busy at the moment.
WEIRD! I saw another post of yours and made some changes and it’s working for vlan156 wired/wifi/sfp! However, I think the CAP is still incorrect.
Changed:
vlan156-Brocade was removed from sfp.
Added generic vlan156 to lanBridge interface
Bridge Port: removed vlan156-Brocade and replaced it with just the sfp interface
Bridge VLAN: tagged sfp
So how do I get the ether10S2 working like the SFP? Because following the same config logic doesn’t work (tested).
# aug/24/2022 12:20:12 by RouterOS 6.48.6
# software id = 8PQW-VGK7
#
# model = RB4011iGS+
# serial number = AAAF09C9E66C
/interface bridge
add admin-mac=E4:8D:8C:0B:60:ED auto-mac=no name=lanBridge protocol-mode=none pvid=156 vlan-filtering=yes
/interface vlan
# MOVED vlan156-Brocade to this
add interface=lanBridge name=vlan156 vlan-id=156
# WIFI WORKS if I keep it like this
add interface=ether10-S2 name=vlan156-WiFi vlan-id=156
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=ether10-S2 name=vlan190-SmartHome vlan-id=190
add interface=sfp-brocade name=vlan172-VM vlan-id=172
add interface=sfp-brocade name=vlan180-Cameras vlan-id=180
/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan156-WiFi pvid=156
# Doing the same for ether10-S2 does not work like it does for Brocade/sfp so I have it disabled
add bridge=lanBridge disabled=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2 pvid=156
/interface bridge vlan
add bridge=lanBridge tagged=sfp-brocade,vlan156-WiFi untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156
Spoke too soon, I tried again, and I was able to get rid of vlan156-Wifi and just use the ether10S2 interface. So now the cap is configured as you suggested and the virtual wlans are working.
So networking is looking good across subnets except now I have a loop…
Loop Protect: on doesn’t help
Turning on STP brings down the network
interface,warning sfp-brocade: bridge port received packet with own address as source address (b8:69:f4:e6:b9:b5), probably loop
You work fast LOL. I have electricians, sheet metal workers and refrigerants at the home at the moment and thus not able to keep up.
Will look at your latest two configs when I can. I am sure it's almost there.
(1) I am confused by your RB4011 setup.
If you are running VLAN156 on the bridge as you have here stated in two ways…
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade pvid=156
The issue…
You have stated by adding the PVID=156 that this is either an access port or hybrid port. However the frame-types stated mean the port is a Trunk port (vlans only).
Suggest if it's meant as a hybrid port, get rid of frame-types. On the other hand if it's truly a trunk port get rid of the PVID setting.
(2) For the /interface vlan setting
/interface bridge vlan
add bridge=lanBridge tagged=???, sfp-brocade,ether10-S2 untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156
Guess what you forgot to tag … the bridge!!
Should be…
/interface bridge vlan
add bridge=lanBridge tagged=lanBridge,sfp-brocade,ether10-S2 untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156
(3) After looking at the interface bridge vlan settings, it's clear on the /interface bridge ports
you only need to remove the PVID=156 as it appears to be a trunk port for sfp-brocade
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade
OK I configured as suggested. It took a few minutes to “set” so I was probably just impatient when I tested before. Almost there…
I still have this loop issue. I had a (wifi) chromecast device that kept sneaking onto the VM DHCP (vlan172) which is crazy because 172 isn’t even hanging off the wifi. I kept deleting the Dynamic DHCP record and it kept coming back. Finally I deleted the record but rebooted the chromecast and it’s back on the 156 network with the correct IP. The logs appear to indicate that 0.0.0.0 is receiving the DHCP packet and it’s going to all DHCP servers?
(1) Too fancy on the bridge, leave it to default!!! The only thing needed 99% of the time on the bridge is a unique name if you want one and activating vlan-filtering=yes.
So, GET RID OF admit-only-vlan-tagged and ingress-filtering. Only required at /interface bridge ports. Keep it simple!!
(2) Just not sure about your ether10??? Why is the pvid still there. Clearly you are sending it out as part of a trunk port in accordance with your /interface bridge vlan settings??
Note in the same line you state admit-only-vlan-tagged ??? Thus another clue that the pvid is wrong!!
I’m 98% there! Thanks for all your help so far. I’ve added the bridge and removed PVID as you suggested.
So get this. On the Brocade, all the VLANs work except for vlan156!! Vlan 172, 180, 190 when I plug in, I get a DHCP address, can ping the gateway, can get to the internet (when not blocked by firewall). WiFi vlan156 works fine! It’s just the brocade vlan156. I plug into one of the brocade vlan156 ports and I get a DHCP address but I can’t ping anything. I thought it might be firewall somehow so I added an INPUT/FORWARD allow rule for my IP address and I could see that packet counter but no improvement. I ran Torch on the sfp-brocade and I can see “156” in the VLAN column for traffic. Is traffic not routing back? Does the Brocade switch need a virtual interface IP address in VLAN 156 to route (I don’t have that for the other VLANs)?
BTW, I believe I resolved that loop error I was getting by removing “Dual-Mode” from Default Vlan 1 on Brocade. Now the Brocade should only be sending Tagged traffic.
Not that it should make a difference but set this to none…
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
Your MT is set up correctly, sorry cannot help with your non-MT switch settings as I don't have that unit…
The above suggests that the Brocade access port is setup correctly. And that it is probably a firewall issue. Although it does assume you are getting an ip address from the home-pool (192.168.156.150-192.168.156.250), which you don’t explicitly state.
/interface list
add name=Isolated
add include=none name=WAN
add name=LAN
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
But I see no LAN or vlan156-Home in your /ip firewall filter stanza.
The other thing I see that looks odd to me is that you are creating vlan interfaces on interfaces that belong to the bridge. I think that is a configuration error. Note Well: (edit) The following was accidentally copied from post #16 (as noted by @anav in post #21. See my follow up in post #22
/interface vlan
add interface=ether10-S2 loop-protect=on name=vlan50-Guest vlan-id=50
add interface=lanBridge loop-protect=on name=vlan156-Home vlan-id=156
add interface=sfp-brocade loop-protect=on name=vlan172-VM vlan-id=172
add interface=sfp-brocade loop-protect=on name=vlan180-Cameras vlan-id=180
add interface=ether10-S2 loop-protect=on name=vlan190-SmartHome vlan-id=190
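The three checks the replies in this thread converge on (a trunk port that still carries a pvid, a VLAN whose tagged= list is missing the bridge itself, and an /interface vlan created on a bridge port instead of on the bridge) as an added linter. This is example code written for this page, not code from the thread or from MikroTik. It assumes RouterOS v6 export syntax as posted above; the two embedded exports are constructed from the RB4011 config in the thread (one as posted, one with the fixes applied), and range syntax such as vlan-ids=100-110 is not expanded.

```python
"""Lint a RouterOS v6 export for the bridge-VLAN mistakes discussed in this thread.

Added example, not code from the thread or from MikroTik.  Checks:
 (1) port with frame-types=admit-only-vlan-tagged (trunk) but a non-default pvid
 (2) /interface vlan on the bridge whose vlan-id does not list the bridge in tagged=
 (3) /interface vlan hung off a bridge port rather than off the bridge
"""
import shlex

# Constructed sample: the RB4011 config as posted, before the fixes.
BROKEN_EXPORT = """\
/interface bridge
add name=lanBridge protocol-mode=none pvid=156 vlan-filtering=yes
/interface vlan
add interface=lanBridge name=vlan156 vlan-id=156
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=sfp-brocade name=vlan172-VM vlan-id=172
/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2 pvid=156
/interface bridge vlan
add bridge=lanBridge tagged=sfp-brocade,ether10-S2 untagged=ether7-S2 vlan-ids=156
"""

# Constructed sample: the same config with the thread's three fixes applied.
FIXED_EXPORT = """\
/interface bridge
add name=lanBridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=lanBridge name=vlan156 vlan-id=156
add interface=lanBridge name=vlan50-Guest vlan-id=50
add interface=lanBridge name=vlan172-VM vlan-id=172
/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2
/interface bridge vlan
add bridge=lanBridge tagged=lanBridge,sfp-brocade,ether10-S2 untagged=ether7-S2 vlan-ids=156
add bridge=lanBridge tagged=lanBridge,ether10-S2 vlan-ids=50
add bridge=lanBridge tagged=lanBridge,sfp-brocade vlan-ids=172
"""


def parse_export(text):
    """Map each '/section' header to the key=value dicts of its add/set lines."""
    sections, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        if section is None:
            continue
        words = shlex.split(line)
        if words[0] not in ("add", "set"):
            continue
        # Tokens without '=' (e.g. a '[ find ... ]' selector) are not properties.
        sections[section].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return sections


def lint_bridge_vlans(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_export(text)
    ports = cfg.get("/interface bridge port", [])
    findings = []
    slave_of = {p["interface"]: p["bridge"] for p in ports if "interface" in p and "bridge" in p}
    bridges = set(slave_of.values())

    # (1) tagged-only (trunk) port that still carries a non-default pvid
    for p in ports:
        if p.get("frame-types") == "admit-only-vlan-tagged" and p.get("pvid", "1") != "1":
            findings.append(f"{p['interface']}: admit-only-vlan-tagged (trunk) but pvid={p['pvid']}; "
                            "drop the pvid, or drop frame-types if a hybrid port is intended")

    # tagged members per (bridge, vlan-id); comma lists handled, ranges not expanded (assumption)
    tagged = {}
    for v in cfg.get("/interface bridge vlan", []):
        members = {m for m in v.get("tagged", "").split(",") if m}
        for vid in v.get("vlan-ids", "").split(","):
            tagged[(v["bridge"], vid)] = members

    for iv in cfg.get("/interface vlan", []):
        parent, vid, name = iv["interface"], iv["vlan-id"], iv["name"]
        if parent in bridges:
            # (2) the router's own L3 interface only works if the bridge is a tagged member
            members = tagged.get((parent, vid))
            if members is None:
                findings.append(f"{name}: no /interface bridge vlan entry for vlan {vid} on {parent}")
            elif parent not in members:
                findings.append(f"{name}: vlan {vid} on {parent} but {parent} is missing from tagged=; "
                                "the router itself cannot send or receive on that VLAN")
        elif parent in slave_of:
            # (3) a VLAN interface on a bridge port bypasses the bridge VLAN table
            findings.append(f"{name}: /interface vlan on {parent}, a port of {slave_of[parent]}; "
                            f"with vlan-filtering=yes create it on {slave_of[parent]} instead")
    return findings


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(f"--- {label}")
        for finding in lint_bridge_vlans(export) or ["OK"]:
            print(finding)
```

Run it against a real `/export` saved from the router (`lint_bridge_vlans(open("export.rsc").read())`) after every bridge change; the "fixed" sample shows the target shape: trunk ports with no pvid, every VLAN the router has an address on listing the bridge under tagged=, and all /interface vlan entries on the bridge.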