VLAN confusion

There seem to be so many different ways to configure VLANs on the Routerboard boxes that, whilst I’m sure it offers ultimately great flexibility, I can’t get them to work!

I have two devices, a RB2011 as the main router at home, and a HEX PoE which is on a mast (which also has a long range PtP wifi radio on it) alongside some other kit. There is only one cat6 cable between the house and the mast, so I’m trying to use VLANs to effectively emulate having two cables up there. There used to be a dumb switch which worked reasonably, but since moving to the HEX PoE I’ve had no end of issues.

Port 1 is the house, port 5 is the dish, there is a VLAN (155) between these and it works perfectly and as expected. There are two other devices on the mast (CCTV camera and a pi) which should be on either VLAN 1 or VLAN 301 (I’ve tried both).

The HEX RB960PGS is configured like this:


[admin@MikroTik] /interface ethernet switch port> print
Flags: I - invalid 
 #   NAME                                 SWITCH                                VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1-house                         wtmastsw                              disabled  add-if-missing               1
 1   ether2                               wtmastsw                              disabled  leave-as-is               auto
 2   ether3                               wtmastsw                              disabled  leave-as-is               auto
 3   ether4                               wtmastsw                              disabled  leave-as-is               auto
 4   ether5-backhaul                      wtmastsw                              secure    always-strip               155
 5   wtmastsw-cpu                         wtmastsw                              disabled  leave-as-is                  1

[admin@MikroTik] /interface ethernet switch vlan> print
Flags: X - disabled, I - invalid 
 #   SWITCH                                                 VLAN-ID PORTS                                               
 0   wtmastsw                                                   155 ether1-house                                        
                                                                    ether5-backhaul                                         
 1   wtmastsw                                                     1 ether1-house                                        
                                                                    ether2                                              
                                                                    ether3                                              
                                                                    ether4                                              
                                                                    wtmastsw-cpu                                        
 2   wtmastsw                                                   301 ether1-house                                        
                                                                    ether2                                              
                                                                    ether3                                              
                                                                    ether4                                              
                                                                    wtmastsw-cpu 
                                                                    
[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running 
 #   NAME                                       MTU ARP             VLAN-ID INTERFACE                                   
 0 R ;;; MGMT VLAN
     vlan1                                     1500 enabled               1 bridge                                      
 1 R vlan301                                   1500 enabled             301 bridge             

[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                       
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge                                                                          
 1   10.38.0.253/24     10.38.0.0       vlan301

The RB2011 has the interfaces vlan155 and vlan301 associated with ether09 (which connects to the HEX PoE) and uses vlan155 as the route for outbound NATted traffic (which works) and vlan301 is added to the main bridge (I’ve also tried with that untagged) which doesn’t. I can’t connect to the admin interface on 10.38.0.253 and the only way of accessing it is 192.168.88.1 which appears in IP > Neighbours when connecting to the 2011 via Winbox.

I get the feeling I’m missing something obvious here.

Please follow my automatic signature below. Your description of the configuration on the 2011 sounds suspicious, the export will give a clear picture. The hEX PoE configuration may also need modification but it seems just unusual to me so far.

Please post the configs of both the RB2011 and the hEX for us to look at.

/export hide-sensitive file=anynameyouwish

I’ll get these exports shortly, I have made some progress…

The VLAN mode table here https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features suggests that VLAN mode = disabled should still pass tagged traffic; however, it seems (perhaps due to port isolation?) even though all the ports were in the right VLAN and all the ports were in a bridge it didn’t! By changing the VLAN mode to fallback I can see one of the devices on the switch and I also seem to be able to get to the admin interface on 10.38.0.253.

So that’s a start 🙂
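
As an added example (not part of the original posts, and not MikroTik code): a small Python model of the switch-chip `vlan-mode` ingress check, run against the port and VLAN tables from the first post. The mode semantics are an assumption taken from the VLAN mode table in the manual linked above; the function names are hypothetical.

```python
# Port -> vlan-mode, copied from the "switch port print" output in the thread.
PORT_MODE = {
    "ether1-house": "disabled",
    "ether2": "disabled",
    "ether3": "disabled",
    "ether4": "disabled",
    "ether5-backhaul": "secure",
    "wtmastsw-cpu": "disabled",
}

# VLAN ID -> member ports, copied from the "switch vlan print" output.
VLAN_TABLE = {
    155: {"ether1-house", "ether5-backhaul"},
    1: {"ether1-house", "ether2", "ether3", "ether4", "wtmastsw-cpu"},
    301: {"ether1-house", "ether2", "ether3", "ether4", "wtmastsw-cpu"},
}


def ingress_decision(mode, vid, port, table=VLAN_TABLE):
    """Return 'forward' or 'drop' for a frame tagged `vid` arriving on `port`."""
    # Assumption: semantics per the vlan-mode table in the Switch Chip Features manual.
    known = vid in table
    member = known and port in table[vid]
    if mode in ("disabled", "fallback"):
        return "forward"  # the VLAN table never causes a drop in these modes
    if mode == "check":
        return "forward" if known else "drop"  # only unknown VLAN IDs are dropped
    if mode == "secure":
        return "forward" if member else "drop"  # port must be a member of the VLAN
    raise ValueError(f"unknown vlan-mode: {mode}")


def audit(port_mode=PORT_MODE, table=VLAN_TABLE):
    """Map each port to the table VLANs it is not a member of but still accepts."""
    findings = {}
    for port, mode in port_mode.items():
        leaks = sorted(v for v, members in table.items()
                       if port not in members
                       and ingress_decision(mode, v, port, table) == "forward")
        if leaks:
            findings[port] = leaks
    return findings


if __name__ == "__main__":
    for port, vids in audit().items():
        print(f"{port}: vlan-mode={PORT_MODE[port]} does not filter VLAN(s) {vids}")
```

With the posted tables, only `ether5-backhaul` enforces its VLAN membership at ingress; the other ports are listed in the VLAN table but their mode never applies it.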

Ok, I think my other issues were just related to ARP caching, when I changed the VLAN modes it all worked as expected after a reboot of the 2011(!)

(as an aside I’ve spent DAYS trying to do this!)

Ok, one outstanding issue (config file attached as requested) on the hEX PoE it seems that traffic isn’t being switched as I’d expect.

There’s a lot of traffic between 10.38.0.64 (on ether4 on the hEX PoE) and 10.38.0.170 (which is connected to the RB2011) over VLAN 301 (this is expected) but what’s odd is that this traffic is also being sent to ether3 on the hEX PoE (which has a pi connected to it) i.e. the Raspberry pi can see traffic between 10.38.0.64 and 10.38.0.170 almost as if there was port mirroring or they were both connected to the hub, as if it hasn’t learnt the appropriate MACs?

Full config attached.
20200519.rsc (2.51 KB)

I won’t bother to look unless there are both configs as per the request.