VLAN dedicated port and tagged in bridge

Hello all

I am pretty new to MikroTik RouterOS.

I have a 10 port MikroTik router. On this router I need to be able to have 6 different LAN networks. I want these to be VLANs with a dedicated physical port. The configuration is as follows (of the interfaces):
Ether1 WAN (No vlan needed)
Ether2 Main_Network
Ether3 Security
Ether4 IoT-Devices
Ether5 Guest_Network
Ether6 Sim_Backhaul
Ether7 Management
Ether8 Main_Network
Ether9 Main_Network
Ether10 Main_Network (On this port I want the other 5 LANs to be a tagged VLAN to send to a switch for further distribution. No help needed over here)
SFP Main_Network

Would someone be able to help me with this config? Currently I have no working config except one where everything is the same subnet. Below you can find a config that might work but not sure.
If there is already a thread with a similar config feel free to let me know.

Best regards
Grumpygiantbe

/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether2 hw=yes pvid=20
add bridge=bridge interface=ether3 hw=yes pvid=21
add bridge=bridge interface=ether4 hw=yes pvid=22
add bridge=bridge interface=ether5 hw=yes pvid=23
add bridge=bridge interface=ether6 hw=yes pvid=24
add bridge=bridge interface=ether7 hw=yes pvid=29
add bridge=bridge interface=ether8 hw=yes pvid=20
add bridge=bridge interface=ether9 hw=yes pvid=20
add bridge=bridge interface=ether10 hw=yes pvid=20
add bridge=bridge interface=sfp hw=yes pvid=20
/interface bridge vlan
add bridge=bridge untagged=ether2,ether7,ether8,ether9,ether10,sfp vlan-ids=20
add bridge=bridge untagged=ether3 tagged=bridge vlan-ids=21
add bridge=bridge untagged=ether4 tagged=bridge vlan-ids=22
add bridge=bridge untagged=ether5 tagged=bridge vlan-ids=23
add bridge=bridge untagged=ether6 tagged=bridge vlan-ids=24
add bridge=bridge untagged=ether7 tagged=bridge vlan-ids=29

Depending on the hardware you are using it can be configured easily. Please have a good look at this topic:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Close!

What is not clear to me is ether10.
In the majority of cases a Router to a Switch scenario port to carry vlans is a trunk port that carries all vlans.
You seem to be indicating that the SWITCH is expecting a HYBRID scenario and CAN handle incoming untagged info (main network) as well as several tagged vlans.
Let's go on that premise for case 1.

Also, you have an error in your config that needs to be fixed!
add bridge=bridge interface=ether4 hw=yes pvid=22
add bridge=bridge interface=ether4 hw=yes pvid=23

One cannot have ether 4 with two untagged vlans, an access port can only have one untagged set of traffic flowing in and out of the port.


Okay so some assumptions…that ether4=22, ether5=23, ether6=24 and ether7=25 (to make up the five vlans).

CASE1: All ports are access ports except port 10 is a hybrid port. I would add ingress filtering and frame-types=admit-priority-and-untagged for all except ether10, but that is up to you.
/interface bridge port
add bridge=bridge interface=ether2 hw=yes pvid=20
add bridge=bridge interface=ether3 hw=yes pvid=21
add bridge=bridge interface=ether4 hw=yes pvid=22
add bridge=bridge interface=ether5 hw=yes pvid=23
add bridge=bridge interface=ether6 hw=yes pvid=24
add bridge=bridge interface=ether7 hw=yes pvid=29
add bridge=bridge interface=ether8 hw=yes pvid=20
add bridge=bridge interface=ether9 hw=yes pvid=20
add bridge=bridge interface=ether10 hw=yes pvid=20
add bridge=bridge interface=sfp hw=yes pvid=20

Now for the bridge vlans, and there are two ways to config this, both valid.

/interface bridge vlan
add bridge=bridge untagged=ether2,ether8,ether9,ether10,sfp vlan-ids=20
add bridge=bridge untagged=ether3 tagged=bridge,ether10 vlan-ids=21
add bridge=bridge untagged=ether4 tagged=bridge,ether10 vlan-ids=22
add bridge=bridge untagged=ether5 tagged=bridge,ether10 vlan-ids=23
add bridge=bridge untagged=ether6 tagged=bridge,ether10 vlan-ids=24
add bridge=bridge untagged=ether7 tagged=bridge,ether10 vlan-ids=29

OR
add bridge=bridge tagged=bridge,ether10 vlan-ids=21
add bridge=bridge tagged=bridge,ether10 vlan-ids=22
add bridge=bridge tagged=bridge,ether10 vlan-ids=23
add bridge=bridge tagged=bridge,ether10 vlan-ids=24
add bridge=bridge tagged=bridge,ether10 vlan-ids=29

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If it's the more common scenario that etherport 10 is a trunk port carrying all vlans tagged to the switch.
/interface bridge port
add bridge=bridge interface=ether2 hw=yes pvid=20
add bridge=bridge interface=ether3 hw=yes pvid=21
add bridge=bridge interface=ether4 hw=yes pvid=22
add bridge=bridge interface=ether5 hw=yes pvid=23
add bridge=bridge interface=ether6 hw=yes pvid=24
add bridge=bridge interface=ether7 hw=yes pvid=29
add bridge=bridge interface=ether8 hw=yes pvid=20
add bridge=bridge interface=ether9 hw=yes pvid=20
add bridge=bridge interface=ether10 hw=yes ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=sfp hw=yes pvid=20

/interface bridge vlan
add bridge=bridge tagged=bridge,ether10 untagged=ether2,ether8,ether9,sfp vlan-ids=20
add bridge=bridge untagged=ether3 tagged=bridge,ether10 vlan-ids=21
add bridge=bridge untagged=ether4 tagged=bridge,ether10 vlan-ids=22
add bridge=bridge untagged=ether5 tagged=bridge,ether10 vlan-ids=23
add bridge=bridge untagged=ether6 tagged=bridge,ether10 vlan-ids=24
add bridge=bridge untagged=ether7 tagged=bridge,ether10 vlan-ids=29

OR
add bridge=bridge tagged=bridge,ether10 vlan-ids=20
add bridge=bridge tagged=bridge,ether10 vlan-ids=21
add bridge=bridge tagged=bridge,ether10 vlan-ids=22
add bridge=bridge tagged=bridge,ether10 vlan-ids=23
add bridge=bridge tagged=bridge,ether10 vlan-ids=24
add bridge=bridge tagged=bridge,ether10 vlan-ids=29
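
An added example, not part of any post in this thread: a short Python check that reads `/interface bridge port` and `/interface bridge vlan` lines like the ones above and flags a port that is added twice, is untagged in more than one VLAN, or whose pvid differs from its untagged VLAN. The function names `parse` and `lint` and the sample input are constructed for illustration; it assumes one entry per line and one VLAN ID per entry.

```python
import re
from collections import defaultdict

# Constructed input: a shortened export with two mistakes of the kind discussed
# in the thread (ether4 added twice; ether7 untagged in both VLAN 20 and 29).
SAMPLE = """\
/interface bridge port
add bridge=bridge interface=ether3 hw=yes pvid=21
add bridge=bridge interface=ether4 hw=yes pvid=22
add bridge=bridge interface=ether4 hw=yes pvid=23
add bridge=bridge interface=ether7 hw=yes pvid=29
/interface bridge vlan
add bridge=bridge untagged=ether7 vlan-ids=20
add bridge=bridge untagged=ether3 tagged=bridge vlan-ids=21
add bridge=bridge untagged=ether4 tagged=bridge vlan-ids=22
add bridge=bridge untagged=ether7 tagged=bridge vlan-ids=29
"""

def parse(export):
    """Split an export into bridge-port and bridge-vlan entries (key=value dicts)."""
    section, entries = None, {"/interface bridge port": [], "/interface bridge vlan": []}
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section in entries:
            entries[section].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return entries["/interface bridge port"], entries["/interface bridge vlan"]

def lint(export):
    """Report ports whose untagged VLAN is ambiguous or disagrees with their pvid."""
    ports, vlans = parse(export)
    findings, pvid = [], {}
    for p in ports:
        name, pv = p["interface"], p.get("pvid", "1")  # RouterOS default pvid is 1
        if name in pvid:
            findings.append(f"{name}: listed twice (pvid {pvid[name]} and {pv})")
        pvid.setdefault(name, pv)
    untagged = defaultdict(set)
    for v in vlans:  # assumes one VLAN ID per entry, as in the thread's configs
        for port in filter(None, v.get("untagged", "").split(",")):
            untagged[port].add(v["vlan-ids"])
    for port, ids in sorted(untagged.items()):
        if len(ids) > 1:
            findings.append(f"{port}: untagged in VLANs {','.join(sorted(ids))}")
        elif port in pvid and pvid[port] not in ids:
            findings.append(f"{port}: pvid {pvid[port]} but untagged in VLAN {min(ids)}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```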

Thank you very much.
There was just a typo in the config that I didn’t catch but would have found. I was remote so couldn’t really test the config. I have a pretty good understanding of networking but the Mikrotik syntax is pretty new to me. Love the stuff btw.

Also thank you for the insight; it makes more sense to just have a trunk and not a hybrid on ether 10 since the only device is the switch. This is also a reason I like Mikrotik: people like you. 🙂

Kind regards
GrumpyGiant

Oh, haha, I am just a hack. Not certified or trained, well except for my self-ordained MTUNA certification.
Follow my advice at your own risk!!

Well just a hack is how I describe myself. Was pretty close but wasn’t sure.
And about the follow at your own risk it sounds like it should work.

Sometimes what a hack needs is the thinking of another hack.

Once again thanks.

GrumpyGiant