vlan-filtering

woro · April 21, 2018, 7:41pm

Hi,

I’m struggling with the new vlan-filtering.

My desired configuration:
ether1 : VLAN trunk for PVID 1, 10 and 11 where 1 should be untagged (default) and 10 and 11 tagged
ether5 : VLAN with PVID 10 (untagged) but also carrying PVID 11 tagged

My setup as I understood is required since 6.41:

I have no VLAN interfaces (I think they are not required anymore when vlan-filtering is used?)

Bridge list:

[admin@hap-dg] /interface bridge> print
Flags: X - disabled, R - running 
 1 R name="bridge-vlan" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=CC:2D:E0:C2:CF:8D protocol-mode=rstp fast-forward=yes 
     igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes pvid=1

Bridge port list:

Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
#     INTERFACE                                     BRIDGE                                     HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
0   H ether2                                        bridge                                     yes    1     0x80         10                 10       none
3 I   ether1                                        bridge-vlan                                yes    1     0x80         10                 10       none
6 I   ether5                                        bridge-vlan                                yes   10     0x80         10                 10       none

Bridge VLAN list

Flags: X - disabled, D - dynamic 
0 D bridge=*A vlan-ids=10 tagged="" untagged="" current-tagged="" current-untagged=ether5 
1   bridge=bridge-vlan vlan-ids=10 tagged=ether1 untagged=ether5 current-tagged="" current-untagged=bridge-vlan 
2   bridge=bridge-vlan vlan-ids=11 tagged=ether1,ether5 untagged="" current-tagged="" current-untagged="" 
3   bridge=bridge-vlan vlan-ids=1 tagged="" untagged=ether1 current-tagged="" current-untagged=bridge-vlan

Now with this setup when I connect ether1 to my regular (PVID=1) network I cannot access RouterOS anymore. The only reason I see is that some VLAN configuration seems wrong but I don’t see the mistake in my config.

Any hint appreciated.

Thanks,
Wolfgang

sindy · April 22, 2018, 3:01pm

There is something rotten somewhere, ****

bridge=*A

in the list suggests that you have deleted from your configuration a bridge which previously existed and configuration of some member port still refers to it.

Other than that, is your IP address from vlan 1 (which you want to have tagless at ****

ether1

) attached to

bridge-vlan

as its carrying interface or to some other one?

I have no VLAN interfaces (I think they are not required anymore when vlan-filtering is used?)

You need interfaces of type ****

vlan

only if you want to run IP addresses in these VLANs. It has nothing to do with vlan-filtering. vlan-filtering only means that if you have multiple vlans on a single bridge as you do, you prevent frames with VLAN IDs unsupported on a given port from entering the bridge. Without vlan-filtering active, frames with any VLAN ID can enter the bridge.

Somehow there is always some weirdness when ****

pvid=1

is used, so maybe your trouble comes from there. If you don’t need VLAN ID 1 tagged anywhere, better use some other ID like 1111 for ether1’s pvid and create a

vlan

interface with

vlan-id=1111

on

bridge-vlan

, and attach the IP address to it.

woro · April 22, 2018, 5:41pm

Thanks for your feedback.
I think I’m getting closer but still my basic testcase is failing.
I cannot connect to the device when connected via the ether1 interface from regular (non-vlan) network. This is the very basic thing which obviously needs to work.
Other than that my configuration now looks like:

# apr/22/2018 19:37:03 by RouterOS 6.42
# software id = J2Q0-G8NA
#
# model = RouterBOARD D52G-5HacD2HnD-TC
/interface bridge
add admin-mac=CC:2D:E0:C2:CF:8A auto-mac=no comment=defconf name=bridge
add name=bridge-vlan vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge-vlan interface=wlan1
add bridge=bridge-vlan interface=wlan2
add bridge=bridge-vlan interface=ether1
add bridge=bridge-vlan interface=ether3
add bridge=bridge-vlan interface=ether4
add bridge=bridge-vlan interface=ether5
/interface bridge vlan
add bridge=bridge-vlan tagged=ether1,bridge-vlan untagged=ether5 vlan-ids=10

For simplicity I left out the handling of vlan11 now until vlan1 and vlan10 works correctly.

The device IP is 192.168.250.251 on bridge-vlan and 192.168.250.250 on bridge/ether2 for now until the vlan bridge works.
/ip address
add address=192.168.250.250/24 comment=defconf interface=bridge network=192.168.250.0
add address=192.168.250.251/24 interface=bridge-vlan network=192.168.250.0

EDIT: Actually do I need to change anything so I can connect via winbox, webfig or similar to the device? Just seen interface list entries for mac-winbox → bridge etc. But bridge and bridge-vlan are currently disconnected.

woro · April 22, 2018, 7:34pm

So I think I’m getting there. vlan10 and vlan11 testing still missing but vlan1 works finally.

One thing I noticed though:
Using winbox I can connect to the IP of the vlan bridge but the device does not show up under neighbors which seems a bit strange to me. Is that to be expected?

sindy · April 22, 2018, 7:49pm

I’m useless for Winbox related questions, I use it very rarely. But your two addresses from the same subnet attached to two interfaces in different VLANs are a voucher for trouble alone

woro · April 22, 2018, 8:01pm

Interesting. Actually I had indeed two IPs on the different bridges. But both bridges are supposed to work with VLAN1. So I didn’t expect a problem with that.
But then again removing one seems to have fixed my CAPSMAN connection issue but still not the issue that winbox does not detect the device still. I’m fine with using the IP but this smells like something is wrong still. I expect that bridge-vlan is still in the same network segment (for untagged traffic) so winbox should see it.

sindy · April 22, 2018, 8:14pm

Your

bridge

and

bridge-vlan

are totally isolated from each other at L2 unless you connect ether1 with ether2 using a cable. So the network stack at L3 has two gateways to that network, with the same priority (distance), so it can throw a coin to choose which one of them to use to send a packet. That’s not so much of an issue is the cable between ether1 and ether2 is there, but becomes a surprise generator when it is not.