Vlan Filtering

Hi,

I would like to configure rb4011 like this:

1. WAN port ether1: (vlan 1 untagged for pppoe or static IP, vlan 30 tagged (IPTV multicast)) - hybrid port with untagged vlan and tagged vlan 30
2. Bridge (need vlan1 untagged on all ports and vlan 30 only on selected ports)

So far I created this for WAN (ether1):
/interface vlan
add interface=ether1 name=IPTV vlan-id=30

for Bridge:

/interface bridge
add name=bridge-LAN vlan-filtering=yes

/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2
add bridge=bridge-LAN comment=defconf interface=ether3
add bridge=bridge-LAN comment=defconf interface=ether4
add bridge=bridge-LAN interface=IPTV pvid=30

/interface bridge vlan
add bridge=bridge-LAN tagged=IPTV,ether3 vlan-ids=30
add bridge=bridge-LAN untagged=ether2,ether3,ether4 vlan-ids=1

So I don't understand why this does not work.

But if I add interface IPTV to untagged on vlan 30, then it works.
/interface bridge vlan
add bridge=bridge-LAN tagged=ether3 untagged=IPTV vlan-ids=30

As I was reading the wiki page regarding vlan filtering, the IPTV interface should be tagged on bridge vlan?

Because it’s pretty much wrong.

Read through this fine tutorial.

That was gentle! :slight_smile:

Sorry guys :slight_smile: after 6h I still don't understand MikroTik vlan logic :slight_smile:
I still can't figure out how to enable vlan filtering with WAN as hybrid port (untagged and tagged vlan on ether1).

Can someone try to convert my old school config to the new way, single bridge vlan filtering, or some other solution for best performance on rb4011?

I would like to create network like this:
- for WAN I need one untagged and one tagged vlan (it can be vlan1 untagged (for pppoe or static ip) and vlan 30 tagged for IPTV)
- pass vlan untagged and tagged vlan30 to specific ports

My old way with 2 bridges:

/interface bridge
add name=bridge
add name=bridge-IPTV

/interface vlan
add interface=ether1 name=ether1-vlan30 vlan-id=30
add interface=ether3 name=ether3-vlan30 vlan-id=30
/interface list

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4

add bridge=bridge-IPTV interface=ether1-vlan30
add bridge=bridge-IPTV interface=ether3-vlan30

/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN

Can someone help? As far as I looked, rb4011 does not support switch vlan or hardware offloading on vlan filtering.
Can someone help with a best practice configuration for best performance and stability?

Donating beer after help :stuck_out_tongue:

Did you look at the tutorial?

One thing I will point out since I started with this problem as well. Stay away from VLAN 1. There are 4000 numbers to choose from. Do not use 1. It’s not a fun ride.

Hi.

Thanks all for the help. I think I finally understand some MT logic :slight_smile:

Last question :slight_smile:

link to picture: https://ibb.co/YhrHJ7P

Vlan-filtering automatically adds a dynamic interface on vlan1 untagged.

Should I change bridge PVID to 5 (my local LAN)?

It depends on how you access traffic on VLAN5 by the CPU, you can either do
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan-5 vlan-id=5
/ip address
add address=192.168.1.1/24 interface=vlan-5 network=192.168.1.0
or
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes pvid=5
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0

It is really down to preference. If the CPU requires access to multiple VLANs (e.g. a router serving several subnets on VLANs) I tend to use the first method; if only one VLAN (e.g. the management interface on an AP even if it is serving multiple SSIDs on differing VLANs) or adding VLANs to an existing setup I tend to use the second.

As you have noticed the PVID settings for /interface bridge and /interface bridge port entries are added automatically as dynamic untagged members under /interface bridge vlan so you can omit explicitly adding them - I can’t remember if this has always been the case since VLAN-aware bridges were introduced, or appeared in a later firmware version and the documentation hasn’t caught up.
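The dynamic PVID membership described above, modelled as an added example (not part of the original posts and not MikroTik code): a simplified Python model, an assumption of this example, that combines static /interface bridge vlan entries with PVID-derived untagged members and lists VLANs that exist only because of a PVID, such as the default VLAN 1. The function names and the port PVIDs of 5 are constructed for illustration.

```python
from collections import defaultdict


def effective_vlan_table(bridge, bridge_pvid, port_pvids, static_entries):
    """Merge static bridge VLAN entries with PVID-derived untagged members.

    static_entries: list of (vlan_id, tagged_ifaces, untagged_ifaces).
    Returns (table, conflicts); conflicts lists (iface, pvid) pairs where an
    interface is statically tagged in its own PVID VLAN. The model does not
    decide that case, it only reports it for review.
    """
    table = defaultdict(lambda: {"tagged": set(), "untagged": set(), "dynamic": set()})
    for vlan_id, tagged, untagged in static_entries:
        table[vlan_id]["tagged"] |= set(tagged)
        table[vlan_id]["untagged"] |= set(untagged)
    conflicts = []
    # The bridge (CPU port) and every bridge port join their PVID untagged.
    for iface, pvid in {**port_pvids, bridge: bridge_pvid}.items():
        row = table[pvid]
        if iface in row["tagged"]:
            conflicts.append((iface, pvid))
        elif iface not in row["untagged"]:
            row["untagged"].add(iface)
            row["dynamic"].add(iface)
    return dict(table), conflicts


def pvid_only_vlans(table):
    """VLAN IDs with no static configuration at all, present only via a PVID."""
    return sorted(v for v, row in table.items()
                  if not row["tagged"] and row["untagged"] == row["dynamic"])


# Constructed sample: three access ports with pvid=5 (hypothetical values).
PORTS = {"ether2": 5, "ether3": 5, "ether4": 5}
# Corresponds to: add bridge=bridge tagged=bridge vlan-ids=5
STATIC = [(5, ["bridge"], [])]


def demo():
    # First method: bridge left at the default pvid=1, CPU reaches VLAN 5 tagged.
    first, _ = effective_vlan_table("bridge", 1, PORTS, STATIC)
    # Mix of both methods: bridge pvid=5 while also statically tagged in VLAN 5.
    mixed, conflicts = effective_vlan_table("bridge", 5, PORTS, STATIC)
    return pvid_only_vlans(first), pvid_only_vlans(mixed), conflicts


if __name__ == "__main__":
    print(demo())
```
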

I have your first option:
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan-5 vlan-id=5
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=5
/ip address
add address=192.168.1.1/24 interface=vlan-5 network=192.168.1.0

vlan 1 (which I don't use) is dynamically added. Can I ignore this?

If I also add:
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes pvid=5

then vlan 1 is not dynamically added. Some hybrid of option 1 and option 2.

Should I ignore the dynamically added vlan1 or should I also set the bridge pvid to 5?