VLAN over L2TP Bridging

gius64 · August 20, 2018, 11:32am

Hello,
I have an L2TP tunnel on a router which have traffic passing in VLAN 10.

I want to make an L2TP client on another router, and all traffic on ether4 port of that router should be tagged with VLAN 10 and pass the tunnel.

In the client router I’ve created this configuration:

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no fast-forward=no name=bridge_vlan protocol-mode=none
/ppp profile
add bridge=bridge_vlan name=bridge_profile
/interface bridge port
add bridge=bridge_vlan interface=vlan-10
add bridge=bridge_vlan interface=ether4
/interface vlan
add interface=bridge_vlan name=vlan-10 vlan-id=10
/interface l2tp-client
add connect-to=XXXXX disabled=no mrru=1600 name=l2tp-client password=XXXXX profile=bridge_profile user=XXXXXX

With this config I expected to have the ether4 port in access on VLAN10, but traffic on ether4 doesn’t get tagged to pass over the L2TP tunnel.

If I try to manually set in the device attached to ether4 port the VLAN10, it works great, but I have to make ether4 an access port, so it will be transparent to clients that they’re bridging over VLAN10.

How can I do it?
What I’m doing wrong?

I’m using RouterOS 6.42.5

Thank you

NathanA · August 20, 2018, 12:14pm

In the example config that you posted, you are making VLAN 10 both a slave to the bridge interface AND a member of the bridge interface. This makes no sense.

If ether4 needs to be an access port on VLAN 10, and VLAN 10 also exists on the other side of the L2TP BCP-bridge, then the problem isn’t with the config on your side. It is with the config on the other side. The other side needs to bridge VLAN 10 to the BCP bridge, and your side doesn’t even need to know about the VLAN (because no tags will be transmitted across the bridge).

However/alternatively, if you can’t change the other side, and you need to send the VLAN traffic tagged across the L2TP tunnel, then you need to create two bridges on your side:

Bridge VLAN 10 and ether4 in bridge1, and do not put the L2TP tunnel in that bridge. This will properly untag VLAN 10 traffic egressing from ether4, and tag VLAN 10 traffic ingressing to ether4.

Make VLAN 10 a slave to bridge2, but a member of bridge1 (as mentioned earlier), and then make the L2TP/BCP connection a member of bridge2. It will be the ONLY member of bridge2. This will ensure that VLAN 10 traffic going across the L2TP/BCP tunnel is always tagged.

That should do the trick. Here is an example:

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no fast-forward=no name=bridge1 protocol-mode=none
add admin-mac=XX:XX:XX:XX:XX:XY auto-mac=no fast-forward=no name=bridge2 protocol-mode=none
/ppp profile
add bridge=bridge2 name=bridge_profile
/interface bridge port
add bridge=bridge1 interface=vlan10
add bridge=bridge1 interface=ether4
/interface vlan
add interface=bridge2 name=vlan10 vlan-id=10
/interface l2tp-client
add connect-to=XXXXX disabled=no mrru=1600 name=l2tp-client password=XXXXX profile=bridge_profile user=XXXXXX

– Nathan

xvo · August 20, 2018, 1:13pm

However/alternatively, if you can’t change the other side, and you need to send the VLAN traffic tagged across the L2TP tunnel, then you need to create two bridges on your side:

Bridge VLAN 10 and ether4 in bridge1, and do not put the L2TP tunnel in that bridge. This will properly untag VLAN 10 traffic egressing from ether4, and tag VLAN 10 traffic ingressing to ether4.

Make VLAN 10 a slave to bridge2, but a member of bridge1 (as mentioned earlier), and then make the L2TP/BCP connection a member of bridge2. It will be the ONLY member of bridge2. This will ensure that VLAN 10 traffic going across the L2TP/BCP tunnel is always tagged.

That should do the trick. Here is an example:
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no fast-forward=no name=bridge1 protocol-mode=none
add admin-mac=XX:XX:XX:XX:XX:XY auto-mac=no fast-forward=no name=bridge2 protocol-mode=none
/ppp profile
add bridge=bridge2 name=bridge_profile
/interface bridge port
add bridge=bridge1 interface=vlan10
add bridge=bridge1 interface=ether4
/interface vlan
add interface=bridge2 name=vlan10 vlan-id=10
/interface l2tp-client
add connect-to=XXXXX disabled=no mrru=1600 name=l2tp-client password=XXXXX profile=bridge_profile user=XXXXXX
– Nathan

Mikrotik wiki states, that this workaround is the type of config better to be avoided, because of broken MAC learning functionality:
https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_on_a_bridge_in_a_bridge
And in my experience it really causing problems at least with STP.

gius64 · August 20, 2018, 1:43pm

NathanA, thank you very much for your help! Your solution works great: unfortunately I can’t change the other side because I need to have VLAN tagged on other devices over the tunnel.

xvo , I would like to use the correct configuration using bridge VLAN filter in RouterOS, but I can’t understand how to adapt the wiki example to my situation… Could you help me ?
I disabled STP as I don’t need it on this bridge and it works without any apparent issue.

xvo · August 20, 2018, 2:24pm

Does this simple example work in your case?
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.231_.28Trunk_and_Access_Ports.29

Your l2tp connection as a trunk (tagged) port for vlan-ids=10.
And your ether4 as untagged port for the same vlan-ids=10.

Well maybe there will be no visible issues since bridge2 has only one port in it.
Or some minor issues.
Or none at all.
For now.
But the fact that MAC learning is not passing from bridge2 further to ether4 can lead to potential problems in future config, that will be hard to diagnose.

gius64 · August 20, 2018, 5:26pm

It doesn’t let me to add the L2TP connection to the bridge port, it’s added dynamically when the connection is up and I can’t edit it.
Any idea of how to change its settings in bridge?

xvo · August 20, 2018, 7:33pm

Hmmm… the number of bridge options in ppp profile is quite limited.
So it seems that the “bad way” you already tried, can be the only way.