After 6.41, master port changed to bridge, I find my vlan does not work as intended.
Some vlan-100 clients get vlan-1 IPs, some didn’t get any IP.
My network topology is as follows:
hEX config related with VLAN as follows:
This setting was working long ago, not sure if it’s not working because of 6.41 update.
VLAN-100 gets no traffic in /interface.
Where should I start to look?
I read some post that VLAN-1 doesn’t need to be set, we can use bridge as vlan-1 interface.
I tried this recommendation, wireless VLAN-100 clients still get VLAN-1 IPs.
First you need to upgrade your firmware, it's dated; use the latest LONG version of firmware for best results.
Then read this link which shows vlan1 does not need to be identified as it already exists by default.
No one creates and uses vlan1 as a traditional vlan.
I am using 6.48.1 (latest stable), do you mean downgrading to 6.47.9 (latest long-term)?
I have read that link, maybe I missed something, will read again.
If you are already at 6.48 you can leave it at that… I simply prefer the more stable long term versions.
You should post the entire config as it's all interrelated.
/export hide-sensitive file=anynameyouwish
(1) My advice, besides posting the complete config as noted above, is to remove this rule:
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
as it's very tricky to use properly and is only needed in special cases, whereas the normal firewall rules work for 99% of needs.
(2) Change VLAN1 for home to VLAN10
(3) Good idea to keep eth5 on a separate LAN subnet in case there are problems on the bridge and you get locked out.
(5) Bridgeport config cannot be commented on unless we know what is attached to each port (smart device - can read vlan tags) or dumb device.
(1) OK, I will change this
(2) I doubt it will work, because VLAN-100 doesn’t work. Besides, I have to figure out a proper procedure, in case I am locked out of AP or switch management interfaces. Do you have any suggestions?
(3) Because I was locked out several times.
(4) I will post the full config below, only masked some username/password/MAC address. vlan.rsc (23.9 KB)
(5) only two devices connected to hEX directly, eth1 connects to fiber modem, eth2 connects to CISCO Switch.
(1) Am I to assume that all three ports are going to ‘Smart Devices’ that can read vlan tags??
/interface bridge port
add bridge=bridge-home interface=ether2
add bridge=bridge-home interface=ether3
add bridge=bridge-home interface=ether4
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge-home tagged=ether2,bridge-home,ether3,ether4 vlan-ids=100
(2) Am I to assume that you have two networks/subnets travelling over ether2,3,4: VLAN100 and the home subnet?
/ip address
add address=192.168.11.1/24 comment="hotspot network" interface=vlan-guest network=192.168.11.0
add address=192.168.1.1/24 comment=home interface=bridge-home network=192.168.1.0
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
(3) The way you have setup ether5 to be separate from the bridge should allow you to access the router if the bridge setup kicks you out.
(4) I am not used to mixing vlans and non-vlans (my lack of confidence in doing so more than anything else),
I suspect your issues are self-caused in having a way too complicated for me to understand dhcp server setup coupled with add firewall rules to the bridge.
What I would do is ensure that a plain jane vanilla setup works and then add in dhcp stuff after…
The configuration you have posted as a file seems fine to me regarding VLANs. VLAN 100 is tagged on both the bridge and ether2 ports of the bridge, VLAN1 is not tagged on either of the two, and the DHCP servers are attached as appropriate, the one for VLAN 100 is attached to the /interface vlan and the one for VLAN 100 is attached directly to the bridge interface of the router.
What are your reasons to use use-ip-firewall-for-vlan=yes under /interface bridge settings? Can you change that to no and try again?
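The checks the replies above perform by eye (is the bridge itself a member of VLAN 100, is every listed member a real bridge port, are the bridge firewall switches on) can be scripted against an export. This is an added example, not part of the original thread and not MikroTik code; the function names are hypothetical, the sample input is constructed from the lines quoted above, and the membership findings assume VLAN filtering is enabled on the bridge.

```python
import re
import shlex

# Constructed sample: the bridge-related export lines quoted in the thread.
EXPORT = """\
/interface bridge port
add bridge=bridge-home interface=ether2
add bridge=bridge-home interface=ether3
add bridge=bridge-home interface=ether4
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge-home tagged=ether2,bridge-home,ether3,ether4 vlan-ids=100
"""

def parse_export(text):
    """Group the key=value pairs of add/set lines by their menu path."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-wrapped lines
    sections, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith(("add ", "set ")):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            sections.setdefault(menu, []).append(dict(pairs))
    return sections

def audit(text):
    """Return findings about VLAN membership and bridge firewall settings."""
    cfg, findings, ports = parse_export(text), [], {}
    for p in cfg.get("/interface bridge port", []):
        ports.setdefault(p["bridge"], set()).add(p["interface"])
    for v in cfg.get("/interface bridge vlan", []):
        bridge, vid = v["bridge"], v["vlan-ids"]
        tagged = set(filter(None, v.get("tagged", "").split(",")))
        untagged = set(filter(None, v.get("untagged", "").split(",")))
        if bridge not in tagged | untagged:
            findings.append(f"vlan {vid}: {bridge} itself is not a member, "
                            "so an /interface vlan on it receives no frames")
        for name in sorted((tagged | untagged) - ports.get(bridge, set()) - {bridge}):
            findings.append(f"vlan {vid}: {name} is not a port of {bridge}")
    for s in cfg.get("/interface bridge settings", []):
        for key in ("use-ip-firewall", "use-ip-firewall-for-vlan"):
            if s.get(key) == "yes":
                findings.append(f"{key}=yes: bridged traffic also passes the IP firewall")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(EXPORT)) or "no findings")
```

On the sample it reports only the use-ip-firewall-for-vlan setting, which matches the last reply's reading that the VLAN 100 tagging itself looks fine.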