Vlan Tagging not working (/interface bridge vlan)

g3726480 · December 10, 2020, 1:59pm

Hi, as already mentioned [here]http://forum.mikrotik.com/t/vlan-port-tagging-hap-ac2-atheros-8327/141943/1] I have some trouble with my Atheros8327 (RB750GL).

Goal: Untagged VLAN on ether2.

Steps:
I configured
/interfaces/vlan,
/interfaces/bridge/ports and
/interfaces/bridge/vlans

While the same configuration runs fine on another router (cAP-AC). Here it somehow does not tag the interface, so the table is empty. Screenshot attached

Here is export (hide-sensitive compact):

[admin@MikroTik] > export hide-sensitive compact 
# jan/02/1970 02:42:44 by RouterOS 6.46.8
# software id = W8AP-5ETV
#
# model = 750GL
# serial number = 000REDACTED000
/interface bridge
add comment=MK-DG-01-Bridge name=bridge
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan100 vlan-id=100
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=100
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=vlan1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=vlan100 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge tagged=bridge,vlan100 untagged=ether2 vlan-ids=100
add bridge=bridge tagged=vlan1,bridge vlan-ids=1
/ip address
add address=10.20.30.40/24 interface=bridge network=10.20.30.0
/ip cloud
set update-time=no
/ip dns
set servers=10.20.30.240
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/system ntp client
set enabled=yes primary-ntp=10.20.30.1
/tool bandwidth-server
set enabled=no
[admin@MikroTik] >

Things I alredy tried:
Router Reset, Backup Restore
Router Reset, Manuel Config
VLAN via Switch/VLAN

VLAN Filtering on Bridge is currently not active, since it disconnects me from the router (even PVID1 seems not tagged).

mkx · December 10, 2020, 3:19pm

A few problems with your setup:

/interface bridge

without vlan-filtering enabled bridge doesn’t do anything about VLAN tags, so it doesn’t tag ingress packets on access ports

add comment=MK-DG-01-Bridge name=bridge > vlan-filtering=yes
/interface vlan

Try to use any other VLAN ID. VID 1 is used as default setting in awfully lots of places and if you don’t

fix it everywhere, the resulting behaviour can be slightly undeterministic

add interface=bridge name=vlan1 > vlan-id=1
add interface=bridge name=vlan100 vlan-id=100
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether2 pvid=100
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

vlan interface, anchored to bridge (as created in /interface vlan)

must never be member interface of own parent bridge, because

it would create a kind of a loop.

add bridge=bridge interface=vlan1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=vlan100 pvid=100
/interface bridge vlan

see comment above

add bridge=bridge tagged=bridge> ,vlan100 > untagged=ether2 vlan-ids=100
add bridge=bridge tagged=> vlan1,> bridge vlan-ids=1

Besides the errors in the config … no ethernet port is member of VLAN 1, neither tagged nor untagged. For trunk ports you still have to explicitly declare vlan membership.

erlinden · December 10, 2020, 3:32pm

VLAN1 is default vlan and therefor should not be used.
For more information on VLAN’s, please read this topic: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

g3726480 · December 10, 2020, 4:07pm

Okay, Solution was remove vlan1 as it now is dynamicly (default) added.
I thought this is needed, but it seems not necessary anymore.
Funny enough I have an older CAP where this config is working.

Thanks for your time!