VLAN-Trunk not working [SOLVED - incorrect BPDU filtering on hAP ax lite HW offloaded trunk ports]

Hello,

currently I am using a hAP ax lite as my playground (meaning it is not a production device) for WifiWave2. However, while trying to play with this, I ran into another issue.

The Management VLAN 10 is available as Access Port on Ethernet port 4 which works fine. The same VLAN 10 shall also be available on Ethernet port 3 as a Trunk and this does not work (no network connection to or from this port; no Pings; no WinBox connection).

So far I searched for some hours and stupidly cannot find the problem :confused: . The configuration is - maybe - a little bit messed up or overcomplicated at the moment, because of the fact this MikroTik device is my playground. But I don’t want to reset it to the defaults and start over again, instead I would like to understand what the problem is. I assume it is a very small config detail I missed.

So why is VLAN 10 “MGMT” not working on my Ethernet port 3 “ETH3_DOWNSTREAM_TRUNK”?

Thanks a lot in advance,

Thomas

# jun/16/2023 23:11:45 by RouterOS 7.9.2
# model = L41G-2axD
# Reviewer notes: this is the poster's lab export, taken with
# "/export show-sensitive", so secrets appear in clear. The NOTE(review)
# comments below flag the settings that would matter on a production
# device; they do not change the configuration.
/interface bridge
# vlan-filtering=yes with ingress-filtering=no: the per-port frame-types
# below still limit what each port admits, but the bridge-wide check that
# a frame's VLAN is allowed on its ingress port is switched off.
# NOTE(review): the two are normally enabled together - confirm intended.
add ingress-filtering=no name=bridge_primary vlan-filtering=yes
/interface ethernet
# ETH1 is the upstream/WAN side: it runs the dhcp-client and is the
# masquerade out-interface further down. It is not a bridge port.
set [ find default-name=ether1 ] name=ETH1_UPSTREAM_TRUNK
set [ find default-name=ether2 ] name=ETH2
set [ find default-name=ether3 ] name=ETH3_DOWNSTREAM_TRUNK
set [ find default-name=ether4 ] name=ETH4_MGMT
/interface vlan
# L3 interfaces on the bridge. VLAN 99 gets an interface here but never
# appears in /interface bridge vlan or /interface list member; VLANs 21
# and 80 appear in the bridge VLAN table but have no interface here.
add interface=bridge_primary name=VLAN_2_LEGACY vlan-id=2
add interface=bridge_primary name=VLAN_10_MGMT vlan-id=10
add interface=bridge_primary name=VLAN_61_GUESTS vlan-id=61
add interface=bridge_primary name=VLAN_99_DUMMY vlan-id=99
/interface list
# Only mgmt_allowed_interfaces and all_downstream_interfaces_dns are
# referenced by the firewall rules below; all_downstream_interfaces_internet
# is populated but never used.
add comment="Router management allowed" name=mgmt_allowed_interfaces
add comment="All Downstream Interfaces with DNS Access" name=\
    all_downstream_interfaces_dns
add comment="All Downstream Interfaces with Internet Access" name=\
    all_downstream_interfaces_internet
/interface wifiwave2 channel
add band=2ghz-ax name=channel1 skip-dfs-channels=disabled
/interface wifiwave2 datapath
add bridge=bridge_primary disabled=no name=VLAN10 vlan-id=10
add bridge=bridge_primary disabled=no name=VLAN61 vlan-id=61
/interface wifiwave2 security
# One shared WPA2-PSK profile is used by both the management SSID and the
# guest SSID, so the same passphrase opens the management VLAN and the
# guest VLAN. The passphrase is in clear because of show-sensitive.
# NOTE(review): use separate security profiles per SSID outside the lab.
add authentication-types=wpa2-psk disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 name=Security passphrase=dummypassword
/interface wifiwave2 configuration
add channel=channel1 country=Germany datapath=VLAN10 disabled=no name=\
    cfg_MGMT security=Security ssid=M
add channel=channel1 country=Germany datapath=VLAN61 disabled=no name=\
    cfg_GUEST security=Security ssid=G
/ip pool
# Pools exist for VLAN 2 and VLAN 61 only; VLAN 10 (MGMT) has no pool and
# no DHCP server below, so hosts on it must be addressed statically.
add name=dhcp_pool_vlan_2_legacy ranges=10.0.0.1-10.0.0.199
add name=dhcp_pool_vlan_61_guests ranges=10.0.1.1-10.0.1.199
/ip dhcp-server
add address-pool=dhcp_pool_vlan_2_legacy interface=VLAN_2_LEGACY lease-time=\
    12h name=DHCP_VLAN_2_LEGACY
add address-pool=dhcp_pool_vlan_61_guests interface=VLAN_61_GUESTS \
    lease-time=6h name=DHCP_VLAN_61_GUESTS
/port
set 0 name=serial0
/interface bridge port
# ETH4: access port, untagged frames land in VLAN 10.
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH4_MGMT pvid=10
# ETH3: tagged-only trunk. Untagged frames are rejected by frame-types, so
# pvid=99 is never applied (RouterOS insists on some pvid value; the thread
# confirms that 1 or 99 makes no difference here).
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
    ETH3_DOWNSTREAM_TRUNK pvid=99
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery answers on every interface, including
# the upstream ETH1_UPSTREAM_TRUNK. Restrict it to a LAN/management list
# before this config leaves the lab.
set discover-interface-list=all
/interface bridge vlan
# VLAN 10 is tagged towards the CPU (bridge_primary) and ETH3, untagged on
# ETH4. VLANs 2/80/61/21 are tagged on ETH3 only; VLAN 99 is absent.
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    untagged=ETH4_MGMT vlan-ids=10
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=2
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=80
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=61
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=21
/interface list member
add interface=ETH4_MGMT list=mgmt_allowed_interfaces
add interface=VLAN_10_MGMT list=mgmt_allowed_interfaces
add interface=VLAN_2_LEGACY list=all_downstream_interfaces_dns
add interface=VLAN_10_MGMT list=all_downstream_interfaces_dns
add interface=VLAN_2_LEGACY list=all_downstream_interfaces_internet
add interface=VLAN_10_MGMT list=all_downstream_interfaces_internet
add interface=VLAN_61_GUESTS list=all_downstream_interfaces_dns
add interface=VLAN_61_GUESTS list=all_downstream_interfaces_internet
/interface wifiwave2 capsman
# CAPsMAN listens on bridge_primary with require-peer-certificate=no, i.e.
# connecting CAPs do not have to present a certificate.
# NOTE(review): acceptable in an isolated lab; require certificates on a
# real network.
set enabled=yes interfaces=bridge_primary package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg_MGMT \
    slave-configurations=cfg_GUEST supported-bands=2ghz-ax
/ip address
add address=10.0.2.254/24 interface=VLAN_10_MGMT network=10.0.2.0
add address=10.0.0.254/24 interface=VLAN_2_LEGACY network=10.0.0.0
add address=10.0.1.254/24 interface=VLAN_61_GUESTS network=10.0.1.0
/ip dhcp-client
add interface=ETH1_UPSTREAM_TRUNK
/ip dhcp-server network
# Clients are pointed at the router itself for DNS. No /ip dns section
# appears in this export, so the DNS server settings are at their defaults.
# NOTE(review): confirm allow-remote-requests is actually on, otherwise the
# DNS accept rules below admit queries the router never answers.
add address=10.0.0.0/24 dns-server=10.0.0.254 gateway=10.0.0.254
add address=10.0.1.0/24 dns-server=10.0.1.254 gateway=10.0.1.254
/ip firewall filter
# NOTE(review): neither chain=input nor chain=forward ends in a drop rule,
# and RouterOS accepts what no rule matched. Consequences visible here:
#  - on ETH1_UPSTREAM_TRUNK (the WAN side) nothing is filtered at all: the
#    jumps below only match mgmt_allowed_interfaces and no later rule drops
#    the rest, so Winbox/SSH/API/etc. are reachable from upstream;
#  - VLAN_61_GUESTS can forward into VLAN_10_MGMT and VLAN_2_LEGACY.
# The defconf "drop all not coming from LAN" and "drop all from WAN not
# DSTNATed" rules are missing.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# The two jumps only match in-interface-list=mgmt_allowed_interfaces;
# traffic from any other interface skips them and continues down the chain.
add action=jump chain=input comment="Management Access to Winbox" dst-port=\
    8291 in-interface-list=mgmt_allowed_interfaces jump-target=\
    input_management_Winbox protocol=tcp
# Jump target input_management_HTTP has no rules in this export, so this
# jump returns immediately and has no effect.
add action=jump chain=input comment="Management Access to Winbox" dst-port=80 \
    in-interface-list=mgmt_allowed_interfaces jump-target=\
    input_management_HTTP protocol=tcp
add action=accept chain=input_management_Winbox comment=\
    "Allow Winbox access from ETH4" disabled=yes in-interface=ETH4_MGMT
add action=accept chain=input_management_Winbox comment=\
    "Allow Winbox access from VLAN MGMT" in-interface=VLAN_10_MGMT
# Disabled, so a packet that matches neither accept above returns to
# chain=input instead of being dropped; the Winbox sub-chain therefore
# never denies anything.
add action=drop chain=input_management_Winbox comment=\
    "Drop all other acces to Winbox" disabled=yes
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    connection-state=new dst-port=53 in-interface-list=\
    all_downstream_interfaces_dns protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=\
    all_downstream_interfaces_dns protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# TEST rules: accept everything from VLAN_10_MGMT on both chains. Since
# nothing above drops VLAN_10_MGMT traffic except invalid-state packets,
# both accepts are effectively redundant.
add action=accept chain=forward comment=TEST in-interface=VLAN_10_MGMT
add action=accept chain=input comment=TEST in-interface=VLAN_10_MGMT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ETH1_UPSTREAM_TRUNK
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=de.pool.ntp.org
/tool romon
# NOTE(review): RoMON is enabled and no secrets or port restrictions appear
# in this export (defaults apply), so it is reachable on every port,
# including the upstream one. Set a secret and limit the ports before
# using this configuration anywhere real.
set enabled=yes

what is connected to ether3? Is it vlan aware?

add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged
interface=ETH4_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=
ETH3_DOWNSTREAM_TRUNK pvid=99

Shot in the dark, but is ETH3_DOWNSTREAM_TRUNK pvid=99 causing the problem? The way I’m interpreting OP - if eth4 is picking up the vlan10 off the “access” configured port, you would need to have vlan10 as the native vlan on the trunk. Otherwise you would need to be tagging it from the other end.

@Buckeye: Am I anywhere close on this?

EDIT: spelling

The following looks suspect to me: ETH4_MGMT is part of the bridge, and should be getting access via VLAN_10_MGMT,
/interface list member
add interface=ETH4_MGMT list=mgmt_allowed_interfaces
add interface=VLAN_10_MGMT list=mgmt_allowed_interfaces

It is hard to follow your firewall rules, I would try moving the
add action=accept chain=input comment=TEST in-interface=VLAN_10_MGMT
rule up to see if it is never being reached where it is at the bottom, at least to see if it changes the behaviour. If it does, then you can fine tune to go where you want with respect to the other input rules.

What does this do? That is not a chain I am familiar with. I see the rule is disabled, but if it was just testing and didn’t work as you thought it would, you should delete it.
add action=accept chain=input_management_Winbox comment=
“Allow Winbox access from ETH4” disabled=yes in-interface=ETH4_MGMT

If you are using VLAN-99 as the “dummy” native vlan on the trunk/uplink, then the device on the other end needs to be aware of VLAN-99 - and configured as a trunk w/ native VLAN-99.

I can only assume he has a vlan aware switch connected to ether3. And the pvid shouldn’t make any difference given
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=
ETH3_DOWNSTREAM_TRUNK pvid=99
Also, given the name he gave to the vlan interface associated with vlan 99
/interface vlan
add interface=bridge_primary name=VLAN_99_DUMMY vlan-id=99

I will assume it is not used, but I wouldn’t have even created a vlan interface for 99 if he didn’t plan on using it. You don’t need a vlan interface to be able to use a vlan at layer 2 only. The vlan interface only needs to exist to allow adding an IP address and for the “routing engine” to be able to see it.

vlan 99 isn’t “configured” between the CPU and the Switch “entity” of the bridge. (/interface bridge vlan doesn’t mention 99)

It is possible to configure one port with vlan 10 tagged and another port with vlan 10 untagged. That already happens for most vlans between the CPU and the switch ASIC (only the bridge’s pvid is untagged, and pvid is 1 by default). All other vlans are tagged from the CPU side (and need a vlan interface “shim” to tag/untag the vlans for sending to ASIC/receiving from ASIC). But having eth4 with vlan 10 untagged and eth3 with all used vlans tagged (including vlan 10) and specifying a pvid that is ignored is not a problem. This would be similar to configuring an ER-X like:

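    /* ER-X equivalent of the MikroTik bridge-VLAN setup: eth3 is a trunk carrying VLANs 2/10/21/61/80 tagged (untagged frames go to pvid 99), eth4 is an untagged VLAN 10 access port, and each vif N holds the L3 address of VLAN N. Stray closing braces from the original paste were removed so the block is balanced. */
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth3 {
                vlan {
                    pvid 99
                    vid 2
                    vid 10
                    vid 21
                    vid 61
                    vid 80
                }
            }
            interface eth4 {
                vlan {
                    pvid 10
                }
            }
            vlan-aware enable
        }
        vif 2 {
            address 10.0.0.254/24
            description "VLAN_2_LEGACY"
            mtu 1500
        }
        vif 10 {
            address 10.0.2.254/24
            description VLAN_10_MGMT
            mtu 1500
        }
        vif 21 {
            description VLAN21
            ip {
            }
            mtu 1500
        }
        vif 61 {
            address 10.0.1.254/24
            description "VLAN_61_GUESTS"
            mtu 1500
        }
    }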
}

Overall an incomplete and confused config.

You have no pool for two of your VLANs including vlan10
You are also missing IP DHCP-Server for two your VLANs including vlan10.

Besides that…
Basic misunderstanding on your part… or one could say you are conflicted
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=
ETH3_DOWNSTREAM_TRUNK pvid=99

(1) If it’s a trunk port then you DON’T ADD a PVID — note, though, that RouterOS always stores a pvid on a bridge port (it defaults to 1 if you leave it out); with frame-types=admit-only-vlan-tagged untagged frames are rejected anyway, so the value is never applied.
(2) If its a hybrid port then you dont limit frame types ( assuming untagged for 99, tagged for 10 )

++++++++++++++++++++++++++++

(3) Based on then looking at what you have for interface vlan settings…
VLAN 99 has nothing to do with ether3, thus you need to get rid of PVID=99

+++++++++++++++++++++++++++++

Other Weirdness.

(4) You have two VLANs in your interface bridge vlan settings you failed to identify.
VLAN 21 and VLAN 80 ???

(5) You fail to identify the use of VLAN 99 anywhere…

(6) If ether 3 is truly a trunk port then you could simplify the three rules to.
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK
vlan-ids=2,21,80

(7) Fail to mention vlan99 in interface members list…

What you are requesting is similar to the “find the mistake in this picture” type puzzle.

To troubleshoot, simplify the config and verify the the simple case works with vlans, then start adding complexity.

If you make a backup and an export then you should be able to reset and create a simple config with only the parts needed, just to verify that you can get the vlan part working. I still think the most likely problem in your config is the firewall. It’s easy to find how to backup if you don’t know how, just google backup and restore on mikrotik

On the subject of backups, you should be doing backups frequently when learning, because it is easy to make changes that can make the router inaccessible, and it is much easier to restore a backup than to re-enter manually. And a backup and export are very different. Backup is complete but unreadable by a human. Export is incomplete but readable.

@Buckeye: I get you with the ER-X example. Appreciate the feedback.

I tried to simply remove the PVID, but without a PVID the error message “Error in PVID - decimal number in range [1;4094] expected!” appears.
So, if RouterOS wants to have a PVID here (even that “Frame Types” is set to “admit only VLAN tagged”, shouldn’t it be irrelevant whether to use the default 1 or my 99?

@All persons that tried to support me: As I wrote at the beginning, this setup is my playground, therefore, I have some VLANs and other configuration parts there which are not used at the moment.

:Probably because your config is incomplete. Stop effing around do the config properly or stop bothering us with playground crap.

I don’t think you are telling us the whole story. Copy and paste exactly what you typed, and error message as it appeared.

if you entered pvid without specifying a numeric pvid that would generate an error, if you just omitted the pvid=99, then it would have used the default pvid=1.

Why are you getting rude? I am not effing around and if something bothers you, then simply ignore the thread, but as I wrote at the very beginning this is a playground setup for learning purposes and not all configurations have to be for production purposes. You cannot really understand something if you only do perfect example configurations, you also have to understand what exactly is going on if something is not working. But don’t start to blame me here! The only mistake I have - maybe - made is to post into the “General” forum instead of “Beginners”.

And again, I would like to understand what exactly is going wrong. If I have some unused VLANs in my config or if I have VLANs without a DHCP server, this should not mess up the other VLAN 10. So, either playing around messed up something in RouterOS (then it could be a bug) or there is a configuration issue with my VLAN 10 in the configuration I posted which was not found here so far (and as already mentioned a not configured DHCP server on another VLAN or an unused VLAN or similar stuff should not prevent the simple forwarding of my VLAN 10 on a Trunk).

The configuration I posted is the complete configuration I got via “/export show-sensitive file=myconfig.cfg” (show-sensitive because it’s only a playground setup — note that this option writes passphrases and other secrets in clear, as the wifi passphrase in the export above shows, so it should only be used for throwaway lab configs).

I tried to clear the PVID not from the console, but from the graphical part in WinBox as you can see in the screenshot attached. But again for my understanding: You said it will use the default PVID=1 in case nothing is configured via console, but what is the difference between the default PVID=1 and my PVID=99 if the Frame Type is set to “admit only VLAN tagged”? In both cases it should simply be a number that is not used, right? (Just for my understanding)
WinBox_PVID.jpg

I agree that having vlan 99 should not cause a problem. That’s one of the things I said in this post.

I also said I think the most likely cause of your problem is in the firewall. Or that whatever is connected to ether3 is not expecting tagged frames.

But you haven’t provided that information (what is connected to ether3).

I have no problem with you trying things in a sandbox lab environment to try things out and learn. That’s the best way to verify that things really work as you think they do.

But I do think you should save a backup and export and then create the simplest case where you can cause it to fail.

The title of your thread is “VLAN-Trunk not working”, and I am only questioning your assumption that the problem is the trunk. It may be, but until you show us how things are connected, and the configuration of the device connected to ether3, how can we make any educated guesses as to why it isn’t working?

If you are convinced it is the vlan trunk that is the problem, then create another vlan 10 access port and verify that it works. Or better, change the ether3 interface so it has pvid=10 and frame-types=admit-all in /interface bridge port, and then change the bridge vlan table as follows:

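# Diagnostic variant proposed in the thread: ETH3 becomes a hybrid port with
# VLAN 10 untagged (pvid=10, frame-types=admit-all) while 2/21/61/80 stay
# tagged, so a plain (non-VLAN-aware) PC on ether3 can be used to test.
# Caveat: admit-all puts every untagged frame from the peer into the
# management VLAN - use this only for the test, not as the trunk's final
# state. Line continuations (\) restored so the block pastes into a terminal.
/interface bridge port
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH4_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-all interface=\
    ETH3_DOWNSTREAM_TRUNK pvid=10
/interface bridge vlan
add bridge=bridge_primary tagged=bridge_primary \
    untagged=ETH3_DOWNSTREAM_TRUNK,ETH4_MGMT vlan-ids=10
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=2
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=80
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=61
add bridge=bridge_primary tagged=bridge_primary,ETH3_DOWNSTREAM_TRUNK \
    vlan-ids=21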

At this point the only things changed are that vlan 10 is now untagged on ether3 instead of being tagged. The other vlans are still tagged. In MikroTik terminology you have configured a hybrid port on ether3. If you connect a PC to ether4, you should have access to vlan 10 (nothing changed there, and you claimed it was working). Verify that still works. Then move the cable from ether4 to ether3 on the hAP ax lite. Does the PC still have access to vlan 10? If so, the problem is in the device that was originally connected to ether3, it isn’t expecting tagged traffic. If it does not work from ether4 then there is an issue with the firewall. At least that is my best guess, given the provided info.
Then disconnect what is currently connected to ether3 and move the conn

While trying to locate the problem, I started to clean-up the config and also created a minimal setup showing the issue.

Mikrotik_Diagram.jpg
My hAP ax lite and hAP ax² are directly connected (no switch in between; hAP ax lite Ether 3 ↔ hAP ax² Ether 3) via the green connection. This is the connection via the VLAN 10 Trunk that makes problems.

The pink connection is between hAP ax lite Ether 4 (VLAN 10 Access Port) and my computer and is used for the WinBox connection (working without problems).

The orange connection is between hAP ax² Ether 2 and my computer and is used for the WinBox connection (working without problems). This connection has nothing to do with the VLAN 10, I simply added this Ethernet port to my setup to have an independent interface to WinBox.

The problem is that both devices cannot ping each other via the Trunk.
However, if I remove the green connection and try to connect my PC via one of the gray connections directly to one of the Trunk ports on the hAP ax lite or hAP ax² the communication works and I can ping the respective device (the interface on my PC is set to be VLAN 10 aware in this case). For my understanding this means, that the Trunk on both devices should basically work.

But if I connect the device again with each other via the green connection, they cannot ping each other. In my latest setup, the firewall should accept all traffic (see the config exports below).

I also recognized some strange behavior on the green connection between both MikroTik devices. Whenever a ping in the Terminal is running and I disconnect the green connection and reconnect it again, 4-5 pings over the Trunk are successful. You can see this in the following screenshot. The green box shows the successful pings, the red arrow shows roughly the point in time when I disconnected and reconnected the green connection.

MikroTik_Pings.jpg
And here are my cleaned-up configurations of the two devices, extracted via /export file=myconfig.cfg

Configuration of hAP ax lite

# jun/18/2023 00:48:57 by RouterOS 7.9.2
# model = L41G-2axD
# Reviewer notes: minimal reproduction on the hAP ax lite. Only VLAN 10 is
# configured; ETH3 is a tagged-only trunk to the hAP ax2, ETH4 is the VLAN 10
# access port for the PC. The firewall is deliberately "allow all" for the
# test - do not reuse those two rules anywhere else.

/interface bridge
# No protocol-mode is set, so the bridge runs with its default STP setting.
# The thread's resolution (see title) points at BPDU handling on the
# HW-offloaded trunk port, which fits the "a few pings after re-plugging,
# then silence" symptom described below.
add ingress-filtering=no name=bridge_primary vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ETH1
set [ find default-name=ether2 ] disabled=yes name=ETH2
set [ find default-name=ether3 ] comment="Connected to the hAP ax2." name=\
    ETH3_TRUNK
set [ find default-name=ether4 ] comment=\
    "My PC is connected via WinBox here." name=ETH4_MGMT
/interface vlan
add interface=bridge_primary name=VLAN_10_MGMT vlan-id=10
/port
set 0 name=serial0
/interface bridge port
# ETH4: untagged = VLAN 10. ETH3: tagged frames only, so pvid=99 is never
# applied (VLAN 99 does not exist anywhere else in this config).
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH4_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
    ETH3_TRUNK pvid=99
/ip neighbor discovery-settings
# Discovery on every interface; harmless in this isolated lab, restrict it
# on a real network.
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
# VLAN 10: tagged to the CPU (bridge_primary) and to the trunk, untagged on
# ETH4. This matches the VLAN 10 entry on the hAP ax2 side.
add bridge=bridge_primary tagged=bridge_primary,ETH3_TRUNK untagged=ETH4_MGMT \
    vlan-ids=10
/interface wifiwave2 capsman
# No enabled=yes appears, so CAPsMAN is at its default here; these are
# leftover settings from the earlier config.
set package-path="" require-peer-certificate=no upgrade-policy=none
/ip address
add address=10.0.2.254/24 interface=VLAN_10_MGMT network=10.0.2.0
/ip firewall filter
# Test-only: accept everything on input and forward. Every service on the
# router is reachable from every interface while these rules are in place.
add action=accept chain=forward comment="ALLOW ALL"
add action=accept chain=input comment="ALLOW ALL"
/system note
set show-at-login=no

Configuration of hAP ax²

# jun/13/2023 03:36:13 by RouterOS 7.9.2
# model = C52iG-5HaxD2HaxD
# Reviewer notes: minimal reproduction on the hAP ax2, the peer of the hAP ax
# lite on ETH3_TRUNK. ETH2 is a routed (non-bridge) port used only for the
# PC's second adapter. The firewall is deliberately "allow all" for the test.

/interface bridge
# No protocol-mode is set, so the bridge runs with its default STP setting.
add ingress-filtering=no name=bridge_primary vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ETH1
set [ find default-name=ether2 ] comment=\
    "My PC is connected via WinBox here." name=ETH2
set [ find default-name=ether3 ] comment="Connected to the hAP ax lite" name=\
    ETH3_TRUNK
set [ find default-name=ether4 ] disabled=yes name=ETH4
set [ find default-name=ether5 ] name=ETH5_MGMT
/interface vlan
add interface=bridge_primary name=VLAN_10_MGMT vlan-id=10
/port
set 0 name=serial0
/interface bridge port
# ETH5: untagged = VLAN 10 (nothing is plugged in during the test).
# ETH3: tagged frames only, so pvid=99 is never applied; the port settings
# mirror the hAP ax lite side.
add bridge=bridge_primary frame-types=admit-only-untagged-and-priority-tagged \
    interface=ETH5_MGMT pvid=10
add bridge=bridge_primary frame-types=admit-only-vlan-tagged interface=\
    ETH3_TRUNK pvid=99
/ip neighbor discovery-settings
# Discovery on every interface; harmless in this isolated lab, restrict it
# on a real network.
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/interface bridge vlan
# ETH4 is listed as tagged here but is disabled and is not a bridge port
# above - a stale reference, harmless but worth removing.
add bridge=bridge_primary tagged=bridge_primary,ETH3_TRUNK,ETH4 untagged=\
    ETH5_MGMT vlan-ids=10
/ip address
add address=10.0.2.253/24 interface=VLAN_10_MGMT network=10.0.2.0
# Out-of-band management path for the PC, independent of the VLAN 10 trunk.
add address=10.0.3.253/24 interface=ETH2 network=10.0.3.0
/ip firewall filter
# Test-only: accept everything on input and forward. Every service on the
# router is reachable from every interface while these rules are in place.
add action=accept chain=forward comment="ALLOW ALL"
add action=accept chain=input comment="ALLOW ALL"
/system note
set show-at-login=no

Any ideas what could cause the problem?

Thanks,

Thomas

Just to understand the network.
Which Router is connected to the internet aka a modem and gets a public IP?
The secondary device, not connected to internet, is it acting as an access point/switch or a full router with double NAT?

Also why do you need two connections to your PC?? Assuming 2 nic cards. What is the purpose/use case?

As it is a test/playground setup, no device is connected to the Internet, both devices are used only locally.
The reason for the setup is to play around, better understanding RouterOS, and playing around especially with WifiWave2 and CAPsMAN, later.

The two connections to my PC are just because forwarding of my MGMT VLAN via the Trunk does not work, yet. Later the second device will be accessed via the first one (I know, RoMON could be another option).

Well when you decide the function of the devices I can help, otherwise just swimming in circles with no purpose.
My advice is to forget capsman if you dont have that many APs.

@thn80 thanks, that is a much easier config to deal with. What things if any were removed (i.e. not shown in the configs posted, if anything was sanitized out)? You are not setting mac addresses on any of the interfaces are you?

How many interfaces does your PC have? If multiple adapters, are they different physical adapters or virtual adapters on a VM? Are the pink and orange connected simultaneously? Just trying to eliminate a potential loop if there is a switch involved that isn’t shown in the diagram.

Which device did you run the ping on that produced the output you displayed? I will assume it was from the hap ax lite (10.0.2.254)

Can you post output of the following from both the hap ax lite and hap ax2? /ip address print, /ip route print, /interface/print detail, /ip/arp/print, /interface/bridge/host/print and /ip/neighbor/print detail Added as code block to make it easier to copy/paste into winbox terminal.

/ip address print
/ip route print
/interface/print detail
/ip/arp/print
/interface/bridge/host/print
/ip/neighbor/print detail



When you had you the PC set for tagged vlan 10, could you ping the PC from the hap as well as pinging the hap from the PC?

It is odd that it works for a short time after it is plugged in. If there are no loops then rstp shouldn’t be responsible for the pings stopping. It’s almost as if the bridge thinks the other mac address is on a different port than it is (i.e. a duplicate mac, but I would expect an error message if that was the case). For example, your PC isn’t using the same mac as one of the hap devices is it? I am trying to think of a possible explanation, but this one seems pretty unlikely.

And extra weird that when you set your PC adapter to be tagged vlan 10, that you get ping responses from the devices, but not from the “other” hap.

If you torch or sniff do you see traffic?

I posted the complete export (I only removed the comment lines in the header containing the serial number, as I was not sure whether that is confidential).
I have not set any MAC address.

There are three 3 network connections at the moment:

  • The interface to my home network/Internet (network 192.168.10.218/24).
  • An exclusive USB-Ethernet adapter for the pink connection (10.0.2.10/24).
  • An exclusive USB-Ethernet adapter for the orange connection (10.0.3.10/24).


They are connected simultaneously, each of them to its exclusive USB-Ethernet-Adapter on my PC.
The PC is a Win10 machine with no routing features on it.
The problem also occurred without the orange connection; I just added the orange connection to be able to access the second MikroTik device without issues.

Correct, the ping was done from the hAP ax lite (10.0.2.254), but I have seen the same problem also in the other direction and checked it again right now.

Here is the output from hap ax lite:

[thomas@MikroTik] > /ip address print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS        NETWORK   INTERFACE   
0 10.0.2.254/24  10.0.2.0  VLAN_10_MGMT

[thomas@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS  GATEWAY       DISTANCE
DAc 10.0.2.0/24  VLAN_10_MGMT         0

[thomas@MikroTik] > /interface/print detail
Flags: D - dynamic; X - disabled, R - running; S - slave; P - passthrough 
 0  X   name="ETH1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 
        max-l2mtu=2026 mac-address=48:A9:8A:7C:26:1D ifname="eth0" ifindex=9 id=2 link-downs=0 

 1  X   name="ETH2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 
        max-l2mtu=2026 mac-address=48:A9:8A:7C:26:1E ifname="eth1" ifindex=10 id=3 link-downs=0 

 2  RS  ;;; Connected to the hAP ax2.
        name="ETH3_TRUNK" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 
        max-l2mtu=2026 mac-address=48:A9:8A:7C:26:1F ifname="eth2" ifindex=11 id=4 
        last-link-down-time=jun/18/2023 05:56:20 last-link-up-time=jun/18/2023 05:56:23 link-downs=1 

 3  RS  ;;; My PC is connected via WinBox here.
        name="ETH4_MGMT" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 
        max-l2mtu=2026 mac-address=48:A9:8A:7C:26:20 ifname="eth3" ifindex=12 id=5 
        last-link-up-time=jun/18/2023 05:38:31 link-downs=0 

 4  R   name="VLAN_10_MGMT" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1592 
        mac-address=48:A9:8A:7C:26:1F ifname="vlan8" ifindex=5 id=8 
        last-link-up-time=jun/18/2023 05:38:22 link-downs=0 

 5  R   name="bridge_primary" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1596 
        mac-address=48:A9:8A:7C:26:1F ifname="br0" ifindex=4 id=6 
        last-link-up-time=jun/18/2023 05:38:22 link-downs=0 

 6  X   name="wifi1" default-name="wifi1" type="wifi" mac-address=48:A9:8A:7C:26:21 id=1 link-downs=0 

[thomas@MikroTik] > /ip/arp/print
Flags: D, P - PUBLISHED; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
#    ADDRESS     MAC-ADDRESS        INTERFACE   
0 DC 10.0.2.10   A0:CE:C8:87:84:15  VLAN_10_MGMT
1 D  10.0.2.253  48:A9:8A:6E:7D:7D  VLAN_10_MGMT

[thomas@MikroTik] > /interface/bridge/host/print
Flags: D - DYNAMIC; L - LOCAL; E - EXTERNAL
Columns: MAC-ADDRESS, VID, ON-INTERFACE, BRIDGE
#     MAC-ADDRESS        VID  ON-INTERFACE    BRIDGE        
0 DL  48:A9:8A:7C:26:1F       bridge_primary  bridge_primary
1 DL  48:A9:8A:7C:26:20       ETH4_MGMT       bridge_primary
2 D E 48:A9:8A:6E:7D:7D    1  ETH3_TRUNK      bridge_primary
3 DL  48:A9:8A:7C:26:1F    1  bridge_primary  bridge_primary
4 D E 48:A9:8A:6E:7D:7D   10  ETH3_TRUNK      bridge_primary
5 DL  48:A9:8A:7C:26:1F   10  bridge_primary  bridge_primary
6 DL  48:A9:8A:7C:26:20   10  ETH4_MGMT       bridge_primary
7 D E A0:CE:C8:87:84:15   10  ETH4_MGMT       bridge_primary

[thomas@MikroTik] > /ip/neighbor/print detail
 0 interface=ETH4_MGMT,bridge_primary mac-address=A0:CE:C8:87:84:15 identity="" platform="" version="" 
   unpack=none age=7m14s system-caps=repeater system-caps-enabled=telephone,station-only 
   discovered-by=lldp

Here is the output from hap ax2:

[thomas@MikroTik] > /ip address print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS        NETWORK   INTERFACE   
0 10.0.2.253/24  10.0.2.0  VLAN_10_MGMT
1 10.0.3.253/24  10.0.3.0  ETH2        

[thomas@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS  GATEWAY       DISTANCE
DAc 10.0.2.0/24  VLAN_10_MGMT         0
DAc 10.0.3.0/24  ETH2                 0

[thomas@MikroTik] > /interface/print detail
Flags: D - dynamic; X - disabled, R - running; S - slave; P - passthrough 
 0  X   name="ETH1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1568 
        max-l2mtu=9214 mac-address=48:A9:8A:6E:7D:7B ifname="eth0" ifindex=7 id=1 link-downs=0 

 1  R   ;;; My PC is connected via WinBox here.
        name="ETH2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1568 
        max-l2mtu=9214 mac-address=48:A9:8A:6E:7D:7C ifname="eth1" ifindex=8 id=2 
        last-link-up-time=jun/13/2023 08:26:17 link-downs=0 

 2  RS  ;;; Connected to the hAP ax lite
        name="ETH3_TRUNK" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1568 
        max-l2mtu=9214 mac-address=48:A9:8A:6E:7D:7D ifname="eth2" ifindex=9 id=3 
        last-link-down-time=jun/13/2023 08:44:16 last-link-up-time=jun/13/2023 08:44:17 link-downs=2 

 3  X   name="ETH4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1568 
        max-l2mtu=9214 mac-address=48:A9:8A:6E:7D:7E ifname="eth3" ifindex=10 id=4 link-downs=0 

 4   S  name="ETH5_MGMT" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1568 
        max-l2mtu=9214 mac-address=48:A9:8A:6E:7D:7F ifname="eth4" ifindex=11 id=5 link-downs=0 

 5  R   name="VLAN_10_MGMT" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1564 
        mac-address=48:A9:8A:6E:7D:7D ifname="vlan11" ifindex=5 id=11 
        last-link-up-time=jun/13/2023 08:26:08 link-downs=0 

 6  R   name="bridge_primary" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1568 
        mac-address=48:A9:8A:6E:7D:7D ifname="br0" ifindex=4 id=9 
        last-link-up-time=jun/13/2023 08:26:08 link-downs=0 

 7  X   name="wifi1" default-name="wifi1" type="wifi" mac-address=48:A9:8A:6E:7D:80 id=6 link-downs=0 

 8  X   name="wifi2" default-name="wifi2" type="wifi" mac-address=48:A9:8A:6E:7D:81 id=7 link-downs=0 

[thomas@MikroTik] > /ip/arp/print
Flags: D, P - PUBLISHED; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
#    ADDRESS     MAC-ADDRESS        INTERFACE   
0 DC 10.0.3.10   A0:CE:C8:89:6A:58  ETH2        
1 DC 10.0.2.254  48:A9:8A:7C:26:1F  VLAN_10_MGMT

[thomas@MikroTik] > /interface/bridge/host/print
Flags: D - DYNAMIC; L - LOCAL
Columns: MAC-ADDRESS, VID, ON-INTERFACE, BRIDGE
#    MAC-ADDRESS        VID  ON-INTERFACE    BRIDGE        
0 DL 48:A9:8A:6E:7D:7D       bridge_primary  bridge_primary
1 DL 48:A9:8A:6E:7D:7D    1  bridge_primary  bridge_primary
2 DL 48:A9:8A:6E:7D:7D   10  bridge_primary  bridge_primary
3 D  A0:CE:C8:87:84:15   10  ETH3_TRUNK      bridge_primary

[thomas@MikroTik] > /ip/neighbor/print detail
 0 interface=ETH3_TRUNK,bridge_primary mac-address=48:A9:8A:7C:26:1F identity="MikroTik" platform="" 
   version="" unpack=none age=40s interface-name="bridge_primary/ETH3_TRUNK" 
   system-description="MikroTik RouterOS 7.9.2 (stable) May/30/2023 13:49:00 L41G-2axD" 
   system-caps=bridge,router system-caps-enabled=bridge,router discovered-by=lldp



Tested all combinations:

  • The PC (10.0.2.10) can ping the hap ax lite (10.0.2.254).
  • The PC (10.0.3.10) can ping the hap ax2 (10.0.3.253).
  • The hap ax lite (10.0.2.254) can ping the PC (10.0.2.10).
  • The hap ax2 (10.0.3.253) can ping the PC (10.0.3.10).


hap ax lite
ETH3: 48:A9:8A:7C:26:1F
ETH4: 48:A9:8A:7C:26:20

hap ax2
ETH2: 48:A9:8A:6E:7D:7C
ETH3: 48:A9:8A:6E:7D:7D
ETH5: 48:A9:8A:6E:7D:7F

PC
Pink: A0-CE-C8-87-84-15
Orange: A0-CE-C8-89-6A-58

hap ax lite
MT_hap_ax2_Torch.jpg
MT_hap_ax_lite_Sniffer.jpg
hap ax2
MT_hap_ax_lite_Torch.jpg
MT_hap_ax2_Sniffer.jpg
The hap ax2 seems to see some traffic from my PC (10.0.2.10), but does not react on pings via the trunk from 10.0.2.10 to 10.0.2.253.

The behavior of the hap ax lite looks a bit strange to me. The sniffer shows only TX packets on the hap ax lite.
My gut feeling tells me that there is no connection between the hap ax lite Switch and its CPU. However, when removing the green Trunk connection and connecting my pink cable to the ETH3_TRUNK and changing the USB-Ethernet-Adapter on my Windows PC to VLAN 10 I get the following on the hap ax lite:
MT_hap_ax_lite_VLAN_PC.jpg
In this case the hap ax lite seems to communicate normal :confused: :confused: :confused: