I have a few MikroTik switches and a router, and I would like to trunk a couple of VLANs from my router out to other switches. The VLANs are configured and working as expected on my router, wall (RB4011iGS+), RouterOS 7. However, when I attempt to trunk the VLANs to my main switch, CRS328-24P-4S+, traffic on that switch that is tagged for my VLANs is ending up on the untagged VLAN of the switch.
My plan was to leave pvid/vlan 1 as untagged on all interfaces for both devices.
VLAN 10 and VLAN 20 are the tagged ones that I need to pass over the connection tagged between the switch and router.
Attached are configs for the router (wall) & switch (tengswitch).
How can I stop tagged VLAN traffic from the switch leaking to the untagged VLAN on the router?
Is it possible to use a “hybrid port” with both untagged traffic and tagged traffic to trunk the VLANs between switches?
In your context, if all of the ports are the bridge subnet, then they would be access ports (priority and untagged) to dumb devices.
I don't see the trunk port to the next smart switch??? It should be VLAN tagged only.
Classic error: once you go VLANs, DON'T mix bridge with DHCP.
Whatever subnet you have there, just assign it as a VLAN and then complete the config.
Can you expand on this a bit for me? On my router things are working as expected in regards to DHCP giving out the correct network on the ports that are tagged with the VLAN.
I'm only having issues on the downstream switch. Changing the ports that connect the router to the switch to a trunked port and only allowing tagged traffic seems to be my next step.
ROUTER:
model = RB4011iGS+
In summary, sort out why the subnets you use in various places don't match the address subnets ???
Not sure why you show ether2 being tagged for both VLANs. You never noted what is connected to ether2 ???
I will assume for now it's some other kind of smart device and not a dumb device…
thus needs three VLANs… I am using your HOME VLAN as the trusted or management VLAN.
Many things don't make any sense, including trying to use forward chain rules for specific port forwarding rules… it's done in dstnat.
Also, you can't have destination NAT rules to non-existing LAN servers…
subnet 192.168.206.0 is NOT on the router ??? Creates real problems as you use them in many places..
subnet 192.168.192.0 is NOT on the router ???
Any service not encrypted is disabled.
OK, thanks for that config example. So basically, this sets up a new VLAN 5 and moves what was my untagged “home” network onto VLAN 5. That enables us to use ingress filtering and true trunked ports, then rebuilds the admin interfaces so they work on the new config. I wasn't able to get this working on my attempt this afternoon.
I have reset to my previous config from backups via serial console for now.
The ether2 on the router is my test system so I can validate whether the VLANs are working at the router. Basically just a DHCP client for untagged and tagged.
It really seems like, with my current config, if I can have the switch pass tagged and untagged traffic to the router it should just work as is. Right now any traffic that is on VLAN 10 on the switch arrives on the router untagged. This is what I was referring to as “leaking” previously.
The switch VLAN setup looks OK: sfpplus1-4 are untagged with VLAN 10 and VLAN 20 tagged, ether1-24 are untagged only. There are some unnecessary entries in the switch configuration which I would suggest removing:
/interface vlan
add interface=sfp-sfpplus3-wall name=appletalk vlan-id=20
add interface=sfp-sfpplus3-wall name=netjibbing vlan-id=10
/interface list
add name=WAN
add name=LAN
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus4-umac,sfp-sfpplus3-wall,sfp-sfpplus2-16P-switch,sfp-sfpplus1,bridge vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus4-umac,sfp-sfpplus1,sfp-sfpplus3-wall,sfp-sfpplus2-16P-switch,bridge vlan-ids=20
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10-porch-cam list=LAN
add interface=ether11 list=LAN
add interface=ether12-loft-bottom list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16-periscope list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19-HDHR list=LAN
add interface=ether20 list=LAN
add interface=ether21-cloudkey list=LAN
add interface=ether22-media-room-AP list=LAN
add interface=ether23-loft-AP list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2-16P-switch list=LAN
add interface=sfp-sfpplus3-wall list=LAN
add interface=sfp-sfpplus4-umac list=LAN
If the issue is with clients attached to the APs connected to ether22 & ether23, the VLAN membership on these ports and the SSID-to-VLAN association on the APs should be looked at.
Thanks for that switch config review. I have gone back through both switch and router to see if I could just make the hybrid trunk port work with untagged and tagged traffic flowing between switches. At best, any tagged traffic from the switch just shows up as untagged on the router, and things like DHCP addresses come from the interface that is untagged on the router bridge.
For now I'm just waiting for another bit of time to take my whole home network down and reconfigure the VLANs on the switch so that the trunk ports carry only tagged traffic.
The only time one needs to use a hybrid port is if the offending attached device
a. accepts ONLY the untagged data for the main connection and a tagged connection for other connections
(an internet phone where the untagged data is for the phone and the tagged data is for a connected PC), or
b. accepts by default (can be changed) the untagged as the management subnet and the rest as tagged data VLANs
(Ubiquiti type device).
Otherwise, one should use trunk ports or access ports.
Ensure that VLAN 10 and VLAN 20 are configured identically (tagged) on both the router (RB4011iGS+) and the main switch (CRS328-24P-4S+). Check VLAN IDs, tagging modes, and port configurations to ensure they match on both devices.
Port Configuration on Router and Switch:
On the router (RB4011iGS+), configure the ports connected to the switch (CRS328-24P-4S+) as “trunk ports”. Trunk ports carry tagged traffic for multiple VLANs.
Set VLAN 1 as untagged (PVID) and VLAN 10 and VLAN 20 as tagged on these ports.
Port Isolation and VLAN Filtering:
Ensure that VLAN 1 remains untagged on all ports as planned, including the trunk ports between the router and the switch.
Use VLAN filtering or isolation features on both devices to prevent VLAN leakage:
On MikroTik devices, this typically involves setting up VLAN interfaces (/interface vlan), VLAN filtering rules (/interface ethernet switch vlan), and ensuring proper VLAN membership (/interface ethernet switch egress-vlan-tag).
By following these steps and ensuring consistent VLAN configuration between your MikroTik devices, you should be able to prevent tagged VLAN traffic from leaking into the untagged VLAN and successfully trunk VLANs between switches.
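As an added example (not the configs posted in this thread), here is a RouterOS 7 bridge VLAN filtering layout for both sides of the uplink: the switch keeps VLAN 1 untagged with VLAN 10 and VLAN 20 tagged on sfp-sfpplus3-wall (the hybrid trunk the original poster wants), and the router terminates the tagged VLANs on its bridge rather than on the physical port. Switch interface names come from the config above; sfp-sfpplus1 as the router's uplink and the IP address are assumptions.

```routeros
# --- Switch side (CRS328-24P-4S+) ---
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
# Hybrid trunk to the router: VLAN 1 untagged (pvid=1), VLAN 10/20 tagged.
# For a tagged-only trunk use frame-types=admit-only-vlan-tagged instead.
add bridge=bridge interface=sfp-sfpplus3-wall pvid=1 frame-types=admit-all ingress-filtering=yes
# Access port on the untagged VLAN: tagged frames from the client are dropped.
add bridge=bridge interface=ether2 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Access port placed in VLAN 10: untagged frames are tagged with the pvid on ingress.
add bridge=bridge interface=ether10-porch-cam pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
# "bridge" as a tagged member is only needed if the switch itself gets an
# /interface vlan on that VLAN; the uplink must be tagged for 10 and 20.
add bridge=bridge tagged=bridge,sfp-sfpplus3-wall untagged=ether10-porch-cam vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus3-wall vlan-ids=20
# Switch management stays on untagged VLAN 1 via the bridge interface
# (constructed address).
/ip address
add address=192.168.1.2/24 interface=bridge
# Enable filtering last, from a serial/console session, so a mistake above
# cannot lock you out before the config has been checked.
/interface bridge set bridge vlan-filtering=yes

# --- Router side (RB4011iGS+) ---
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
# Same hybrid trunk facing the switch (assumed port sfp-sfpplus1).
add bridge=bridge interface=sfp-sfpplus1 pvid=1 frame-types=admit-all ingress-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=20
/interface vlan
# L3 VLAN interfaces sit on the bridge, not on sfp-sfpplus1, so tagged frames
# from the switch land on vlan10/vlan20 and their DHCP servers, not on VLAN 1.
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface bridge set bridge vlan-filtering=yes
```

After enabling filtering, `/interface bridge vlan print` should show sfp-sfpplus3-wall (and sfp-sfpplus1 on the router) in the tagged column for 10 and 20 and only in the dynamic untagged entry for VLAN 1; a frame from VLAN 10 that still arrives untagged on the router means one side's uplink is missing from that tagged list.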
Circling back on this one. I eventually discovered that static DHCP reservations were getting assigned to my test system from the incorrect address range for the VLAN it was connected on. Once I cleared these static DHCP assignments things started working well. In the end I was able to trunk traffic correctly with untagged and tagged traffic on the uplink between switches.