VLANs are not switched between trunk ports?

Hello!

The idea
The setup is heavily based on pcunite’s guide to VLANs http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 with added support for CAPsMAN in local forwarding mode, the idea being CAPsMAN uses the BASE_VLAN (99) for configuration and the actual VLANs for user-wifi-data.

RB3011 (called Main)
EG-20220108-0014.rsc (2.09 KB)
Working as router between the VLANs and WAN. Connected to WAN (ether1), trunks (ether6 and ether9), accessport vlan10 (ether10)

RB952Ui (called EG)
Main-20220108-0014.rsc (8.82 KB)
Working as accesspoint+switch: connected to trunk (ether1 → Main-ether6), accessports vlan10 (ether 2-5)

RBD52G (called DG)
DG-20220108-0014.rsc (2.08 KB)
Basically the same as EG
Working as accesspoint+switch connected to trunk (ether1 → Main-ether9), accessports vlan10 (ether 2-4), accessport vlan 99 (ether5 - this is just for debugging, once everything works this will be vlan 10 too)

Problem
My problem is: When connected to WIFIintern (vlan 10) or EG/DG accessport for vlan10, I cannot reach Main-ether10.
Also, if I’m connected to my vlan99 debugging port (DG-ether5), I can only reach DG and Main via Winbox/Web, but not EG.

What I tried so far
As you can see, there is currently a rather strange and unexpected firewall rule in the forward chain: `add action=accept chain=forward comment="WHY?!" in-interface=BR1`. Once I added this rule I was able to get both problems resolved, BUT this also activated VLAN<->VLAN routing, which I don’t want. Once the rule is disabled I can only reach “1 hop” basically, but it looks like Main is not switching between the 2 Main-trunk ports (Main-ether6/9) or between the trunks and the accessport (Main-ether10).

I also noticed a dynamically added entry in /interface bridge vlan print (on all 3 devices, output below is from Main, entry #4), which I don’t understand. Where does this come from? Is this the culprit?

[admin@Main] > /interface bridge vlan print 
Flags: X - disabled, D - dynamic 
 #   BRIDGE                      VLAN-IDS  CURRENT-TAGGED                      CURRENT-UNTAGGED                     
 0   BR1                         10        BR1                                 ether10                              
                                           ether6                             
                                           ether9                             
 1   BR1                         20        BR1                                
                                           ether6                             
                                           ether9                             
 2   BR1                         30        BR1                                
                                           ether6                             
                                           ether9                             
 3   BR1                         99        BR1                                
                                           ether6                             
                                           ether9                             
 4 D BR1                         1                                             BR1

I’m stuck and would really appreciate your help!
elexx

You most likely don’t want use-ip-firewall=yes use-ip-firewall-for-vlan=yes on bridge. That’s for advanced use only and can produce very unexpected results otherwise. Like what you’re seeing.

Wow, that was easy! Setting those 2 to no fixed the problem. Thank you very very much!
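For readers landing on this thread later, here is a constructed RouterOS snippet (not the attached .rsc files from the original post) showing the Main bridge with the setting the reply identifies as the culprit placed beside the corrected one. Port names, VLAN IDs and the bridge name BR1 are taken from the post; the VLAN interface names (VLAN10 etc.) are assumed.

```routeros
# Constructed example, not the thread's own configuration.
# Bridge, ports and VLAN table follow the "Main" RB3011 described above.

/interface bridge
# Weak setting (the one that broke switching): use-ip-firewall=yes pushes
# bridged frames through /ip firewall, and use-ip-firewall-for-vlan=yes does
# the same for VLAN-tagged frames. Traffic that should only be switched
# between ether6, ether9 and ether10 is then evaluated by the forward chain
# and hits its drop rules, which is why an "accept in-interface=BR1" rule
# appeared to fix it.
# add name=BR1 vlan-filtering=yes use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# Corrected: leave Layer 2 forwarding to the bridge. The IP firewall then
# only sees routed traffic arriving through the VLAN interfaces, so the
# forward chain controls inter-VLAN routing without touching intra-VLAN
# switching.
add name=BR1 vlan-filtering=yes use-ip-firewall=no use-ip-firewall-for-vlan=no

/interface bridge port
add bridge=BR1 interface=ether6          # trunk to EG
add bridge=BR1 interface=ether9          # trunk to DG
add bridge=BR1 interface=ether10 pvid=10 # access port, VLAN 10

/interface bridge vlan
# Tagged on both trunks and on the bridge itself (so the router can route
# for each VLAN); ether10 carries VLAN 10 untagged.
add bridge=BR1 vlan-ids=10 tagged=BR1,ether6,ether9 untagged=ether10
add bridge=BR1 vlan-ids=20 tagged=BR1,ether6,ether9
add bridge=BR1 vlan-ids=30 tagged=BR1,ether6,ether9
add bridge=BR1 vlan-ids=99 tagged=BR1,ether6,ether9  # BASE_VLAN for CAPsMAN
# The dynamic "vlan-ids=1 / current-untagged=BR1" line in the print output
# above is expected: the bridge interface itself has pvid=1 by default, so
# RouterOS adds that entry automatically. It is unrelated to the problem.

/interface vlan
# Assumed names; one Layer 3 interface per VLAN on top of the bridge.
add name=VLAN10 vlan-id=10 interface=BR1
add name=VLAN20 vlan-id=20 interface=BR1
add name=VLAN30 vlan-id=30 interface=BR1
add name=VLAN99 vlan-id=99 interface=BR1

# On an already running bridge, change the two settings in place:
/interface bridge set BR1 use-ip-firewall=no use-ip-firewall-for-vlan=no
```

After the change, `/interface bridge vlan print` should still list entries 0-3 as above; the "WHY?!" accept rule is no longer needed and should stay disabled, since with it removed the forward chain only governs routed traffic between VLANs.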