abatie
October 6, 2021, 6:29pm
1
Following example https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.231_.28Trunk_and_Access_Ports.29
# model = RB760iGS
/interface bridge
add name=uplink-bridge vlan-filtering=yes
/interface bridge port
add bridge=uplink-bridge interface=sfp1
add bridge=uplink-bridge interface=ether3 pvid=200
add bridge=uplink-bridge interface=ether1 pvid=613
/interface bridge vlan
add bridge=uplink-bridge tagged=sfp1 untagged=ether3 vlan-ids=200
add bridge=uplink-bridge tagged=sfp1 untagged=ether1 vlan-ids=613
[admin@gp-gw-new] /interface bridge<SAFE> /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.88.1/24 192.168.88.0 ether5
1 207.55.104.250/24 207.55.104.0 ether3
However, while running /ping 207.55.104.1, tshark shows the packets coming out sfp1 as untagged:
Frame 30: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Interface id: 0 (en7)
Interface name: en7
Encapsulation type: Ethernet (1)
Arrival Time: Oct 6, 2021 11:21:50.550736000 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1633544510.550736000 seconds
[Time delta from previous captured frame: 0.999969000 seconds]
[Time delta from previous displayed frame: 0.999969000 seconds]
[Time since reference or first frame: 686.323255000 seconds]
Frame Number: 30
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:arp]
Ethernet II, Src: b8:69:f4:86:47:4f, Dst: ff:ff:ff:ff:ff:ff
Destination: ff:ff:ff:ff:ff:ff
Address: ff:ff:ff:ff:ff:ff
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: b8:69:f4:86:47:4f
Address: b8:69:f4:86:47:4f
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: ARP (0x0806)
Padding: 000000000000000000000000000000000000
Address Resolution Protocol (request)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
Sender MAC address: b8:69:f4:86:47:4f
Sender IP address: 207.55.104.250
Target MAC address: 00:00:00:00:00:00
Target IP address: 207.55.104.1
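The check done by eye in the capture above (is there an 802.1Q header between the source MAC and the EtherType?) can be scripted. This is an added example, not part of the original post; the sample frames are constructed from the field values shown in the tshark output, and the function names are hypothetical.

```python
import socket
import struct

TPID_8021Q, TPID_8021AD = 0x8100, 0x88A8  # C-tag and S-tag (QinQ) TPIDs

def vlan_tags(frame: bytes):
    """Return ([(tpid, pcp, vid), ...], payload_ethertype), outermost tag first."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet II header")
    tags, offset = [], 12                      # skip destination + source MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype_next = struct.unpack_from("!HH", frame, offset + 2)
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))
        offset, ethertype = offset + 4, ethertype_next
    return tags, ethertype

def check_trunk_frame(frame: bytes, expected_vid: int) -> str:
    """Classify a frame captured on a trunk port against the VLAN it should carry."""
    tags, ethertype = vlan_tags(frame)
    if not tags:
        return f"UNTAGGED (ethertype 0x{ethertype:04x}), expected VLAN {expected_vid}"
    vid = tags[0][2]                           # outermost tag is what the next switch sees
    if vid == 0:
        return "PRIORITY-TAGGED (VID 0), no VLAN membership carried"
    return "OK" if vid == expected_vid else f"WRONG VLAN {vid}, expected {expected_vid}"

def arp_request(vid=None) -> bytes:
    """Constructed sample: the ARP request from the capture, optionally 802.1Q-tagged."""
    src = bytes.fromhex("b869f486474f")
    header = b"\xff" * 6 + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid)   # PCP 0, DEI 0
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src, socket.inet_aton("207.55.104.250"),
                      bytes(6), socket.inet_aton("207.55.104.1"))
    return header + struct.pack("!H", 0x0806) + arp + bytes(18)  # pad to 60 bytes untagged

if __name__ == "__main__":
    print(check_trunk_frame(arp_request(), 200))      # frame as seen in the capture
    print(check_trunk_frame(arp_request(200), 200))   # what the trunk should carry
```

Some capture NICs and drivers strip 802.1Q tags before the frame reaches the sniffer, which makes every frame look untagged, so confirm the capture host preserves tags before relying on an UNTAGGED result.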
CZFan
October 6, 2021, 6:53pm
2
IP Address should be attached to Vlan interface, not ether interface
anav
October 6, 2021, 6:57pm
3
Missing.
Optional
/interface bridge
add name=uplink-bridge vlan-filtering=yes
/interface bridge port
add bridge=uplink-bridge interface=sfp1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=uplink-bridge interface=ether3 pvid=200 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=uplink-bridge interface=ether1 pvid=613 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=uplink-bridge tagged=uplink-bridge,sfp1 untagged=ether3 vlan-ids=200
add bridge=uplink-bridge tagged=uplink-bridge,sfp1 untagged=ether1 vlan-ids=613
For future reference and guidance read this bible…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
anav
October 6, 2021, 8:29pm
5
Then post the complete config.
/export hide-sensitive file=anynameyouwish
abatie
October 6, 2021, 11:26pm
6
vlan200 is the primary routed uplink for the router
vlan613 is a layer 2 vlan to elsewhere for cust 2
diagram attached
Note, this config is done per https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table#BridgeVLANTable-Trunk/Accessportsetup
# jan/01/1970 16:17:06 by RouterOS 6.46.7
# software id = G0ZP-8CHD
#
# model = RB760iGS
/interface bridge
add name=uplink-bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Customer 1 Handoff"
set [ find default-name=ether2 ] comment="Customer 2 Handoff"
set [ find default-name=ether3 ] comment="Dummy vlan200 interface"
set [ find default-name=ether5 ] comment="Local Access"
set [ find default-name=sfp1 ] comment="Uplink"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=uplink-bridge interface=ether2 pvid=613
add bridge=uplink-bridge interface=ether3 pvid=200
add bridge=uplink-bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=uplink-bridge tagged=sfp1 untagged=ether3 vlan-ids=200
add bridge=uplink-bridge tagged=sfp1 untagged=ether2 vlan-ids=613
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether5 network=\
    192.168.88.0
add address=10.55.104.250/24 interface=ether3 network=10.55.104.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=<addresses> list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="Allowed from PEAK" src-address-list=\
    allowed_to_router
add action=accept chain=input comment="Allow established and related" \
    connection-state=established,related
add action=drop chain=input comment="Block input from anywhere else"
add action=jump chain=forward jump-target=suspended src-address-list=\
    suspended
add action=accept chain=suspended dst-port=53 protocol=tcp
add action=accept chain=suspended dst-port=53 protocol=udp
add action=drop chain=suspended
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=<addresses>
set ssh address=<addresses>
set api address=<addresses>
set winbox address=<addresses>
set api-ssl address=<addresses>
/snmp
set contact=Engineering enabled=yes location=Here
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=vlan-new
/system package update
set channel=long-term
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
vlan-example.pdf (22.3 KB)
anav
October 7, 2021, 12:14am
7
You don't define the vlans??
They should have number and name and interface being the bridge.
You still haven't fixed your /interface bridge vlan as provided.
Where are your firewall rules, or does this not face the internet (aka an ISP)?
What is ether3 doing with an IP address?
Not much makes sense to me.
Is this mostly a cut and paste job from YouTube??
abatie
October 7, 2021, 12:30am
8
At the moment this is a lab router; I’m just trying to get vlan tagging to work following the instructions in the MikroTik URL I gave.
I removed the uplink-bridge from the tagged clause as it didn’t change anything.
Sorry, I forgot to update the diagram with ether 3. When I used vlans, it didn’t send packets out sfp1 at all.
Here’s the correct diagram:
vlan-example-ether3.pdf (23.5 KB)
anav
October 7, 2021, 1:10am
9
abatie
October 7, 2021, 2:07pm
10
“The internet crap” is MikroTik’s official documentation, but I’ll check out your link…
anav
October 7, 2021, 3:15pm
11
abatie
October 8, 2021, 12:13am
12
All three docs (old, new, forum) say basically the same thing. In the end, the issue was mixing layer2/3 just doesn’t seem to work and I solved the problem by using two hexes, one as a switch and one as a router.