VLANs on RouterBoard not working

Hello Folks,

I am trying to set up a very basic lab environment and have followed the excellent document available at the link below, but none of the ports assigned to the VLANs are working. A test laptop connected to these ports does not get a DHCP IP address. If I connect it to a port (ether9) that is set up with PVID 1, then it gets an IP address from this native VLAN scope (labeled Mgmt). I am running 6.47.3 code.

https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

Here is the configuration being tested. Please help me troubleshoot this issue. Thanks much in advance.

/interface bridge
add name=bridge1 vlan-filtering=yes

/interface vlan
add interface=bridge1 name=Guest vlan-id=20
add interface=bridge1 name=Staff vlan-id=72


/interface list
add name=WAN
add name=LAN

/ip pool
add name=Mgmt ranges=10.10.100.1-10.10.100.250
add name=Guest ranges=10.10.20.2-10.10.21.254
add name=Staff ranges=172.17.10.2-172.17.10.254

/ip dhcp-server
add address-pool=Mgmt disabled=no interface=bridge1 name=Mgmt
add address-pool=Guest disabled=no interface=Guest name=Guest
add address-pool=Staff disabled=no interface=Staff name=Staff

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20
add bridge=bridge1 interface=ether3 pvid=72
add bridge=bridge1 interface=ether4 pvid=72
add bridge=bridge1 interface=ether5 pvid=72
add bridge=bridge1 interface=ether6 pvid=72
add bridge=bridge1 interface=ether7 pvid=72
add bridge=bridge1 interface=ether8 pvid=72
add bridge=bridge1 interface=ether9

/interface bridge vlan
add bridge=bridge1 tagged=ether9 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether9 untagged=ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=72

/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN

/ip address
add address=10.10.100.254/24 interface=ether2 network=10.10.100.0
add address=10.10.20.1/23 interface=Guest network=10.10.20.0
add address=172.17.10.1/24 interface=Staff network=172.17.10.0

/ip dhcp-client
add disabled=no interface=ether1

/ip dns
set servers=8.8.8.8,1.1.1.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

**** this following was tried just in desperation but did not help *****

/interface ethernet switch vlan
add ports=ether4 switch=switch2 vlan-id=72

/interface ethernet switch port
set 3 default-vlan-id=72 vlan-header=always-strip vlan-mode=secure

You need to add “tagged bridge1” to your /interface bridge vlan.
The relevant section should look like this:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether9 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether9 untagged=ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=72

Your VLAN interfaces (Staff,Guest) are technically attached to the Bridge1, therefore bridge interface must be considered as a trunk/tagged port and transfer tagged frames.

In addition, your IP address 10.10.100.254/24 shouldn’t be attached to Ether2, instead, it should be attached to Bridge1, because your dhcp-server for Mgmt pool is attached to the Bridge1 as well. At the moment, it works just by accident, because Ether2 is slave to Bridge1, therefore RouterOS automatically moves the IP from slave to master interface (dang, are we still allowed to use this master-slave terminology?).


Finally, I am missing /ip dhcp-server networks , but I guess you have it set up right, just did not copy it into this export (because without that, even your ether9 wouldn’t give you address)
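
The two corrections in the reply above (tag the bridge itself for every VLAN that has a VLAN interface on it, and keep IP addresses off bridge ports) can be checked mechanically before a config goes live. The following Python check is an added example, not part of any post in this thread or of MikroTik's tooling; the sample export is constructed from the question's stanzas, the function names are hypothetical, and it assumes one `add` row per line with plain comma-separated `vlan-ids` (no ranges or line continuations).

```python
import re
from collections import defaultdict

# Constructed sample: the VLAN-related stanzas of the export in the question.
BROKEN = """\
/interface vlan
add interface=bridge1 name=Guest vlan-id=20
add interface=bridge1 name=Staff vlan-id=72
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20
add bridge=bridge1 interface=ether3 pvid=72
add bridge=bridge1 interface=ether9
/interface bridge vlan
add bridge=bridge1 tagged=ether9 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether9 untagged=ether3 vlan-ids=72
/ip address
add address=10.10.100.254/24 interface=ether2 network=10.10.100.0
add address=10.10.20.1/23 interface=Guest network=10.10.20.0
"""
# The same stanzas with both corrections from the reply applied.
FIXED = (BROKEN.replace("tagged=ether9", "tagged=bridge1,ether9")
               .replace("254/24 interface=ether2", "254/24 interface=bridge1"))

def parse_export(text):
    """Group 'add' rows by menu path; each row becomes a key=value dict."""
    menus, path = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            menus[path].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def lint_vlans(text):
    """Return (check, subject) pairs for the two mistakes named in the reply."""
    m, issues = parse_export(text), []
    tagged = defaultdict(set)  # (bridge, vlan id) -> tagged members
    for row in m["/interface bridge vlan"]:
        for vid in row["vlan-ids"].split(","):
            tagged[(row["bridge"], vid)] |= set(row.get("tagged", "").split(","))
    # A VLAN interface on a bridge needs the bridge itself tagged for its VLAN.
    for v in m["/interface vlan"]:
        if v["interface"] not in tagged[(v["interface"], v["vlan-id"])]:
            issues.append(("bridge-not-tagged", v["name"]))
    # Addresses belong on the bridge (or a VLAN interface), not on a bridge port.
    ports = {p["interface"] for p in m["/interface bridge port"]}
    issues += [("ip-on-bridge-port", a["interface"])
               for a in m["/ip address"] if a["interface"] in ports]
    return issues
```

Calling `lint_vlans(BROKEN)` reports both VLAN interfaces and the ether2 address; `lint_vlans(FIXED)` returns an empty list.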

Without a complete config it's hard to assess further.
As pointed out, nothing wrong with the router, but the configurer needs adjustment. :wink:

Thank you so much vecernik87. Yes your diagnosis is right to the point. I can now get dhcp IP addresses on both untagged vlan ports. And yes, I missed including the ip dhcp-server networks. It is there in the config.

I believe the URL that I referred to, did not include tagging on the bridge interface itself and I simply followed that document. Hopefully that document can be improved.

I will also assume that they should automatically set pvid to be the same as untagged vlan ID set up on the port. I am not sure the use case of PVID / native vlan in an access / edge port. If an edge port has been set up as untagged member of a VLAN, it should use that ID to tag any incoming traffic into that port and strip away the tag leaving that port.

I have another question. First I had all these ports bridged with no pvid defined ( so it was 1). I tried to edit the configuration by something like:

interface bridge port
set interface=ether3 pvid=72
It will then prompt for number:, which I had no idea about, so I simply hit enter and nothing then changes. I then looked at the document and it simply had the command
interface bridge port set ether3 pvid=72
but that also did not work.

What will be the correct CLI to edit an existing configuration to append or change something like a PVID?

I ended up changing that thru GUI and then it took effect.

Thanks again for your very prompt help and support. Stay healthy and God bless you and yours.

And appreciate anav also for looking into my post. I should have included full configuration as you never know. But setting up VLANs on RouterOS seems to be convoluted. But once you know the process, it is then simple to repeat it. Thanks again and keep doing good work.

By the way, it looks like in presence of a pool / range defined for each dhcp scope, dhcp-server network is redundant. I only had it for Mgmt network as that was added as part of the initial wizard setup. The other two scopes I added by defining the pools and then made use of those pools when I defined the dhcp scopes. These scopes thus don’t have the network section.

On further checking, I did find that I missed a step to add the networks, which includes the gateway IP for that vlan. So ip dhcp-server networks stanza is in fact required.

Thanks

I am very glad that it helped :slight_smile:

re. your second question: When working with /interface bridge port , each row has its own number as a unique identifier (if you know SQL, imagine it as a primary key in the DB). Then, each row has parameters (e.g. interface, pvid etc.). Your command actually said that you want to set interface to Ether3 and PVID to 72, however, it did not define which row (number) you want to modify. In theory, the syntax as it is written would modify all your entries (and break your config) but fortunately RouterOS is too smart to do that.

There are two ways to approach it:

  • You may firstly find out the number with /interface bridge port print (notice the first column) and then use the number in your command /interface bridge port set 2 pvid=72 (number 2 is an example, you may have it under different number)
  • You may use “find” command, for example: /interface bridge port set pvid=72 [find interface=ether3]

You don’t need to set your interface again if you are just changing PVID. It just increases the risk that you will change it to something else accidentally.


@anav: mwah :stuck_out_tongue: ASSess me harder daddy

Glad it's working now!!
Yes, it's amazing how many times there are multiple errors, not just vlan filtering specific errors, in config and firewall rules that get in the way, so to quickly/efficiently provide accurate help the full config is beneficial.