VLANs on WAN port

Hello,
I have the scenario from the attachment, with an RB4011.

VLAN 1, 10 → internal LANs. On the MikroTik this is solved via bridge ports and bridge VLANs. Working well.
My WAN port is ether1. My ISP needs to trunk 2 VLANs to my WAN port:

  • VLAN 99 → my access to the internet
  • VLAN 6 → ISP management VLAN. The ISP has its Aruba switch, and this needs access to the ISP router through my RB4011 with VLAN 6 tagged on my WAN port.

Currently I have VLAN 99 configured as a slave interface on ether1, like VLANs the old way. But I don’t know how to transparently bridge a VLAN between the WAN and LAN interfaces.

Thank you for advice.
Rob
(attachment: VLAN6.PNG)

Use VLAN-aware bridge with all ports members of it. This tutorial should explain things pretty well.

OK, so all of the LAN and WAN interfaces in one bridge with VLANs?

Yes. All ports in one bridge, configure the VLAN settings for the bridge ports, enable bridge VLAN filtering, and create the WAN interface as a VLAN interface with ID 99 on top of the bridge itself.
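As an added example (not the poster's or the replier's own configuration, and not the tutorial's), this is what that advice looks like for the RB4011 scenario in the first post, including the transparent ISP management VLAN. Port roles are assumed: ether1 is the WAN trunk from the ISP, ether2 is the port toward the ISP's Aruba switch, ether3 to ether5 are LAN access ports in VLAN 10; the interface names vlan99-wan and vlan10-lan and the 192.168.10.0/24 LAN prefix are also assumptions.

```routeros
# Added example for the RB4011 scenario; assumed port roles are described in the comments.
# VLAN 99 terminates on the router (internet uplink). VLAN 6 is only switched through:
# bridge1 is deliberately NOT a member of VLAN 6, so the router has no L2/L3 presence in
# the ISP management VLAN and LAN hosts cannot reach it either.

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# WAN trunk: accept tagged frames only, so untagged frames from the ISP side are dropped
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Port toward the ISP switch (assumed ether2): VLAN 6 tagged only
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# LAN access ports (assumed ether3-ether5): untagged, placed in VLAN 10
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 99: tagged on the WAN trunk and on bridge1 itself, so the router can hold an IP on it
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether1
# VLAN 6: tagged on ether1 and ether2 only; no bridge1 membership = transparent pass-through
add bridge=bridge1 vlan-ids=6 tagged=ether1,ether2
# VLAN 10: LAN, untagged on the access ports, tagged on bridge1 so the router can route it
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether3,ether4,ether5

/interface vlan
add name=vlan99-wan interface=bridge1 vlan-id=99
add name=vlan10-lan interface=bridge1 vlan-id=10

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=vlan99-wan
add list=LAN interface=vlan10-lan

/ip address
add address=192.168.10.1/24 interface=vlan10-lan
/ip dhcp-client
add interface=vlan99-wan disabled=no

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface-list=LAN action=accept
# nothing arriving on the ISP trunk may talk to the router itself
add chain=input in-interface-list=WAN action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept
add chain=forward action=drop

# Enable filtering last, once the VLAN table is complete, to avoid locking yourself out
/interface bridge set bridge1 vlan-filtering=yes

# Checks: each VLAN should list the expected current-tagged/current-untagged ports,
# VLAN 6 must not show bridge1, and the host table should show ISP MACs only on VLAN 6
/interface bridge vlan print
/interface bridge host print
```

The point to verify after applying this is the VLAN 6 row of `/interface bridge vlan print`: if bridge1 ever appears there, the router (and via routing, the LAN) gains a foothold in the ISP's management segment, which is exactly what the transparent pass-through is meant to avoid.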

I tried this today and have a problem with LTE.
I have 2 VLANs on WAN:
VLAN 1 - mgmt - IPs of the LHG and hEX S routers, access to MikroTik
VLAN 99 - internet
both tagged between routers

I’m using VLAN 99 for internet access, on the LHG with IPv4 passthrough. I get the WAN IP address on the hEX S VLAN 99 via DHCP client fine, but no internet.
If I remove VLAN 99 from the bridge and add it as a VLAN on the physical interface (like old-way tagged VLANs), internet works well. But with the WAN interface in the bridge and the VLANs on the WAN interface in the bridge, LTE passthrough seems not to work.

Other VLANs (LAN/CCTV etc.) work well.
Newest stable firmware.

Post the config (/export hide-sensitive, optionally obfuscate sensitive information) and describe which port connects to what.

I would not use VLAN 1 for management, use 111 for example…

@anav, you finally became a mentalist?

Okay, setup in the attachment.

LTE is the LTE router (not important whether LHG, LtAP, SXT...), Router is the main router (hEX S, RB951 etc.).
Newest firmware.

If I use a bridge with VLANs 1, 10, 22, 99 all in one bridge, and VLANs 1 and 99 as a trunk between the routers, LTE passthrough adds the addresses fine, but it cannot work (ping from Router to 8.8.8.8 times out; the LTE router returns no route to host).
If I remove VLAN 99 from the bridge and add it as a slave on the ether ports between the routers, LTE passthrough adds the addresses fine, I can ping from Router to 8.8.8.8, and if I add masquerade on Router and a default route on LTE, I can access the internet from LTE via VLAN 1.
But with the standard all-VLANs-in-bridge setup that doesn’t work :(

Config (wireless and GPS cleaned up for a better look):

Router:

# oct/06/2020 08:39:11 by RouterOS 6.47.4
# software id = 2ZF7-28KW
#
# model = 951G-2HnD
# serial number = 642E0557C75D
/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan22 vlan-id=22
add interface=bridge1 name=vlan99 vlan-id=99
/ip pool
add name=pool_lan ranges=192.168.88.100-192.168.88.150
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=vlan10 name=server_lan
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=22
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=1
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether5 vlan-ids=22
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
/ip address
add address=10.10.10.1/24 interface=vlan1 network=10.10.10.0
add address=192.168.88.1/24 interface=vlan10 network=192.168.88.0
/ip dhcp-client
add disabled=no add-default-route=no interface=vlan22
add disabled=no interface=vlan99
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/system clock
set time-zone-name=Europe/Prague

LTE:

# oct/06/2020 08:40:49 by RouterOS 6.47.4
# software id = NJK9-VZHU
#
# model = RB912R-2nD
# serial number = ACE60A7E996F
/interface lte
set [ find ] name=lte1
/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan99 vlan-id=99
/interface lte apn
set [ find default=yes ] apn=internet.t-mobile.cz passthrough-interface=vlan99 passthrough-mac=E4:8D:8C:46:3A:15
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=1
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
/ip address
add address=10.10.10.2/24 interface=vlan1 network=10.10.10.0
/system clock
set time-zone-name=Europe/Prague

from Router:

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.10.10.1/24      10.10.10.0      vlan1
 1   192.168.88.1/24    192.168.88.0    vlan10
 2 D 192.168.3.197/24   192.168.3.0     vlan22
 3 D 100.109.130.4/29   100.109.130.0   vlan99
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          100.109.130.5             1
 1 ADC  10.10.10.0/24      10.10.10.1      vlan1                     0
 2 ADC  100.109.130.0/29   100.109.130.4   vlan99                    0
 3 ADC  192.168.3.0/24     192.168.3.197   vlan22                    0
 4 ADC  192.168.88.0/24    192.168.88.1    vlan10                    0
[admin@MikroTik] > ping 8.8.8.8 count=1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 100.109.130.5                              84  64 0ms   net unreachable
    sent=1 received=0 packet-loss=100%

from LTE:

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.10.10.2/24      10.10.10.0      vlan1
 1 D 100.109.130.5/29   100.109.130.0   vlan99
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  10.10.10.0/24      10.10.10.2      vlan1                     0
 1 ADC  100.109.130.0/29   100.109.130.5   vlan99                    0
[admin@MikroTik] > ping 8.8.8.8 count=1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0                                                         no route to host
    sent=1 received=0 packet-loss=100%

I cannot add a default route on LTE to Router; the packet would go from LTE to Router and back until the TTL expires.

If I change VLAN 99 to be a slave of the ether port instead of the bridge, it works…

Router:

# oct/06/2020 08:51:22 by RouterOS 6.47.4
# software id = 2ZF7-28KW
#
# model = 951G-2HnD
# serial number = 642E0557C75D
/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan22 vlan-id=22
add interface=ether1 name=vlan99 vlan-id=99
/ip pool
add name=pool_lan ranges=192.168.88.100-192.168.88.150
/ip dhcp-server
add address-pool=pool_lan disabled=no interface=vlan10 name=server_lan
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=22
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=1
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether5 vlan-ids=22
add bridge=bridge1 disabled=yes tagged=bridge1,ether1 vlan-ids=99
/ip address
add address=10.10.10.1/24 interface=vlan1 network=10.10.10.0
add address=192.168.88.1/24 interface=vlan10 network=192.168.88.0
/ip dhcp-client
add add-default-route=no disabled=no interface=vlan22
add disabled=no interface=vlan99
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/system clock
set time-zone-name=Europe/Prague

LTE:

# oct/06/2020 08:53:15 by RouterOS 6.47.4
# software id = NJK9-VZHU
#
# model = RB912R-2nD
# serial number = ACE60A7E996F
/interface lte
set [ find ] name=lte1
/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=ether1 name=vlan99 vlan-id=99
/interface lte apn
set [ find default=yes ] apn=internet.t-mobile.cz passthrough-interface=vlan99 passthrough-mac=E4:8D:8C:46:3A:15
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=1
add bridge=bridge1 disabled=yes tagged=bridge1,ether1 vlan-ids=99
/ip address
add address=10.10.10.2/24 interface=vlan1 network=10.10.10.0
/system clock
set time-zone-name=Europe/Prague

from Router:

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.10.10.1/24      10.10.10.0      vlan1
 1   192.168.88.1/24    192.168.88.0    vlan10
 2 D 192.168.3.197/24   192.168.3.0     vlan22
 3 D 100.81.85.42/30    100.81.85.40    vlan99
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          100.81.85.41              1
 1 ADC  10.10.10.0/24      10.10.10.1      vlan1                     0
 2 ADC  100.81.85.40/30    100.81.85.42    vlan99                    0
 3 ADC  192.168.3.0/24     192.168.3.197   vlan22                    0
 4 ADC  192.168.88.0/24    192.168.88.1    vlan10                    0
[admin@MikroTik] > ping 8.8.8.8 count=1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 8.8.8.8                                    56  60 124ms
    sent=1 received=1 packet-loss=0% min-rtt=124ms avg-rtt=124ms max-rtt=124ms

from LTE:

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.10.10.2/24      10.10.10.0      vlan1
 1 D 100.81.85.41/30    100.81.85.40    vlan99
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  10.10.10.0/24      10.10.10.2      vlan1                     0
 1 ADC  100.81.85.40/30    100.81.85.41    vlan99                    0
[admin@MikroTik] > ping 8.8.8.8 count=1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0                                                         no route to host
    sent=1 received=0 packet-loss=100%

However, now I can add masquerade on Router and a default route on LTE via VLAN 1 to Router, and ping works also from LTE:
Router:

[admin@MikroTik] > /ip firewall nat add place-before=0 action=masquerade chain=srcnat out-interface=vlan99

LTE:

[admin@MikroTik] > /ip route add dst-address=0.0.0.0/0 gateway=10.10.10.1
[admin@MikroTik] > ping 8.8.8.8 count=1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 8.8.8.8                                    56  59 133ms
    sent=1 received=1 packet-loss=0% min-rtt=133ms avg-rtt=133ms max-rtt=133ms

Don’t know why :(
(attachment: vlan99.PNG)

My bad, yes he should use 666 for the VLAN and not 111 :stuck_out_tongue_winking_eye:

Thank you, but the non-working LTE VLAN is 99, not 1, 111 or 666.