quentin9696
just joined
Topic Author
Posts: 5
Joined: Tue Nov 17, 2020 11:32 pm

Communicate outside the bridge

Tue Nov 17, 2020 11:48 pm

Hi,

I would like to communicate from my bridge to an interface of my router.

I have a bridge, and the port sfp+ 1 is in access mode on 1110 VLAN.

I also have a port eth0.1110. I set an IP to this interface ether1.1110, and I can't communicate from my laptop on port sfp+ 1 to the ether1.1110. But, I can ping from sfp+1 to my vlan bridge interface 10.0.100.254.

What is missing?

Here is my configuration:
# nov/17/2020 22:44:13 by RouterOS 6.47.7
# software id =
#
# model = CCR2004-1G-12S+2XS
# serial number = 
/interface bridge
add comment="Layer 2 core switch" ingress-filtering=yes name=switch_core_L2 pvid=1110 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp28-1 ] disabled=yes
set [ find default-name=sfp28-2 ] disabled=yes
/interface vlan
add interface=ether1 name=test vlan-id=1110
add comment="Admin subnet" interface=switch_core_L2 name=vl_admin vlan-id=1110
add comment="Wifi guest" interface=switch_core_L2 name=vl_guest vlan-id=2000
add comment="LAN subnet" interface=switch_core_L2 name=vl_lan vlan-id=1000
add comment="LTE Orange" interface=switch_core_L2 name=vl_lte vlan-id=2255
add comment="NAS subnet" interface=switch_core_L2 name=vl_nas vlan-id=1100
add comment="VPN subnet" interface=switch_core_L2 name=vl_vpn vlan-id=2128
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="Admin dynamic pool" name=admin ranges=10.0.100.1-10.0.100.100
/ip dhcp-server
add address-pool=admin disabled=no interface=vl_admin lease-time=1w name=admin
/interface bridge port
add bridge=switch_core_L2 ingress-filtering=yes interface=sfp-sfpplus1 pvid=1110
add bridge=switch_core_L2 interface=sfp-sfpplus2
add bridge=switch_core_L2 interface=sfp-sfpplus3
add bridge=switch_core_L2 interface=sfp-sfpplus4
add bridge=switch_core_L2 interface=sfp-sfpplus5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=switch_core_L2 comment="LAN subnet" tagged=switch_core_L2 vlan-ids=1000
add bridge=switch_core_L2 comment="NAS subnet" tagged=switch_core_L2 vlan-ids=1100
add bridge=switch_core_L2 comment="Admin subnet" tagged=switch_core_L2 untagged=sfp-sfpplus1 vlan-ids=1110
add bridge=switch_core_L2 comment="VPN subnet" tagged=switch_core_L2 vlan-ids=2128
add bridge=switch_core_L2 comment="Wifi guest" tagged=switch_core_L2 vlan-ids=2000
add bridge=switch_core_L2 comment="LTE Orange" tagged=switch_core_L2 vlan-ids=2255
/ip address
add address=10.0.0.254/24 comment="LAN gateway" interface=vl_lan network=10.0.0.0
add address=10.0.1.126/25 comment="NAS gateway" interface=vl_nas network=10.0.1.0
add address=10.0.100.254/24 comment="Admin gateway" interface=vl_admin network=10.0.100.0
add address=172.16.0.126/25 comment="Guest wifi gateway" interface=vl_guest network=172.16.0.0
add address=172.16.0.254/25 comment="VPN gateway" interface=vl_vpn network=172.16.0.128
add address=10.0.100.253/24 interface=test network=10.0.100.0
/ip dhcp-server network
add address=10.0.100.0/24 gateway=10.0.100.254
/ip service
set telnet disabled=yes
set www disabled=yes
Also, here is my ARP table on my laptop:
10.0.100.253 dev enp5s0  FAILED
10.0.100.254 dev enp5s0 lladdr 48:xx:xx:xx:xx REACHABLE
I'm missing something but I'm not sure what is wrong.

Quentin.
 
mkx
Forum Guru
Posts: 5015
Joined: Thu Mar 03, 2016 10:23 pm

Re: Communicate outside the bridge

Wed Nov 18, 2020 2:52 pm

Probably the best is to go all-tagged, which you already started by using vl_admin for L3 setup. So you should remove the pvid setting from the switch_core_L2 interface configuration:

/interface bridge
add comment="Layer 2 core switch" ingress-filtering=yes name=switch_core_L2 pvid=1110 vlan-filtering=yes
BR,
Metod
 
quentin9696
just joined
Topic Author
Posts: 5
Joined: Tue Nov 17, 2020 11:32 pm

Re: Communicate outside the bridge

Wed Nov 18, 2020 3:24 pm

Hi,

Thanks for your reply.

I removed it, but it is still the same:
# nov/18/2020 14:22:11 by RouterOS 6.47.7
# software id = 
#
# model = CCR2004-1G-12S+2XS
# serial number = 
/interface bridge
add comment="Layer 2 core switch" ingress-filtering=yes name=switch_core_L2 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp28-1 ] disabled=yes
set [ find default-name=sfp28-2 ] disabled=yes
/interface vlan
add interface=ether1 name=test vlan-id=1110
add comment="Admin subnet" interface=switch_core_L2 name=vl_admin vlan-id=1110
add comment="Wifi guest" interface=switch_core_L2 name=vl_guest vlan-id=2000
add comment="LAN subnet" interface=switch_core_L2 name=vl_lan vlan-id=1000
add comment="LTE Orange" interface=switch_core_L2 name=vl_lte vlan-id=2255
add comment="NAS subnet" interface=switch_core_L2 name=vl_nas vlan-id=1100
add comment="VPN subnet" interface=switch_core_L2 name=vl_vpn vlan-id=2128
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="Admin dynamic pool" name=admin ranges=10.0.100.1-10.0.100.100
add comment="LAN DHCP network" name=lan ranges=10.0.0.1-10.0.0.100
add comment="Guest subnet pool" name=guest ranges=172.16.0.1-172.16.0.100
/ip dhcp-server
add address-pool=admin disabled=no interface=vl_admin lease-time=1w name=admin
add address-pool=lan disabled=no interface=vl_lan lease-time=1w name=lan
add address-pool=guest disabled=no interface=vl_guest lease-time=1w name=guest
/interface bridge port
add bridge=switch_core_L2 ingress-filtering=yes interface=sfp-sfpplus1 pvid=1110
add bridge=switch_core_L2 interface=sfp-sfpplus2
add bridge=switch_core_L2 interface=sfp-sfpplus3
add bridge=switch_core_L2 interface=sfp-sfpplus4
add bridge=switch_core_L2 interface=sfp-sfpplus5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=switch_core_L2 comment="LAN subnet" tagged=switch_core_L2,sfp-sfpplus4 vlan-ids=1000
add bridge=switch_core_L2 comment="NAS subnet" tagged=switch_core_L2 vlan-ids=1100
add bridge=switch_core_L2 comment="Admin subnet" tagged=switch_core_L2,sfp-sfpplus4 untagged=sfp-sfpplus1 vlan-ids=1110
add bridge=switch_core_L2 comment="VPN subnet" tagged=switch_core_L2 vlan-ids=2128
add bridge=switch_core_L2 comment="Wifi guest" tagged=switch_core_L2,sfp-sfpplus4 vlan-ids=2000
add bridge=switch_core_L2 comment="LTE Orange" tagged=switch_core_L2 vlan-ids=2255
/ip address
add address=10.0.0.254/24 comment="LAN gateway" interface=vl_lan network=10.0.0.0
add address=10.0.1.126/25 comment="NAS gateway" interface=vl_nas network=10.0.1.0
add address=10.0.100.254/24 comment="Admin gateway" interface=vl_admin network=10.0.100.0
add address=172.16.0.126/25 comment="Guest wifi gateway" interface=vl_guest network=172.16.0.0
add address=172.16.0.254/25 comment="VPN gateway" interface=vl_vpn network=172.16.0.128
add address=10.0.100.253/24 interface=test network=10.0.100.0
/ip dhcp-client
add disabled=no interface=sfp-sfpplus12
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.254
add address=10.0.100.0/24 gateway=10.0.100.254
add address=172.16.0.0/25 dns-server=1.1.1.1 gateway=172.16.0.126
/ip firewall filter
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=172.16.0.0/25
add action=drop chain=forward dst-address=172.16.0.128/25 src-address=172.16.0.0/25
add action=drop chain=input in-interface=sfp-sfpplus12 src-address=0.0.0.0/0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus12 to-addresses=0.0.0.0/0
/ip service
set telnet disabled=yes
set www disabled=yes
/system clock
set time-zone-name=Europe/Paris
Quentin.
 
mkx
Forum Guru
Posts: 5015
Joined: Thu Mar 03, 2016 10:23 pm

Re: Communicate outside the bridge

Wed Nov 18, 2020 3:56 pm

What exactly do you mean by
"I also have a port eth0.1110. I set an IP to this interface ether1.1110, and I can't communicate from my laptop on port sfp+ 1 to the ether1.1110. But, I can ping from sfp+1 to my vlan bridge interface 10.0.100.254."

Where do you connect laptop etc.?

If you actually want to use ether1 as untagged port for management VLAN, then you should add ether1 as access port to the same bridge with SFP+ interfaces ...
BR,
Metod
 
quentin9696
just joined
Topic Author
Posts: 5
Joined: Tue Nov 17, 2020 11:32 pm

Re: Communicate outside the bridge

Thu Nov 19, 2020 1:15 am

Here is my test case that is not working:

I connect my laptop, in DHCP mode (I got the IP 10.0.100.1/24), to the port sfp+ 1 (access mode, PVID 1110). I can ping my gateway (10.0.100.254, vlan 1110) and also all the other gateways on the bridge (10.0.0.254 vlan 1000).
Then, I add an IP address on the port ether1.1110 (vlan 1110) (IP 10.0.100.253/24). I try to ping this address from my laptop but I got an ICMP host unreachable error.

I don't know what is missing ...
Quentin.
 
tdw
Long time Member
Posts: 556
Joined: Sat May 05, 2018 11:55 am

Re: Communicate outside the bridge  [SOLVED]

Thu Nov 19, 2020 2:28 am

Just creating two /interface vlan entries with the same VLAN ID on differing interfaces (ether1 and switch_core_L2), and assigning addresses from the same subnet to each of them, will not allow access from one to the other. A diagram of what you wish to achieve may be helpful.
 
quentin9696
just joined
Topic Author
Posts: 5
Joined: Tue Nov 17, 2020 11:32 pm

Re: Communicate outside the bridge

Sat Nov 21, 2020 11:24 am

Oh, OK, I got my error. I need to add this port to a bridge to be able to communicate.

Thanks.
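
The change the thread converges on, written out as an added example that is not part of any poster's message: ether1 joins switch_core_L2 as an access port for VLAN 1110, and the stand-alone `test` VLAN interface with its 10.0.100.253/24 address is removed. It assumes the device plugged into ether1 sends untagged frames; the tagged alternative is shown in comments.

```routeros
# Added example for RouterOS 6.x, based on the exports posted above.
# Assumption: the device on ether1 sends untagged frames.

# Before (from the posted export): VLAN 1110 is defined twice, on two
# unrelated layer-2 parents. Sharing a VLAN ID and a subnet does not join
# them, so the laptop's ARP for 10.0.100.253 never reaches ether1:
#   /interface vlan add interface=ether1 name=test vlan-id=1110
#   /interface vlan add interface=switch_core_L2 name=vl_admin vlan-id=1110

# 1. Remove the duplicate address in 10.0.100.0/24, then the VLAN
#    interface that sits directly on ether1.
/ip address remove [find interface=test]
/interface vlan remove [find name=test]

# 2. Add ether1 to the bridge as an access port in VLAN 1110. Restricting
#    frame-types keeps tagged frames from entering on an access port.
/interface bridge port
add bridge=switch_core_L2 interface=ether1 pvid=1110 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# 3. List ether1 as an untagged member of VLAN 1110 next to sfp-sfpplus1.
#    The tagged members of the entry are left unchanged.
/interface bridge vlan
set [find bridge=switch_core_L2 vlan-ids=1110] untagged=sfp-sfpplus1,ether1

# Tagged alternative (device on ether1 sends 802.1Q frames with ID 1110),
# used instead of steps 2 and 3:
#   /interface bridge port add bridge=switch_core_L2 interface=ether1 \
#       ingress-filtering=yes frame-types=admit-only-vlan-tagged
#   /interface bridge vlan set [find bridge=switch_core_L2 vlan-ids=1110] \
#       tagged=switch_core_L2,sfp-sfpplus4,ether1

# 4. Verify membership and learned MAC addresses.
/interface bridge vlan print where vlan-ids=1110
/interface bridge host print
```

After this change the router answers in VLAN 1110 only on vl_admin (10.0.100.254), and hosts on sfp-sfpplus1 and ether1 share one layer-2 segment.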
