Myshob
just joined
Topic Author
Posts: 3
Joined: Tue Feb 23, 2021 1:40 pm

Bridge VLANs on RB4011iGS+RM

Tue Feb 23, 2021 4:48 pm

Hi,

I have my RB4011iGS+RM currently set up with three bridges for three subnets (management, LAN, IoT), each bridge has two physical ethernet ports. I need to have all three subnets on a Wi-Fi AP that will be connected on ether10 (the only PoE port), so I figured I'd create 3 VLANs corresponding to the subnets via /interface vlan, add them to their respective bridges and use ether10 as a trunk port with all three, but while reading through the wiki, I've found that this is one of the common misconfigurations and probably won't work - https://wiki.mikrotik.com/wiki/Manual:L ... _interface

Apparently the new way is to use Bridge VLAN Filtering, which if I understand correctly turns the bridge into a VLAN-aware virtual switch, creating something like a virtual router-on-a-stick setup.

I think I understand most of the principles of this setup from reading the wiki, but I still have a few questions:

- A physical interface (ether10 in my case) cannot be added to multiple bridges. Is the best practice to create one big bridge with all the VLANs and then separate the ports using PVIDs (set them as access ports), or can I keep the three separate bridges (I noticed you can add a tagged port under /interface bridge vlan even if the port wasn't added to the bridge using /interface bridge ports)?

- If I will have to create one big bridge for all the subnets, I will be left with only one L3 interface (the new bridge). How do I set up firewall between the subnets? The PVID field on the bridge itself can be used to allow all VLANs to the CPU for routing, but what would be the settings in /ip addresses and /ip firewall?

- Are there any extra performance or security settings that I should be aware of?

I hope the description isn't too confusing :)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLANs on RB4011iGS+RM

Wed Feb 24, 2021 5:51 pm

If you're going to use bridge VLANs, this is the reference guide you will need!
viewtopic.php?f=23&t=143620
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Bridge VLANs on RB4011iGS+RM

Wed Feb 24, 2021 7:10 pm

The guide mentioned by @anav and the wiki/help pages are a good start; in general, random blogs/videos found on the web tend to use methods that are obsolete, less than optimal, or wrong.

- A physical interface (ether10 in my case) cannot be added to multiple bridges. Is the best practice to create one big bridge with all the VLANs and then separate the ports using PVIDs (set them as access ports)
Yes

or can I keep the three separate bridges (I noticed you can add a tagged port under /interface bridge vlan even if the port wasn't added to the bridge using /interface bridge ports)?
The /interface bridge vlan settings only apply to members added under /interface bridge port. It would be nice if Winbox/CLI added a warning comment if VLAN settings are applied to ports which are not bridge members, but they don't.

- If I will have to create one big bridge for all the subnets, I will be left with only one L3 interface (the new bridge). How do I set up firewall between the subnets? The PVID field on the bridge itself can be used to allow all VLANs to the CPU for routing, but what would be the settings in /ip addresses and /ip firewall?
The bridge itself has an interface to the CPU for access to services such as an IP address, DHCP server, etc. This interface, which has the same name as the bridge, is automatically a member of the bridge - it doesn't appear under /interface bridge port. Other than that it is like any other member and can be included in the /interface bridge vlan settings, but is often overlooked and the cause of lack of connectivity.

Just as with your ether10 interface you would configure the bridge interface to have the VLANs tagged, but in the case of the bridge interface you then use /interface vlan objects to provide the VLAN encapsulation/decapsulation for each VLAN you wish the CPU to have access to. If you previously had three bridges, e.g. bridge10, bridge20 & bridge30, you would instead use three VLAN interfaces, e.g. bridge-vlan10, bridge-vlan20 & bridge-vlan30, attached to the single bridge.
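As an added worked example (not posted by tdw or anyone else in this thread), here is the single-bridge layout described above written out as RouterOS CLI, assuming VLAN 10/20/30 are management/LAN/IoT on access ports ether2/ether3/ether4, ether10 is the trunk to the AP, and the 192.168.x.0/24 subnets are placeholders:

```routeros
# Assumed layout (constructed): VLAN 10 mgmt on ether2, VLAN 20 LAN on ether3,
# VLAN 30 IoT on ether4, ether10 = trunk to the AP. Subnets are placeholders.

# 1. One bridge; leave vlan-filtering off until the VLAN table is complete
/interface bridge add name=bridge vlan-filtering=no

# 2. Access ports: pvid puts untagged client frames into the VLAN, and
#    frame-types/ingress-filtering discard any tagged frame a client injects
/interface bridge port
add bridge=bridge interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether4 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether10 comment="trunk to AP (default frame-types, i.e. hybrid)"

# 3. VLAN table: "bridge" in tagged= is the implicit bridge-to-CPU port
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether10 untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge,ether10 untagged=ether3
add bridge=bridge vlan-ids=30 tagged=bridge,ether10 untagged=ether4

# 4. One /interface vlan per VLAN on the bridge gives the CPU its L3 interfaces
/interface vlan
add name=bridge-vlan10 vlan-id=10 interface=bridge
add name=bridge-vlan20 vlan-id=20 interface=bridge
add name=bridge-vlan30 vlan-id=30 interface=bridge

# 5. Addresses go on the VLAN interfaces, not on the bridge itself
/ip address
add address=192.168.10.1/24 interface=bridge-vlan10
add address=192.168.20.1/24 interface=bridge-vlan20
add address=192.168.30.1/24 interface=bridge-vlan30

# 6. Firewall between subnets: the VLAN interfaces are what in/out-interface match
/interface list add name=MGMT
/interface list add name=VLAN
/interface list member add list=MGMT interface=bridge-vlan10
/interface list member add list=VLAN interface=bridge-vlan10
/interface list member add list=VLAN interface=bridge-vlan20
/interface list member add list=VLAN interface=bridge-vlan30
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=bridge-vlan20 out-interface=bridge-vlan30 comment="LAN may open connections to IoT"
add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN comment="no other inter-VLAN traffic"
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=MGMT comment="router management only from VLAN 10"
add chain=input action=drop in-interface-list=VLAN comment="add accepts for client services (e.g. DNS) above this"

# 7. Enable filtering last, from Safe Mode, so a mistake in the table rolls back
/interface bridge set bridge vlan-filtering=yes
```

Run the last command from Safe Mode (Ctrl-X in the terminal): if the VLAN table is missing the bridge-to-CPU port, enabling filtering cuts the management session and the change is rolled back automatically.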
 
Myshob
just joined
Topic Author
Posts: 3
Joined: Tue Feb 23, 2021 1:40 pm

Re: Bridge VLANs on RB4011iGS+RM

Sat Feb 27, 2021 2:06 am

Thanks to both of you. While the settings are not very intuitive, they make perfect sense and work like a charm once understood. This was the main thing I was missing (for some reason I thought the /interface vlan menu was deprecated):
...in the case of the bridge interface you then use /interface vlan objects to provide the VLAN encapsulation/decapsulation for each VLAN you wish the CPU to have access to.

My setup now works as expected, but I'm still curious about this:

- Once I enable Bridge VLAN filtering, the IP address set on the bridge is ignored? So far it seems like it is, but it's not marked as invalid in /ip address

- Is there a way to restrict which VLANs are sent to which trunk port? For example, if I would like to send VLANs 10, 20 and 30 via ether10, but only 10 and 20 via ether9 (with both ethernet interfaces in the same bridge).
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Bridge VLANs on RB4011iGS+RM

Sat Feb 27, 2021 3:02 am

- Once I enable Bridge VLAN filtering, the IP address set on the bridge is ignored? So far it seems like it is, but it's not marked as invalid in /ip address
The implicit bridge-to-CPU port can be configured as an access, trunk or hybrid port, just as with any other bridge ports. An IP address on the bridge itself relates to untagged bridge-to-CPU traffic. The untagged membership for access or hybrid ports is dynamically added - an /interface bridge vlan shows the actual memberships.

To convert a hybrid port to a trunk port, i.e. tagged only, add frame-types=admit-only-vlan-tagged ingress-filtering=yes to the bridge definition for the bridge-to-CPU port, or to the interface ports under /interface bridge port for the other ports.

- Is there a way to restrict which VLANs are sent to which trunk port? For example if I would like to send VLANs 10, 20 and 30 via ether10, but only 10 and 20 via ether9 (with both ethernet interfaces in the same bridge)
That is configured by the interface ports added to tagged= under /interface bridge vlan, so tagged=bridge,ether9,ether10 for both VLAN IDs 10 & 20, but tagged=bridge,ether10 for VLAN ID 30.
 
Myshob
just joined
Topic Author
Posts: 3
Joined: Tue Feb 23, 2021 1:40 pm

Re: Bridge VLANs on RB4011iGS+RM

Sun Feb 28, 2021 2:17 am

To convert a hybrid port to a trunk port, i.e. tagged only, add frame-types=admit-only-vlan-tagged ingress-filtering=yes to the bridge definition for the bridge-to-CPU port, or the interface ports under /interface bridge port for the other ports
Good to know.

That is configured by the interface ports added to tagged= under /interface bridge vlan, so tagged=bridge,ether9,ether10 for both VLAN IDs 10 & 20, but tagged=bridge,ether10 for VLAN ID 30.
Oh, I had everything under one entry in /interface bridge vlan (-‸ლ). I got confused by the fact that you can add multiple VLAN IDs under one entry. It makes much more sense now.

Thanks a lot for all the info, this is all I needed to know.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Bridge VLANs on RB4011iGS+RM

Sun Feb 28, 2021 2:49 am

I got confused by the fact that you can add multiple VLAN IDs under one entry. It makes much more sense now.
You can, and it is fine if you have a large collection of the same VLANs on several tagged interfaces. However, if you wish to have differing sets of VLANs on the interfaces you should create separate /interface bridge vlan entries as any VLAN ID can only exist in one entry.

There is also a warning in the documentation regarding having multiple VLAN IDs with trunk and access ports - "The vlan-ids parameter can be used to specify a set or range of VLANs, but specifying multiple VLANs in a single bridge VLAN table entry should only be used for ports that are trunk ports. In case multiple VLANs are specified for access ports, then tagged packets might get sent out as untagged packets through the wrong access port, regardless of the PVID value."
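Tying tdw's two replies above together, an added example (not posted by anyone in the thread) assuming ether9 and ether10 are both trunks on the same bridge, VLAN 30 must only leave via ether10, and ether2/ether3/ether4 are access ports for VLANs 10/20/30:

```routeros
# Constructed example: VLAN 30 is allowed on ether10 only; ether9 carries 10 and 20.

# Wrong: a single multi-VLAN entry can express only one tagged set, and listing
# access ports in it is exactly the documented case where tagged frames can
# egress untagged through the wrong access port.
# /interface bridge vlan
# add bridge=bridge vlan-ids=10,20,30 tagged=bridge,ether9,ether10 untagged=ether2,ether3,ether4

# Correct: a VLAN ID lives in exactly one entry, so differing tagged sets need
# separate entries; ether9 is simply absent from the VLAN 30 row.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether9,ether10 untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge,ether9,ether10 untagged=ether3
add bridge=bridge vlan-ids=30 tagged=bridge,ether10 untagged=ether4

# Make both trunks tagged-only so untagged frames (and VLAN IDs not in the table)
# are dropped at ingress instead of landing in the port's PVID VLAN.
/interface bridge port
set [find interface=ether9] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [find interface=ether10] frame-types=admit-only-vlan-tagged ingress-filtering=yes

# The same two settings on the bridge itself convert the implicit bridge-to-CPU
# port to a trunk; after this an IP address on "bridge" (untagged CPU traffic)
# is unreachable, which is why addresses live on the /interface vlan objects.
/interface bridge set bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Verify: dynamic (D) rows show the untagged memberships the PVIDs created,
# and ether9 must not appear anywhere in the VLAN 30 row.
/interface bridge vlan print
```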
