n1am
just joined
Topic Author
Posts: 16
Joined: Tue Nov 04, 2014 12:00 pm

Router becomes unreachable after adding VLAN on bridge

Tue Apr 25, 2017 5:48 pm

Hi guys,
I've got a strange problem on my routerboard.
Adding a VLAN on a bridge makes the router unreachable via L3 and L2. MAC telnet discovery works, but the connection fails.

This is the configuration of the 3011.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-LAN
set [ find default-name=ether2 ] master-port=ether1-LAN name=ether2-LAN-S
set [ find default-name=ether3 ] master-port=ether1-LAN name=ether3-LAN-S
set [ find default-name=ether4 ] master-port=ether1-LAN name=ether4-LAN-S
set [ find default-name=ether5 ] master-port=ether1-LAN name=ether5-LAN-S
/interface vlan
add interface=ether1-LAN name=vlan10-WIFI-PRIVATE vlan-id=10
/interface bridge
add name=bridge-LAN protocol-mode=none
/interface bridge port
add bridge=bridge-LAN interface=ether1-LAN
add bridge=bridge-LAN interface=vlan10-WIFI-PRIVATE #THE ISSUE IS HERE

As you can see from the configuration, the bridge uses the ether1 interface and vlan10 on ether1.
I tried to disable spanning tree on the routerboard and on the switch, but the issue persists.

Does anyone have any idea?
Thank You
 
BlackVS
Member Candidate
Posts: 174
Joined: Mon Feb 04, 2013 7:00 pm

Re: Router becomes unreachable after adding VLAN on bridge

Tue Apr 25, 2017 7:32 pm

Possibly you assigned an IP to interfaces in the bridge and are trying to access the router using them?
The correct way is to assign the IP to the bridge, not to interfaces in the bridge.
 
n1am
just joined
Topic Author
Posts: 16
Joined: Tue Nov 04, 2014 12:00 pm

Re: Router becomes unreachable after adding VLAN on bridge

Tue Apr 25, 2017 8:01 pm

Hi,
thank you for the reply.

The IP address is assigned to the bridge interface.
/ip address
add address=192.168.5.254/24 interface=bridge-LAN network=192.168.5.0
 
BlackVS
Member Candidate
Posts: 174
Joined: Mon Feb 04, 2013 7:00 pm

Re: Router becomes unreachable after adding VLAN on bridge

Tue Apr 25, 2017 8:18 pm

Post your full config here (except sensitive information, of course).
Another possibility: you have a default drop-all input rule in the firewall (but allow rules for the VLAN interface).
Inserting the VLAN interface into the bridge will cause the rules for that specific interface to be ignored in that case (because the interfaces become slaves; in the new Winbox they are even shown in red), and access to the router will be blocked by the default rule.
 
sid5632
Long time Member
Posts: 554
Joined: Fri Feb 17, 2017 6:05 pm

Re: Router becomes unreachable after adding VLAN on bridge

Tue Apr 25, 2017 8:36 pm

> I've got a strange problem on my routerboard.
> Adding a VLAN on a bridge makes the router unreachable via L3 and L2. Mac telnet discovery works, but connection fails.

What are you trying to do?
Seems like you've created some sort of loop ether1-bridge-vlan-ether1 so it's not surprising it doesn't do what you want.
 
n1am
just joined
Topic Author
Posts: 16
Joined: Tue Nov 04, 2014 12:00 pm

Re: Router becomes unreachable after adding VLAN on bridge

Tue Apr 25, 2017 9:15 pm

Hi,
I've got a series of Ubiquiti UniFi APs. These APs use a dedicated management network (vlan 8) and cast two SSIDs: one for hotspot users (traffic on vlan 100) and one for the private network.
The private network is on the default vlan (vlan 1).
I need to bridge the collision domain from the private SSID to the private network, and I need a vlan (in my case vlan10) to transport it to the routerboard. Otherwise the wireless client will be connected to the AP management network and not the private one.

This is a "lab experiment", not a production environment.

/interface bridge
add name=bridge-HS protocol-mode=none
add name=bridge-LAN protocol-mode=none
add name=bridge-UNIFI protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] name=ether1-LAN
set [ find default-name=ether2 ] master-port=ether1-LAN name=ether2-LAN-S
set [ find default-name=ether3 ] master-port=ether1-LAN name=ether3-LAN-S
set [ find default-name=ether4 ] master-port=ether1-LAN name=ether4-LAN-S
set [ find default-name=ether5 ] master-port=ether1-LAN name=ether5-LAN-S

/interface vlan
add interface=ether1-LAN name=vlan8-UNIFI vlan-id=8
add interface=ether1-LAN name=vlan10-WIFI-PRIVATE vlan-id=10
add interface=ether1-LAN name=vlan100-HS vlan-id=100

/ip pool
add name=pool-dhcp-UNIFI ranges=192.168.8.100-192.168.8.200
add name=pool-dhcp-HS ranges=192.168.100.100-192.168.100.200
add name=pool-dhcp-LAN ranges=192.168.5.100-192.168.5.200

/ip dhcp-server
add address-pool=pool-dhcp-LAN authoritative=yes disabled=no interface=\
    bridge-LAN lease-time=1h name=dhcp-LAN
add address-pool=pool-dhcp-UNIFI authoritative=yes disabled=no interface=\
    bridge-UNIFI name=dhcp-UNIFI

/interface bridge port
add bridge=bridge-LAN interface=ether1-LAN
add bridge=bridge-HS interface=vlan100-HS
add bridge=bridge-UNIFI interface=vlan8-UNIFI
add bridge=bridge-LAN disabled=yes interface=vlan10-WIFI-PRIVATE

/ip address
add address=192.168.5.254/24 interface=bridge-LAN network=192.168.5.0
add address=192.168.100.254/24 interface=bridge-HS network=192.168.100.0
add address=192.168.8.254/24 interface=bridge-UNIFI network=192.168.8.0

/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.5.254 gateway=192.168.5.254
add address=192.168.8.0/24 dns-server=192.168.8.254 gateway=192.168.8.254
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Router becomes unreachable after adding VLAN on bridge

Tue Apr 25, 2017 11:40 pm

n1am, thanks, it always helps us when we get the why behind the experiment.

Let's talk about VLANs from a RouterBoard perspective. We specify the VLAN ID when we use the VLAN interface command and only then. We also leverage bridges to perform loop prevention with technologies like RSTP and to be able to combine multiple ports. That said, let's focus on the bridges as the foundation of your VLANs even though we don't put the VLAN ID there.

/interface bridge add name=br1
/interface bridge add name=br8
/interface bridge add name=br10
/interface bridge add name=br100

Great, we have 4 bridges. These represent the separate broadcast domains I desire: br1 for VLAN1, br8 for VLAN8, br10 for VLAN10 and br100 for VLAN100. Now how do we make these stinkers work? Bridge ports. We'll want to add ports to our bridges. What ports, say you? We can add physical interfaces like Ethernet interfaces for untagged (native VLAN) traffic. We can add VLAN interfaces for tagged traffic.

So, my router has 4 Ethernet interfaces. I've named them eth1, eth2, eth3 and eth4.

eth1, is plugged into a computer that needs to be untagged for VLAN1
eth2, is plugged into a UniFi AP that needs untagged VLAN1, tagged VLAN8 and tagged VLAN100

How do we make it so? Tagged ports need to be VLAN interfaces, those VLAN interfaces need to be added to the respective bridge, and the Ethernet interfaces where we want untagged traffic to go have to be on the Ethernet interface directly.

/interface bridge port add bridge=br1 interface=eth1
/interface vlan add name=eth2-vlan8 vlan-id=8 interface=eth2
/interface vlan add name=eth2-vlan100 vlan-id=100 interface=eth2
/interface bridge port add bridge=br1 interface=eth2
/interface bridge port add bridge=br8 interface=eth2-vlan8
/interface bridge port add bridge=br100 interface=eth2-vlan100

> I've got a series of Ubiquiti UniFi AP. These AP use a dedicated management network (vlan 8 ) and cast two SSID: one for hotspot users (traffic on vlan 100) and one for private network.
> The private network is on the default vlan (vlan 1).
> I need to bridge the collision domain from the private SSID to the private network, and I need a vlan (in my case vlan10) to transport to the routerboard. Otherwise the wireless client will be connected to the AP management network and not the private.

^^ You're confusing me here, but after you've read the above post, if you still have questions we can sort it out. What's confusing is: what purpose does VLAN10 serve?
 
BlackVS
Member Candidate
Posts: 174
Joined: Mon Feb 04, 2013 7:00 pm

Re: Router becomes unreachable after adding VLAN on bridge

Wed Apr 26, 2017 7:11 am

As idlemind wrote, you created a loop.
This is because ether1-LAN acts here as a trunk, i.e. it catches all packets, including VLAN-tagged ones.
After that they are untagged and sent to the VLANs (because the VLAN is in the bridge), then via the VLAN they go to the bridge and again to the trunk, and go-go-go-go... again %) until they die %)
You can easily check this by running Torch on this interface with the "VLAN id" option set on.

In my office I have UniFi APs too.
But I did it differently: I have a separate interface on the router dedicated only to WiFi. Call it ether5-wifi.
Different SSIDs (in my case "public" and "private") have their own VLAN ids (set in UniFi).
The same VLANs are created on ether5-wifi.
The management and work segments are on different interfaces too.
In that case I can easily control access from WiFi to the network using MikroTik's firewall (sure, some control can be done using UniFi features too).
In that case, if you need an L2-level connection, just bridge the "private" WiFi with the corresponding ether interface (but not with ether5-wifi!).
But don't forget to assign the IP to the bridge %) first.
In that case you will not have a loop.
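
The two failure modes raised in this thread (a VLAN interface bridged together with its own parent port, and an input rule keyed on an interface that has become a bridge port) can be checked offline against a RouterOS export. The following is an added example, not code from any poster: `parse_export` and `audit` are hypothetical helper names, the sample is a constructed, trimmed version of the thread's configuration with the disabled bridge port switched on, and the firewall rules in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's export; the firewall section
# is invented for illustration and was not posted by anyone in the thread.
SAMPLE_EXPORT = """\
/interface vlan
add interface=ether1-LAN name=vlan8-UNIFI vlan-id=8
add interface=ether1-LAN name=vlan10-WIFI-PRIVATE vlan-id=10
add interface=ether1-LAN name=vlan100-HS vlan-id=100
/interface bridge port
add bridge=bridge-LAN interface=ether1-LAN
add bridge=bridge-HS interface=vlan100-HS
add bridge=bridge-UNIFI interface=vlan8-UNIFI
add bridge=bridge-LAN interface=vlan10-WIFI-PRIVATE
/ip firewall filter
add action=accept chain=input in-interface=vlan10-WIFI-PRIVATE
add action=drop chain=input
"""

def parse_export(text):
    """Group 'add' lines by menu path; each line becomes a key=value dict."""
    sections, path = defaultdict(list), None
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            # Simplification: values containing spaces (quoted) are not handled.
            sections[path].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def audit(text):
    cfg = parse_export(text)
    parent = {v["name"]: v["interface"] for v in cfg["/interface vlan"]}
    ports = {p["interface"]: p["bridge"] for p in cfg["/interface bridge port"]
             if p.get("disabled") != "yes"}
    findings = []
    for vlan, phys in parent.items():
        # Loop: a tagged sub-interface and its parent port in the same bridge.
        if vlan in ports and ports.get(phys) == ports[vlan]:
            findings.append(("loop", vlan, phys, ports[vlan]))
    for rule in cfg["/ip firewall filter"]:
        # Input rule keyed on an interface that is now a bridge port.
        iface = rule.get("in-interface")
        if iface in ports:
            findings.append(("slave-rule", iface, ports[iface]))
    return findings
```

Running `audit(SAMPLE_EXPORT)` reports one loop and one rule bound to a bridge port; with the port left at `disabled=yes`, as in n1am's posted export, both findings disappear.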
 
n1am
just joined
Topic Author
Posts: 16
Joined: Tue Nov 04, 2014 12:00 pm

Re: Router becomes unreachable after adding VLAN on bridge

Wed Apr 26, 2017 5:54 pm

Thank you idlemind and BlackVS,
as you said, I created a loop in the bridge... silly me.

Below is the net diagram of my little "lab" setup.

All this madness starts with the fact that you can't set VLAN 1 on an SSID in the UniFi platform, see here.

A possible solution is to change the VLAN for the private network from VLAN 1 to VLAN 10. In this case the private SSID will be on VLAN 10 and everything will work. Another solution is to use a separate interface only for wireless, as suggested by BlackVS.
 
sunshuvo
just joined
Posts: 4
Joined: Wed Aug 09, 2017 7:34 am

Re: Router becomes unreachable after adding VLAN on bridge

Wed Aug 09, 2017 7:39 am

Hi N1am,

Did you find any solution for your issues? I also face the same problem. If you find any solution please share with me...