Airell
just joined
Topic Author
Posts: 8
Joined: Fri Mar 25, 2016 3:40 pm

Two subinterfaces in a bridge not working?

Thu Feb 08, 2018 12:41 pm

Dear all,

I'm trying to set up what seems to be a fairly simple first setup of working with VLANs.
My router (RB850Gx2) has been happily serving untagged traffic on eth3,4,5, which have been upgraded to a bridge created from the master port after upgrading to 6.41. Using the 192.168.48.0/24 range with DHCP, no problems at all.

Now I want to start 'migrating' PCs, servers, IoT, guest machines and wifi SSIDs to different VLANs with different subnets, where the IP's third octet will correspond with the VLAN number to keep it simple.

There are several implementation examples to find with VLANs and bridges, and wikis are being rewritten to reflect the new bridge setup. Unfortunately I cannot find a suitable example which will help me; the closest one seems to be https://wiki.mikrotik.com/wiki/Manual:I ... d_Ports.29 .

A friend of mine had his router (an RB3011) already set up with bridges before the 'switch-to-bridge' changes and it all seemed clear to me. After the 6.41 update his setup kept on working, but for me unfortunately something breaks when I try to set up something like he did. He has a bridge-per-VLAN implementation, where VLAN sub-interfaces are added to the bridge. My idea was to implement this as well, but I'm not sure if this is the way to go now with the new 6.41 implementation of a 'single bridge' and vlan-filtering.

This is in place now, which works fine. I don't have any switch settings (VLAN-Mode=disabled):
/interface bridge
add name=br-untgd-48 comment="created from master port"

/interface bridge port
add bridge=br-untgd-48 interface=eth3
add bridge=br-untgd-48 interface=eth4
add bridge=br-untgd-48 interface=eth5

/ip address
add address=192.168.48.1/24 network=192.168.48.0 interface=br-untgd-48 comment=studio48

/ip dhcp-server
add add-arp=yes address-pool=dhcp-pool-48 interface=br-untgd-48 name=dhcp-48

/ip dhcp-server network
add address=192.168.48.0/24 gateway=192.168.48.1 netmask=24 dns-server=192.168.48.1 comment=studio48
Now I want to use VLANs and add this to my configuration, and later more bridges for different VLANs:
/interface vlan
add interface=eth4 name=eth4-vlan76 vlan-id=76 comment="tagged 76 from wifi"
add interface=eth5 name=eth5-vlan76 vlan-id=76 comment="tagged 76 from vm's"

/interface bridge
add name=br-client-76

/interface bridge port
add bridge=br-client-76 disabled=yes interface=eth4-vlan76
add bridge=br-client-76 interface=eth5-vlan76

/ip address
add address=192.168.76.1/24 network=192.168.76.0 interface=br-client-76 comment=client

/ip dhcp-server
add add-arp=yes address-pool=dhcp-pool-76 interface=br-client-76 name=dhcp-76

/ip dhcp-server network
add address=192.168.76.0/24 gateway=192.168.76.1 netmask=24 dns-server=192.168.76.1 comment=client
I hope it's clear what I'm trying to do. Now some might have noticed bridge port 'eth4-vlan76' is disabled, but that's because the issue starts there.

With this disabled I'm able to send tagged traffic to the router, can torch it and see vlan 76 coming in on interface eth5, and it's handed over to 'eth5-vlan76'. The test machine gets an IP from DHCP (192.168.76.98), but a static address will also work. I can ping the gateway (192.168.76.1) and go online, and without having set up vlan-filtering and/or firewall rules I can reach the machine from the 'untagged' 192.168.48.xxx network.

Now when I enable the bridge port 'eth4-vlan76' and I restart the network on the '.76.98' machine (systemctl restart network), 'everything' breaks. It does get an IP from the DHCP server (I can see the lease time being reset), but it cannot ping the gateway any more and it's not reachable anymore from the machines on the '.48.xxx' network, which all did work before adding bridge port 'eth4-vlan76'.

In less than a second after I disable bridge port 'eth4-vlan76' from the GUI, 'everything' starts working again like before the network restart.

This scenario also works when eth4-vlan76 is enabled and eth5-vlan76 is disabled. A (WiFi) machine gets an IP from 'eth4-vlan76' (tagged on the AP) but stops working as soon as bridge port 'eth5-vlan76' is enabled.

Is it not possible to have two VLAN sub-interfaces in a bridge in a setup like this? What am I doing wrong here or should there be a totally different approach?

Kind regards, Airell.
 
sindy
Forum Guru
Posts: 5514
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two subinterfaces in a bridge not working?  [SOLVED]

Thu Feb 08, 2018 10:59 pm

With or without single bridge configuration, I'm afraid you cannot (maybe this is new since 6.41?) make a single ethernet interface a slave of several other interfaces simultaneously, which is what you attempt to do - you make e.g. ether4 a member interface of bridge br-untgd-48 and at the same time a carrier interface for interface eth4-vlan76.

So use a single bridge,
/interface bridge add name=the-only-brg
Create a VLAN type interface for each VLAN for which you want an IP address to be up on your Mikrotik. Indicate the single bridge as the carrier interface of all these VLAN interfaces.
/interface vlan
add interface=the-only-brg name=vlan-48 vlan-id=48
add interface=the-only-brg name=vlan-76 vlan-id=76
Define all member ethernet interfaces of the bridge and if any of them should be an access (untagged) port to some VLAN, set its PVID accordingly:
/interface bridge port
add bridge=the-only-brg disabled=no interface=ether3 pvid=48
add bridge=the-only-brg disabled=no interface=ether4 pvid=48
add bridge=the-only-brg disabled=no interface=ether5 pvid=48
Attach IP addresses and DHCP servers to the VLAN interfaces:
/ip address
add address=192.168.48.1/24 network=192.168.48.0 interface=vlan-48 comment=studio48
add address=192.168.76.1/24 network=192.168.76.0 interface=vlan-76 comment=client

/ip dhcp-server
add add-arp=yes address-pool=dhcp-pool-48 interface=vlan-48 name=dhcp-48
add add-arp=yes address-pool=dhcp-pool-76 interface=vlan-76 name=dhcp-76
The above should be enough for vlan-filtering=no in the the-only-brg configuration.

To enable vlan-filtering (and thus unlock MSTP), you have to define the mapping of VLANs to individual ports of the bridge - for each list of VLANs which share the same topology, define on which interfaces those VLAN(s) should be permitted and whether they should be untagged on egress.
/interface bridge vlan
add bridge=the-only-brg disabled=no tagged=the-only-brg,vlan-48 untagged=ether3,ether4,ether5 vlan-ids=48
add bridge=the-only-brg disabled=no tagged=the-only-brg,ether4,ether5,vlan-76 untagged="" vlan-ids=76
Note that the bridge must be indicated as a tagged member of itself (or at least it was true in 6.41) if you want to have a VLAN type interface or WLAN connected to that VLAN.
Once the bridge vlan mapping is configured, you can permit vlan filtering:
/interface bridge
set [find where name=the-only-brg] vlan-filtering=yes
There will be extra fun with WLANs, so come back once the above starts working for you.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
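As an added example (not from the thread or from MikroTik): a small Python checker for the three consistency rules the answer above relies on before you flip vlan-filtering=yes: every access port's pvid needs a matching untagged entry, the bridge itself must be a tagged member for any VLAN interface riding on it, and no port may be both tagged and untagged for the same VLAN. It assumes the export syntax shown in the thread; the sample config is the single-bridge layout proposed above, re-typed as constructed test input.

```python
import re

# Constructed sample in RouterOS export syntax: the single-bridge layout proposed in the
# thread, re-typed here as test input (not an export taken from the poster's router).
CONFIG = """
/interface vlan
add interface=the-only-brg name=vlan-48 vlan-id=48
add interface=the-only-brg name=vlan-76 vlan-id=76
/interface bridge port
add bridge=the-only-brg disabled=no interface=ether3 pvid=48
add bridge=the-only-brg disabled=no interface=ether4 pvid=48
add bridge=the-only-brg disabled=no interface=ether5 pvid=48
/interface bridge vlan
add bridge=the-only-brg disabled=no tagged=the-only-brg,vlan-48 untagged=ether3,ether4,ether5 vlan-ids=48
add bridge=the-only-brg disabled=no tagged=the-only-brg,ether4,ether5,vlan-76 untagged="" vlan-ids=76
"""

def parse_export(text):
    """Group 'add ...' lines under their '/menu path' header: {menu: [{param: value}]}."""
    menus, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)
            menus[current].append({k: v.strip('"') for k, v in pairs})
    return menus

def members(csv):
    """Split a tagged=/untagged= list; an empty string means no members."""
    return {m for m in csv.split(",") if m}

def check_bridge_vlans(text):
    """Return the problems that would surface once vlan-filtering=yes is enabled."""
    cfg = parse_export(text)
    table = {}  # vlan-id -> (tagged members, untagged members)
    for e in cfg.get("/interface bridge vlan", []):
        for vid in e["vlan-ids"].split(","):
            tagged, untagged = table.setdefault(vid, (set(), set()))
            tagged.update(members(e.get("tagged", "")))
            untagged.update(members(e.get("untagged", "")))
    problems = []
    for vid, (tagged, untagged) in table.items():
        for port in tagged & untagged:
            problems.append(f"{port} is both tagged and untagged for VLAN {vid}")
    ports = cfg.get("/interface bridge port", [])
    for p in ports:  # untagged ingress on a port is dropped unless its pvid has an untagged entry
        pvid = p.get("pvid", "1")  # RouterOS default pvid is 1
        if p["interface"] not in table.get(pvid, (set(), set()))[1]:
            problems.append(f"{p['interface']} has pvid={pvid} but is not untagged for VLAN {pvid}")
    bridges = {p["bridge"] for p in ports}
    for v in cfg.get("/interface vlan", []):  # bridge must be tagged for VLANs it carries itself
        if v["interface"] in bridges and v["interface"] not in table.get(v["vlan-id"], (set(), set()))[0]:
            problems.append(f"{v['interface']} is not a tagged member of VLAN {v['vlan-id']} needed by {v['name']}")
    return problems
```

Run it on the output of /export before enabling vlan-filtering; an empty list means the mapping matches what the ports and VLAN interfaces expect.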
 
Airell
just joined
Topic Author
Posts: 8
Joined: Fri Mar 25, 2016 3:40 pm

Re: Two subinterfaces in a bridge not working?

Sat Feb 10, 2018 11:55 am

Hi Sindy,

Thank you for your answer!
I have (for a start) added vlan-76 / ether3 to 'the-only-brg' (see config below) and kept my ether4 and ether5 assigned to 'br-untgd-48'.
It works, so I'm happy to have a starting config towards the new single bridge solution :)
In the past I have locked myself out a couple of times, so I'm careful not to touch the other bridge yet as long as I don't have to.

Getting to understand the '/interface bridge vlan' part, is the following correct, because that was the part confusing me most:
- vlan-48 is allowed on the bridge and will be untagged on egress on ether3,ether4,ether5
- vlan-76,ether4,ether5 is allowed on the bridge and nothing will be untagged (setting vlan-ids=76 not necessary?)

Should I check MSTP in the bridge now? I need to get into the protocol difference of spanning tree to understand the differences.
The pvid is not set at bridge level? If I did that, it would mean any untagged traffic getting into the bridge will belong to that subnet, but then something else would be misconfigured if that happens.

What kind of extra fun with WLAN do you mean? My WLAN will come tagged (76 and 27) and untagged (48) into ether4. I will try to get that working with your reply.

Thanks again, Airell.

/interface bridge
add name=the-only-brg

/interface vlan
add interface=the-only-brg name=vlan-76 vlan-id=76

# ether3, access port to vlan-76
/interface bridge port
add bridge=the-only-brg disabled=no interface=ether3 pvid=76

/ip address
add address=192.168.76.1/24 network=192.168.76.0 interface=vlan-76 comment=client

/ip pool
add name=dhcp-pool-76 ranges=192.168.76.10-192.168.76.99

/ip dhcp-server
add add-arp=yes address-pool=dhcp-pool-76 interface=vlan-76 name=dhcp-76

# vlan-76 permitted on bridge and traffic from ether3 will be untagged on egress
/interface bridge vlan
add bridge=the-only-brg disabled=no tagged=the-only-brg,vlan-76 untagged=ether3 vlan-ids=76
 
sindy
Forum Guru
Posts: 5514
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two subinterfaces in a bridge not working?

Sat Feb 10, 2018 1:26 pm

In the past I have locked myself out a couple of times, so I'm careful not to touch the other bridge yet as long as I don't have to.
Hint 1: use safe mode (Ctrl-X in command line mode toggles it) whenever you make changes which may cut you off.
Hint 2: backup working intermittent configurations into files. When you restore default configuration, no files are removed, so you can restore the last working configuration from the backup file.

Getting to understand the '/interface bridge vlan' part, is the following correct, because that was the part confusing me most:
  • vlan-48 is allowed on the bridge and will be untagged if egress on ether3,ether4,ether5
Correct.
  • vlan-76,ether4,ether5 is allowed on the bridge and nothing will be untagged (setting vlan-ids=76 not necessary?)
General purpose info: Mikrotik lists item parameters in alphabetical order no matter whether their values are used to match something or to set something.
In particular, vlan-ids=76 indicates for which VLANs the mapping is applicable. Whether frames will be untagged on egress or not is determined by placing the interface to the untagged or tagged list, respectively. So vlan-ids is a mandatory parameter of each "/interface bridge vlan" item.

Should I check MSTP in the bridge now? I need to get into the protocol difference of spanning tree to understand the differences.
The difference is that with MSTP (M=multiple), you can maintain an individual spanning tree for each of several groups of VLANs, while all VLANs in the same group must have identical topology in your whole network. At each bridge you map a group of VLANs to a MSTP "instance", and the BPDUs carry individual information for each instance between the bridges.

There is no point in switching over to MSTP on a single machine if none of its neighbours supports it. On the border of an MSTP-enabled network island, MSTP behaves as a plain RSTP.

The pvid is not set at bridge level? If I do that would mean any untagged traffic getting into the bridge will belong that subnet, but then something else would be misconfigured if that happens.
Cannot answer as I haven't found out yet how pvid at bridge level works.

What kind of extra fun with WLAN do you mean? My WLAN will come tagged (76 and 27) and untagged (48) into ether4.
As your WLANs are external to the RouterBoard you're twisting here, there will be no extra fun :-)
 
Airell
just joined
Topic Author
Posts: 8
Joined: Fri Mar 25, 2016 3:40 pm

Re: Two subinterfaces in a bridge not working?

Mon Feb 12, 2018 12:21 pm

Hint 1: yes, I should use that one more often.
Hint 2: I have a daily backup job saving the config in timestamped files, but still it's hard to get back on it. I haven't figured out how to run a default script after a hard reset (if possible).

Thanks for all the help!

Cheers. Airell.
 
sindy
Forum Guru
Posts: 5514
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two subinterfaces in a bridge not working?

Mon Feb 12, 2018 12:43 pm

I haven't figured out how to run a default script after a hard reset (if possible).
If you use the "backup" functionality, you can use a "restore" without any problems to replace any existing configuration by the one from the backup file.

If you use "export", you can read the result, but the documentation provides no instruction on how to clear the existing configuration so that e.g. duplicate "add" commands would not fail because the object already exists. So it requires an export of the current configuration, a diff to the saved one, and replacing some "add"s with "set"s.
