RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

VLAN, Trunk and access port help requested with 6.41 changes

Fri Jun 08, 2018 9:26 pm

Hi,

First I would like to say thank you to the following members, in no particular order: @sindy @CZFan and @acrul. I have read through your many posts and am grateful for what I have gleaned.

But - I have been really struggling this week trying to get this sorted. I am hoping someone can set me straight. I am interested in making this work with RBX011 routers. I am going to start out general and get specific, and end by posting my test config in an effort to help others. I will have different managed switches downstream - Unifi, netronix, cisco, etc... So, to speak conceptually -

General - I would like a setup with 2 trunk ports that carry multiple VLANs as a trunk. Let's say V100, V200 and V300, each with corresponding IP, DNS, DHCP, etc... and filtered in the firewall using an address list.

RB3011 connections
ether1 - WAN
ether2 - Trunk 1 (V100, V200, V300)
ether3 - Trunk 2 (V100, V200, V300)
ether4 - access port vlan 100
ether5 - access port vlan 200

In the past, when I needed only one trunk port, it was much easier, as I could run the VLANs on the trunk interface (ether2) and create a bridge to tie each VLAN together with any access port needed (VLAN100 > ether4). I set up the IP address and DHCP on the VLAN and it works fine. Pretty standard way to do it, I believe - at the very least it worked.

Now I would like 2 trunk ports, using 6.41 and beyond. I have looked at several posts, including sindy's #8 below:
viewtopic.php?f=2&t=133909&p=659104#p659104

I could make the 1st approach work by essentially creating a bridge for each vlan. I assume this is all CPU driven.

I then tried his 2nd example, making one bridge and using VLAN filtering (enabled) on the bridge. I could not get tags to pass on ether1 or ether3. I believe the access port worked, however. This scenario makes the most sense to me because I can specify what is tagged and untagged by interface. Something like this, with ether2-5 on "my-bridge":
[Attachment: Capture.PNG, screenshot of the Bridge/VLANs tab]
The Bridge/VLANs tab indicates they are "current tagged" - but the VLAN tags are not on the wire as in Option 1. It makes sense that it should work as it says "tagged", but I must be missing something.

This one from CZFan looked promising but did not work for me either. It is a bit different, assigning a PVID to the bridge port, and made sense, but did not work.
viewtopic.php?t=131079

Then I see others using the VLAN configuration in the switch menu. I have not had good success with this approach. For example:
viewtopic.php?f=2&t=82414&p=663097&hili ... ts#p663097

Can someone help me make sense of this? I am confused as to what role the bridge/vlan should play vs. the switch settings. It appears that you can use some of both to get this done, but it is lost on me. I am also a bit unclear as to what the performance ramifications of either approach are.

Is the bridge approach a better option?
- create one bridge
- run the VLANs on the bridge
- add ports to the bridge
- use the vlan tab to create trunk and access ports
- set IP addresses and DHCP on the VLANs.
- what role should bridge or port PVID play?

Thanks in advance for any and all help. I am upset with myself that I cannot get my head around it. I can get access ports up and running, but I cannot create multiple trunk ports - ugh. I hope this post will help others if they are in the same spot as me.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN, Trunk and access port help requested with 6.41 changes

Fri Jun 08, 2018 10:44 pm

Please paste here the output of /export hide-sensitive after obfuscating the public IP addresses you don't want to publish, with the two trunk ports configured the way you think they should be using the common-bridge-for-all-VLANs method.

QCA8337 must work even with hybrid ports when using hardware tagging/untagging, so plain trunk ports with software vlan filtering should not be an issue.

P.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: VLAN, Trunk and access port help requested with 6.41 changes

Fri Jun 08, 2018 11:07 pm

Thanks for responding. I will have to build it from your option 2 and will post back.
 
samsung172
Forum Guru
Posts: 1191
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: VLAN, Trunk and access port help requested with 6.41 changes

Fri Jun 08, 2018 11:13 pm

It's easy to trunk 2 ports in MikroTik. Just bridge 'em... If you need traffic from one of the VLANs inside the trunk, add the VLAN to the bridge interface.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: VLAN, Trunk and access port help requested with 6.41 changes

Fri Jun 08, 2018 11:21 pm

Here is the config - note the default config was left in place to keep it simple so I could connect.
# jun/08/2018 15:16:55 by RouterOS 6.42.3
# software id = 
#
# model = 2011UiAS

/interface bridge
add admin-mac=64:D1:54:1E:B4:AE auto-mac=no comment=defconf name=bridge
add fast-forward=no name=my-bridge vlan-filtering=yes
/interface vlan
add interface=my-bridge name=vlan100 vlan-id=100
add interface=my-bridge name=vlan200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=v100 ranges=192.168.100.10-192.168.100.254
add name=v200 ranges=192.168.200.10-192.168.200.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=v100 disabled=no interface=vlan100 name=V100
add address-pool=v200 disabled=no interface=vlan200 name=V200
/interface bridge port
add bridge=bridge comment=defconf interface=ether9
add bridge=my-bridge interface=ether2
add bridge=my-bridge interface=ether3
add bridge=my-bridge interface=ether4
add bridge=my-bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=my-bridge tagged=my-bridge,ether2,ether3 untagged=ether4 vlan-ids=100
add bridge=my-bridge tagged=my-bridge,ether2,ether3 untagged=ether5 vlan-ids=200
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.200.1/24 interface=vlan200 network=192.168.200.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=...defcon gateway=192.168.88.1
add address=192.168.100.0/24 comment=V100 gateway=192.168.100.1
add address=192.168.200.0/24 comment=V200 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Chicago
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks again.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN, Trunk and access port help requested with 6.41 changes

Fri Jun 08, 2018 11:41 pm

The only mistake I can spot is that under /interface bridge port, you haven't set the pvid for the access ports ether4 and ether5.

So you have to add the pvid parameter to these lines in accord with the rules under /interface bridge vlan:

/interface bridge port
set [find interface=ether4] pvid=100
set [find interface=ether5] pvid=200


The point is that /interface bridge vlan only defines filtering, but the pvid, which has to be untagged on egress and tagged on ingress, must be configured under /interface bridge port.

If tagged packets do not pass between ether2 and ether3 with this configuration, I believe the issue is not the Mikrotik configuration but something else.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: VLAN, Trunk and access port help requested with 6.41 changes

Sat Jun 09, 2018 12:33 am

> The only mistake I can spot is that under /interface bridge port, you haven't set the pvid for the access ports ether4 and ether5.
>
> So you have to add the pvid parameter to these lines in accord with the rules under /interface bridge vlan:
>
> /interface bridge port
> set [find interface=ether4] pvid=100
> set [find interface=ether5] pvid=200
>
> The point is that /interface bridge vlan only defines filtering, but the pvid, which has to be untagged on egress and tagged on ingress, must be configured under /interface bridge port.
>
> If tagged packets do not pass between ether2 and ether3 with this configuration, I believe the issue is not the Mikrotik configuration but something else.

Yes - I missed that in my haste, thank you for catching it. I still do not get either VLAN tag 100 or 200 on ether2 or ether3. So the access port part of this works great and is intuitive to me.

Not sure I understand your last sentence. I am trying to have VLAN 100 and 200 present (egress?) on ether2 and ether3 to pass tagged to a downstream switch. The tags simply aren't there. I can confirm this with a test downstream switch and a Netool.io scan device. When I use your option 1 from the first link that defines a bridge for each VLAN, it works correctly and the tags pass.

Any other ideas? I tried adding VLAN100 and VLAN200 to the bridge and to the tagged interfaces under the bridge/vlan tab, but same result. I know if I put the VLAN on an interface it will work. On the bridge it does not seem to. Thanks for your help. I will keep working at it - this is where I am stuck.

Also - I assume this does not use any of the HW offload and is lower performance? Is the switch/vlan a better place to try and do this?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN, Trunk and access port help requested with 6.41 changes

Sat Jun 09, 2018 9:56 am

> Not sure I understand your last sentence. I am trying to have VLAN 100 and 200 present (egress?) on ether2 and ether3 to pass tagged to a downstream switch. The tags simply aren't there. I can confirm this with a test downstream switch and a Netool.io scan device. When I use your option 1 from the first link that defines a bridge for each VLAN, it works correctly and the tags pass.

So what you say is that if you ping from the local IP address 192.168.100.1 assigned to interface=vlan100 to some other address in VLAN 100, i.e. in the 192.168.100.0/24 subnet, you can see the ARP requests for that other address coming from 192.168.100.1 as tagless on ether2 and/or ether3 when you use the "one bridge all vlans" configuration, but you can see them tagged when using the "one bridge per vlan" configuration?

That is very strange to put it softly. I admit I haven't tested that on 6.42.3 but I did on previous "current" versions and it works properly there.

> Also - I assume this does not use any of the HW offload and is lower performance? Is the switch/vlan a better place to try and do this?

Well, that's a topic where I miss some bits. In general on devices with 8337/8237/8227 switch chips, switching vlan-filtering to yes on bridges disables the hw-offload (forwarding of frames by the switch chip itself). The reason is that all the tagging and untagging has to be done in software because these switch chips are not sophisticated enough to distinguish STP frames from other tagless frames and treat them differently. So yes, with vlan-filtering=yes on a bridge, even when a frame is forwarded between two Ethernet interfaces of the same switch chip, it goes via the CPU, so the total bridging throughput is limited. In this mode, the frames are left unchanged on the switch, except that a proprietary tag is added to indicate the port ID on ingress to inform the CPU about the ingress port, and the CPU uses the same proprietary tag to address the egress port when sending the frames out.

When you disable vlan-filtering, set protocol=none and hw-offload=yes for that bridge alone, you can configure the switch chip to do tagging/untagging and vlan filtering on the member ports of that bridge, but I'm not sure how exactly the frame exchange with the CPU looks in that case. Nevertheless, if you make the CPU port of the switch chip a member of all VLANs you want to create /interface vlan for and keep the /interface bridge port configuration unchanged as if the switch chip was not doing any filtering, the switch chip forwards frames directly between the ports and does the vlan filtering.

So the switch chip configuration would look something like
/interface ethernet switch port
set [find name=ether2] default-vlan-id=1 vlan-mode=secure
set [find name=ether3] default-vlan-id=1 vlan-mode=secure
set [find name=ether4] default-vlan-id=100 vlan-mode=secure
set [find name=ether5] default-vlan-id=200 vlan-mode=secure

/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=100
add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=200
On my-bridge, you must set hw-offload to yes and vlan-filtering to no to make this work; the /interface bridge ports configuration must remain unchanged, the /interface bridge vlan configuration may be kept unchanged but its items related to bridges with vlan-filtering=no are ignored.

One remark here, you've mentioned 3011 but your configuration export reveals you actually use a 2011, where the second switch chip (ether6-ether10) is an 8227, and that one doesn't support hybrid ports so the configuration for /interface ethernet switch port looks slightly different depending on whether you want the port to be a trunk one or an access one. Another difference is that the 8227 does not support independent learning of vlans (so if the same MAC address is accessible via different ports for different VLANs, the chip won't cope with it).
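As an added example (my own code, not from this thread, MikroTik, or RouterOS), here is a small Python audit that applies both of sindy's points: the pvid rule from his earlier reply (a port listed as untagged for a VLAN under /interface bridge vlan must carry that VLAN as its pvid under /interface bridge port, otherwise untagged frames it receives land in the default pvid 1) and the conditions for the switch-chip variant above (the bridge must have vlan-filtering=no, switch1-cpu must be a member of every VLAN that has an /interface vlan, member ports should be in vlan-mode=secure as in the post, and an access port's default-vlan-id must be a VLAN it belongs to). The two sample exports are constructed from the configs posted in this thread and are not the original files; the parser only understands the add/set line shapes shown, and the RouterOS defaults of pvid=1 and default-vlan-id=1 are assumed. Run against the posted config it reports the two missing pvid lines; with sindy's fix appended it reports nothing.

```python
import re
from collections import defaultdict

# Constructed samples, not the original export: BRIDGE_ONLY is the software
# filtering config from the thread minus the pvid lines sindy found missing;
# SWITCH_CHIP is his hardware variant with filtering moved to the switch chip.
BRIDGE_ONLY = """\
/interface bridge
add name=my-bridge vlan-filtering=yes
/interface vlan
add interface=my-bridge name=vlan100 vlan-id=100
add interface=my-bridge name=vlan200 vlan-id=200
/interface bridge port
add bridge=my-bridge interface=ether2
add bridge=my-bridge interface=ether3
add bridge=my-bridge interface=ether4
add bridge=my-bridge interface=ether5
/interface bridge vlan
add bridge=my-bridge tagged=my-bridge,ether2,ether3 untagged=ether4 vlan-ids=100
add bridge=my-bridge tagged=my-bridge,ether2,ether3 untagged=ether5 vlan-ids=200
"""
SWITCH_CHIP = BRIDGE_ONLY.replace("vlan-filtering=yes", "vlan-filtering=no") + """\
/interface ethernet switch port
set [find name=ether2] default-vlan-id=1 vlan-mode=secure
set [find name=ether3] default-vlan-id=1 vlan-mode=secure
set [find name=ether4] default-vlan-id=100 vlan-mode=secure
set [find name=ether5] default-vlan-id=200 vlan-mode=secure
/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=100
add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=200
"""
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_sections(export):
    """Group add/set lines of an export by menu path, keeping file order."""
    sections, path = defaultdict(list), None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line[:3] in ("add", "set"):
            # "set [find name=ether2] ..." keeps name=ether2 as an ordinary key
            sections[path].append({k: v.strip('"]') for k, v in KV_RE.findall(line)})
    return sections

def expand_vlan_ids(spec):
    """RouterOS vlan-ids syntax: '100,200-202' -> {100, 200, 201, 202}."""
    vids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids

def audit_bridge_vlans(export):
    """Software path: a port untagged in a VLAN must carry that VLAN as pvid."""
    s = parse_sections(export)
    filtering = {b["name"] for b in s["/interface bridge"] if b.get("vlan-filtering") == "yes"}
    pvid = {}  # port -> pvid; RouterOS default is 1, later lines override earlier ones
    for p in s["/interface bridge port"]:
        if "interface" in p:
            pvid[p["interface"]] = int(p.get("pvid", pvid.get(p["interface"], 1)))
    findings, untagged_in = [], defaultdict(set)
    for rule in s["/interface bridge vlan"]:
        if rule.get("bridge") not in filtering:  # ignored when vlan-filtering=no
            continue
        for vid in expand_vlan_ids(rule.get("vlan-ids", "")):
            for port in filter(None, rule.get("untagged", "").split(",")):
                untagged_in[port].add(vid)
                if pvid.get(port, vid) != vid:
                    findings.append(f"{port}: untagged in VLAN {vid} but pvid is {pvid[port]}; "
                                    f"set pvid={vid} under /interface bridge port")
    for port, vid in pvid.items():
        if vid != 1 and vid not in untagged_in[port]:
            findings.append(f"{port}: pvid {vid} has no untagged entry under /interface bridge vlan")
    return findings

def audit_switch_chip(export, cpu_port="switch1-cpu"):
    """Hardware path: no bridge filtering, CPU port in every routed VLAN,
    members in secure mode, access-port default-vlan-id inside its VLAN."""
    s, findings = parse_sections(export), []
    for b in s["/interface bridge"]:
        if b.get("vlan-filtering") == "yes":
            findings.append(f"{b['name']}: vlan-filtering=yes forces forwarding via the CPU")
    members = defaultdict(set)  # vlan-id -> switch ports
    for v in s["/interface ethernet switch vlan"]:
        members[int(v["vlan-id"])] = set(v["ports"].split(","))
    for iv in s["/interface vlan"]:
        if cpu_port not in members[int(iv["vlan-id"])]:
            findings.append(f"{iv['name']}: {cpu_port} is not a member of VLAN {iv['vlan-id']}")
    port_cfg = {p["name"]: p for p in s["/interface ethernet switch port"] if "name" in p}
    for vid, ports in members.items():
        for port in ports - {cpu_port}:
            if port_cfg.get(port, {}).get("vlan-mode") != "secure":
                findings.append(f"{port}: member of VLAN {vid} but vlan-mode is not secure")
    for port, cfg in port_cfg.items():
        dvid = int(cfg.get("default-vlan-id", 1))
        if dvid != 1 and port not in members[dvid]:
            findings.append(f"{port}: default-vlan-id {dvid} but not a member of that VLAN")
    return findings
```

To use it on a real box, feed the text of /export hide-sensitive to audit_bridge_vlans() (software filtering) or audit_switch_chip() (hardware filtering); an empty list means nothing was flagged. Appending sindy's two "set [find interface=...] pvid=..." lines to BRIDGE_ONLY makes audit_bridge_vlans() return an empty list, which is exactly the fix from his reply.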
 
samsung172
Forum Guru
Posts: 1191
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: VLAN, Trunk and access port help requested with 6.41 changes

Sun Jun 10, 2018 4:35 pm

Do it the old way...
> RB3011 connections
> ether1 - WAN
> ether2 - Trunk 1 (V100, V200, V300)
> ether3 - Trunk 2 (V100, V200, V300)
> ether4 - access port vlan 100
> ether5 - access port vlan 200

1. Make a bridge: br1.
2. Add ether2 and ether3 to the bridge.
3. Make VLAN 100 and 200 as ports on the bridge: vlan100_br1 and vlan200_br1.
4. Make a bridge br_vlan100 and a br_vlan200.
5. Add vlan100_br1 to br_vlan100 and vlan200_br1 to br_vlan200.
6. Add ether4 to br_vlan100 and ether5 to br_vlan200.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: VLAN, Trunk and access port help requested with 6.41 changes

Wed Jun 13, 2018 5:02 am

> Not sure I understand your last sentence. I am trying to have VLAN 100 and 200 present (egress?) on ether2 and ether3 to pass tagged to a downstream switch. The tags simply aren't there. I can confirm this with a test downstream switch and a Netool.io scan device. When I use your option 1 from the first link that defines a bridge for each VLAN, it works correctly and the tags pass.
>
> So what you say is that if you ping from the local IP address 192.168.100.1 assigned to interface=vlan100 to some other address in VLAN 100, i.e. in the 192.168.100.0/24 subnet, you can see the ARP requests for that other address coming from 192.168.100.1 as tagless on ether2 and/or ether3 when you use the "one bridge all vlans" configuration, but you can see them tagged when using the "one bridge per vlan" configuration?
>
> That is very strange to put it softly. I admit I haven't tested that on 6.42.3 but I did on previous "current" versions and it works properly there.

Sorry for the late reply on this - I have not had much time to work on it over the past few days. But I have made progress...

@Sindy - you were most correct. It was working. I reconfigured my switch and deleted the defconf bridge and things began to work. Although, to be honest, I do not think the defconf bridge had anything to do with it. I did get the pings to work with either config. My managed switch worked perfectly, allowing for both access and trunk port configurations. I may have seen some differences between the way broadcast traffic was handled with the VLAN on the bridge vs. on the interface. I will look at Wireshark to see what is going on. The short of it is my test equipment did not pick up the tags on the bridge config but it did with the interface config. This could be timing and anecdotal, as I had a difficult time getting it to reproduce exactly the same behavior.

> Also - I assume this does not use any of the HW offload and is lower performance? Is the switch/vlan a better place to try and do this?
>
> Well, that's a topic where I miss some bits. In general on devices with 8337/8237/8227 switch chips, switching vlan-filtering to yes on bridges disables the hw-offload (forwarding of frames by the switch chip itself). The reason is that all the tagging and untagging has to be done in software because these switch chips are not sophisticated enough to distinguish STP frames from other tagless frames and treat them differently. So yes, with vlan-filtering=yes on a bridge, even when a frame is forwarded between two Ethernet interfaces of the same switch chip, it goes via the CPU, so the total bridging throughput is limited. In this mode, the frames are left unchanged on the switch, except that a proprietary tag is added to indicate the port ID on ingress to inform the CPU about the ingress port, and the CPU uses the same proprietary tag to address the egress port when sending the frames out.
>
> When you disable vlan-filtering, set protocol=none and hw-offload=yes for that bridge alone, you can configure the switch chip to do tagging/untagging and vlan filtering on the member ports of that bridge, but I'm not sure how exactly the frame exchange with the CPU looks in that case. Nevertheless, if you make the CPU port of the switch chip a member of all VLANs you want to create /interface vlan for and keep the /interface bridge port configuration unchanged as if the switch chip was not doing any filtering, the switch chip forwards frames directly between the ports and does the vlan filtering.
>
> So the switch chip configuration would look something like
> /interface ethernet switch port
> set [find name=ether2] default-vlan-id=1 vlan-mode=secure
> set [find name=ether3] default-vlan-id=1 vlan-mode=secure
> set [find name=ether4] default-vlan-id=100 vlan-mode=secure
> set [find name=ether5] default-vlan-id=200 vlan-mode=secure
>
> /interface ethernet switch vlan
> add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=100
> add ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=200
> On my-bridge, you must set hw-offload to yes and vlan-filtering to no to make this work; the /interface bridge ports configuration must remain unchanged, the /interface bridge vlan configuration may be kept unchanged but its items related to bridges with vlan-filtering=no are ignored.

Thank you again for this. I put some trials together to see how this comes together. What is hard to gauge is what "size" of system begins to tax the CPU. In other words - when do the limits of CPU usage begin to cause issues, or when is HW offload a must? I understand the HW offloading should lead to better performance, but where does it begin to impact user experience? This approach certainly adds complexity and adds more room for configuration error. The bridge/vlan is pretty straightforward and keeps everything in one spot.
> One remark here, you've mentioned 3011 but your configuration export reveals you actually use a 2011, where the second switch chip (ether6-ether10) is an 8227, and that one doesn't support hybrid ports so the configuration for /interface ethernet switch port looks slightly different depending on whether you want the port to be a trunk one or an access one. Another difference is that the 8227 does not support independent learning of vlans (so if the same MAC address is accessible via different ports for different VLANs, the chip won't cope with it).

You are correct, as the 2011 is our "bench" test unit. Thanks for pointing this out. I will keep it in mind.

Thank you for sticking with me on this. You are a credit and value to everyone here.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: VLAN, Trunk and access port help requested with 6.41 changes

Wed Jun 13, 2018 5:03 am

> Do it the old way...
> RB3011 connections
> ether1 - WAN
> ether2 - Trunk 1 (V100, V200, V300)
> ether3 - Trunk 2 (V100, V200, V300)
> ether4 - access port vlan 100
> ether5 - access port vlan 200
>
> 1. Make a bridge: br1.
> 2. Add ether2 and ether3 to the bridge.
> 3. Make VLAN 100 and 200 as ports on the bridge: vlan100_br1 and vlan200_br1.
> 4. Make a bridge br_vlan100 and a br_vlan200.
> 5. Add vlan100_br1 to br_vlan100 and vlan200_br1 to br_vlan200.
> 6. Add ether4 to br_vlan100 and ether5 to br_vlan200.

Thank you as well. That certainly still works.
