/interface bridge
add admin-mac=E4:8D:8C:49:EE:4A auto-mac=no fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-router
set [ find default-name=ether2 ] name=ether2-BOX
set [ find default-name=ether3 ] name=ether3-AV
set [ find default-name=ether4 ] name=ether4-TV
/interface vlan
add interface=bridge name=vlan-42 vlan-id=42
/interface ethernet switch
set 0 mirror-source=ether1-router
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=fallback
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether1-router,ether3-AV,ether4-TV,ether5 switch=switch1 vlan-id=42
add independent-learning=no ports=ether1-router,ether2-BOX switch=switch1 vlan-id=3999
add independent-learning=no ports=switch1-cpu,ether1-router switch=switch1 vlan-id=41
add independent-learning=no ports=switch1-cpu,ether1-router,ether2-BOX switch=switch1 vlan-id=40
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC \
country=slovenia disabled=no frequency=2472 frequency-mode=\
regulatory-domain mode=ap-bridge name=wifi-42 security-profile=mkxNet \
ssid=mkxNet vlan-id=42 vlan-mode=use-tag wireless-protocol=802.11 \
wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E4:8D:8C:49:EE:50 \
master-interface=wifi-42 multicast-buffering=disabled name=wifi-guest-41 \
ssid=mkxGuest vlan-id=41 vlan-mode=use-tag wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge interface=ether1-router
add bridge=bridge interface=wifi-42
add bridge=bridge interface=wifi-guest-41
add bridge=bridge interface=ether2-BOX
add bridge=bridge interface=ether3-AV
add bridge=bridge interface=ether4-TV
add bridge=bridge interface=ether5
/ip address
add address=192.168.42.3/23 interface=vlan-42 network=192.168.42.0
/ip route
add distance=1 gateway=192.168.42.1
/interface bridge
add admin-mac=B8:69:F4:20:A5:49 auto-mac=no name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-router
set [ find default-name=ether2 ] name=ether2-BOX
set [ find default-name=ether3 ] name=ether3-AV
set [ find default-name=ether4 ] name=ether4-TV
/interface vlan
add interface=bridge name=vlan-42 vlan-id=42
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
country=slovenia disabled=no distance=indoors frequency=2452 \
frequency-mode=regulatory-domain mode=ap-bridge name=wifi-42-2G \
security-profile=mkxNet ssid=mkxNet vlan-id=42 vlan-mode=use-tag \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee \
country=slovenia disabled=no distance=indoors frequency=auto \
frequency-mode=regulatory-domain mode=ap-bridge name=wifi-42-5G \
security-profile=mkxNet ssid=mkxNet vlan-id=42 vlan-mode=use-tag \
wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=B8:69:F4:20:A5:50 \
master-interface=wifi-42-2G multicast-buffering=disabled name=\
wifi-guest-41 ssid=mkxGuest vlan-id=41 vlan-mode=use-tag wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-router
add bridge=bridge interface=ether2-BOX pvid=40
add bridge=bridge interface=ether3-AV pvid=42
add bridge=bridge interface=ether4-TV pvid=42
add bridge=bridge interface=ether5 pvid=42
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wifi-42-2G
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wifi-42-5G
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wifi-guest-41
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-router,wifi-42-2G,wifi-42-5G untagged=ether3-AV,ether4-TV,ether5 vlan-ids=42
add bridge=bridge tagged=ether1-router,ether2-BOX vlan-ids=3999
add bridge=bridge tagged=bridge,ether1-router,wifi-guest-41 vlan-ids=41
add bridge=bridge tagged=bridge,ether1-router untagged=ether2-BOX vlan-ids=40
/ip address
add address=192.168.42.6/23 interface=vlan-42 network=192.168.42.0
/ip route
add distance=1 gateway=192.168.42.1
This can't be repeated enough. So many people tout the "new way", but there are major caveats that need to be considered. Keep in mind that if you enable VLAN filtering on bridge (and without that VLANs essentially don't work), you lose HW offload and every packet passes CPU. This kills performance on slower routerboards, such as RG951G. I advise you to configure your Powerbox pro in the old way by using /interface ethernet switch section.
Thanks @proximus for reminder about the explanation from MT. So many people tout the "new way", but there are major caveats that need to be considered.
Here is a good explanation from MT. Focus is on CRS, but also covers other RB's.
viewtopic.php?t=133129#p654102
add bridge=bridge tagged=ether1-router,ether2-BOX vlan-ids=3999
add bridge=bridge tagged=bridge,ether1-router,ether2-BOX vlan-ids=3999
This is fine. If there's nothing to be done by RB for a particular VLAN, bridge doesn't have to be part of it. In my particular case, that VLAN is used by my ISP to deliver multicast of IPTV and what I'm doing is just to pass it on through my "switches" to "subscriber" devices while router parts don't need to touch it. This is the same as not including switch-cpu in the list of VLAN member ports in the classical way of doing the same. @mkx
I may see some missing configuration in your example.
This:
add bridge=bridge tagged=ether1-router,ether2-BOX vlan-ids=3999
If you don't need any routing between vlans performed on the devices in question, you don't need to create vlan interfaces and even add the bridge as a port for the vlans (except for the management vlan - to give an address to the device itself). @xvo
Thank you for input. These MikroTik devices are really acting as switches -- they're hanging off a Cisco switch (upstream) and the core router is an RB1100ahx4..
So is my entire issue because I never added this master bridge interface to the list of interfaces that need to be set to tagged under bridge > vlans?
using an Hex S and PowerBox as switches hence need the ports to be trunked (tagged). Hanging off these MT's are Engenius AP's
So, I need to still add the VLAN' under /interfaces vlan under the master bridge that I create that specifies all the vlan Id's.
Correct. For mgmt of these devices -- I can just leave the device IP address on the bridge interface and it will be accessible via a 'management port' or a port that I leave as untagged vlan PVID? As once it is connected to the switch upstream, it will work or should be accessible from within the network.
I can't confirm that. I'd correct it a small bit - for a given VID, you need to add bridge X itself to the list of tagged member ports of bridge X not only if you want to add an /interface vlan for that VID, to which you could attach an IP configuration (static address or dhcp client), but also if you want to make some wireless or virtual interface a member port of that bridge for that VLAN. In other words, if you need the frames tagged with that VID to reach the CPU. I don't understand the reason why it has been done this way but it has. The only case when you may omit setting the bridge as a tagged member port of itself for a given VID is when it is enough that frames tagged with this VID are forwarded between Ethernet ports of the same switch chip - even though with vlan-filtering=yes the actual forwarding is also done by the CPU.
It may even be version dependent, as last time I tried and came to this conclusion I was running 6.41.something. So either this thing is device-dependent, or this doesn't apply to wireless interfaces, as they can turn out to be that connection to cpu themselves.
I'd say default route...
route all back to core switch IP or should I just route all to default IP of the Mikrotik RB1100 router?
ip route 0.0.0.0/24 to IP ADDR of router?
All the VLANs on one line must have the identical tagged/untagged settings for all ports, and all member ports of the same VLAN must be on a single line. Which means that each VLAN with at least one untagged (access) port must have its own line. Hence two lines, one listing all the VLANs which have all member ports tagged, and an individual line for VLAN 10 which has one port untagged. Question:
/interface bridge vlan
add bridge=all-vlan-bridge vlan-ids=10 tagged=all-vlan-bridge,ether1,ether2 untagged=ether5
add bridge=all-vlan-bridge vlan-ids=20,40,60,88 tagged=all-vlan-bridge,ether1,ether2
you list 2 different add statements. I only had one large interface bridge vlan, where I listed all vlan ID's, and all the tagged and untagged. Will it let me create two? I create the untagged vlan ID separate
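The two rules stated in this thread (every VLAN with an access port on its own /interface bridge vlan line, all member ports of a VLAN on one line; and the bridge itself listed as tagged for any VID that has an /interface vlan on it) can be checked mechanically. The lint below is an added example, not code from the thread or from MikroTik; it parses the "add" lines of a RouterOS export (comma-separated vlan-ids only, no ranges) and the two sample exports are constructed for the test.

```python
import re
from collections import defaultdict

def parse_export(text):
    """Parse the 'add ...' lines of a RouterOS export into {section: [dict, ...]}."""
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        elif section and line.startswith("add "):
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            sections[section].append({k: v.strip('"') for k, v in pairs})
    return sections

def _ports(entry, key):
    return set(p for p in entry.get(key, "").split(",") if p)

def lint_bridge_vlans(text):
    """Return a list of findings; an empty list means the thread's rules are satisfied."""
    cfg = parse_export(text)
    findings = []
    seen = {}  # vid -> (bridge, tagged set, untagged set), first line that listed it
    for e in cfg["/interface bridge vlan"]:
        bridge, vids = e.get("bridge", ""), e.get("vlan-ids", "").split(",")
        tagged, untagged = _ports(e, "tagged"), _ports(e, "untagged")
        if len(vids) > 1 and untagged:   # access port shared by several VIDs on one line
            findings.append(f"VLANs {e['vlan-ids']} share one line but have untagged port(s) "
                            f"{','.join(sorted(untagged))}; each VLAN with an access port needs its own line")
        for p in sorted(tagged & untagged):
            findings.append(f"port {p} is both tagged and untagged in VLAN(s) {e['vlan-ids']}")
        for vid in vids:
            if vid in seen:              # member ports of one VLAN spread over two lines
                findings.append(f"VLAN {vid} member ports are split across two lines")
                continue
            seen[vid] = (bridge, tagged, untagged)
    filtering_bridges = {b for b, _, _ in seen.values()}
    for v in cfg["/interface vlan"]:
        bridge, vid, name = v.get("interface"), v.get("vlan-id"), v.get("name")
        if bridge not in filtering_bridges:
            continue                     # /interface vlan on something other than a VLAN bridge
        entry = seen.get(vid)
        if entry is None or bridge not in entry[1]:   # frames with this VID never reach the CPU tagged
            findings.append(f"/interface vlan {name} (VID {vid}) needs {bridge} itself "
                            f"in the tagged list for VLAN {vid}")
    return findings

# Constructed samples: GOOD follows the two-line layout, BAD breaks every rule above.
GOOD = """
/interface vlan
add interface=all-vlan-bridge name=vlan88_MGMT vlan-id=88
/interface bridge vlan
add bridge=all-vlan-bridge tagged=ether1,ether2 untagged=ether5 vlan-ids=10
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1,ether2 vlan-ids=20,40,60,88
"""
BAD = """
/interface vlan
add interface=all-vlan-bridge name=vlan10_LAN vlan-id=10
add interface=all-vlan-bridge name=vlan88_MGMT vlan-id=88
/interface bridge vlan
add bridge=all-vlan-bridge tagged=ether1,ether2 untagged=ether5 vlan-ids=10,20
add bridge=all-vlan-bridge tagged=ether1,ether2 vlan-ids=40,60,88
add bridge=all-vlan-bridge tagged=ether1 untagged=ether1 vlan-ids=20
"""
```

Paste a real `/export` into `lint_bridge_vlans` to get the same findings for your own device.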
Well, that was the other way how to do it, which is out of the usual thinking about switches. On a normal switch, you cannot have tagless frames inside the switch. Here you can - if you set bridge's pvid to 10, ingress packets tagged with VID 10 get untagged as they enter the bridge. So in that case, you attach the IP configuration for VLAN 10 directly to the bridge, not to /interface vlan.
Note: mgmt of device I want on the primary subnet which is VLAN 10 - which is also untagged. So that is probably why I lost access to device as even though eth1 is trunk port, ingress is tagged.. I had interface=all-vlan-bridge PVID set to 10 and was working just fine. But when I changed that bridge PVID back to default '1', I lost connection and it never rolled back.
Well, bridge can be a bit confusing due to its twin personality I already described in one of my previous posts.
So, if bridge is declared untagged (by setting PVID), then it's the interface personality of bridge that acts as untagged, while switch-like personality of bridge still carries those packets tagged. Hence ether1 will carry those packets tagged as it exchanges packets with switch-like personality of bridge, not interface personality of bridge.
This is exactly the reason why, if one dives into VLANs, it's better to declare bridge as tagged (by not defining PVID) and explicitly use /interface vlan whenever routerboard device needs to interact with that VLAN. For example: if you decide to change PVID of "untagged" bridge, then IP address associated to bridge will move over to another VLAN where it most probably doesn't make any sense. This can happen with /interface vlan, but if name of this device resembles VLAN ID in some way, mistake is much easier to see (and avoid).
Untagging and tagging work symmetrically between ingress and egress on the same port, and depends on port pvid and bridge pvid combination. So if ether1 has pvid=1 and ether5 has pvid=10, the behaviour depending on pvid of the bridge will be the following:
Will this affect the eth1 being a trunk port? Considering it's going to untag vlan 10 on ingress? What about vlan 10 traffic egress, that'll re-tag and so the upstream Cisco will ingest it back as tagged traffic?
This would be wrong because 192.168.88.251/24 would end up attached to the bridge itself so in VLAN 10. If you want it to be in VLAN 88, the last line must be
I'll also create a secondary mgmt IP and set as a vlan (tagged). Just in case. As I think this will be fail-safe access if connectivity gets blipped as I make config changes.
/interface vlan
add vlan-id=88 name=vlan-mgmt interface=all-vlan-bridge
/ip address=192.168.88.251/24 interface=all-vlan-bridge
# aug/27/2018 21:17:28 by RouterOS 6.41.3
# software id = QLBM-QQJI
#
# model = RB760iGS
# serial number = 976C094D4A89
/interface bridge
add fast-forward=no name=all-vlan-bridge pvid=10 vlan-filtering=yes
add admin-mac=B8:69:F4:05:9B:D1 auto-mac=no name=bridge_switch
/interface ethernet
set [ find default-name=ether5 ] name=ether5_phone poe-out=forced-on
/interface vlan
add interface=all-vlan-bridge name=VLAN10_LAN-Mgmt vlan-id=10
add interface=all-vlan-bridge name=VLAN88_MGMT vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=all-vlan-bridge interface=ether2
add bridge=all-vlan-bridge interface=ether3
add bridge=all-vlan-bridge interface=ether4
add bridge=all-vlan-bridge interface=ether5_phone pvid=10
add bridge=all-vlan-bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=all-vlan-bridge tagged=ether1,ether2,ether3 untagged=ether5_phone,all-vlan-bridge vlan-ids=10
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1,ether2,ether3 vlan-ids=20,40,60,88
/interface list member
add comment=defconf interface=bridge_switch list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.251/24 comment=Bkup-Mgmt interface=VLAN88_MGMT network=192.168.88.0
add address=192.168.128.251/24 comment="Switch Mgmt" interface=all-vlan-bridge network=192.168.128.0
/ip dns
set allow-remote-requests=yes servers=192.168.128.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.128.1
# aug/27/2018 21:21:17 by RouterOS 6.42.7
# software id = UNXD-I877
#
# model = 960PGS
# serial number = 8A320942F8E2
/interface bridge
add admin-mac=B8:69:F4:0F:34:E1 auto-mac=no name=all-vlan-bridge pvid=10 vlan-filtering=yes
add admin-mac=B8:69:F4:0F:34:E1 auto-mac=no name=bridge_lan
/interface ethernet
set [ find default-name=ether2 ] poe-out=forced-on
set [ find default-name=ether3 ] poe-out=forced-on
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=all-vlan-bridge name=vlan10_LAN vlan-id=10
add interface=all-vlan-bridge name=vlan88_MGMT vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=all-vlan-bridge interface=ether2
add bridge=bridge_lan hw=no interface=sfp1
add bridge=all-vlan-bridge interface=ether3
add bridge=all-vlan-bridge interface=ether4
add bridge=all-vlan-bridge interface=ether5 pvid=10
add bridge=all-vlan-bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=all-vlan-bridge tagged=ether1,ether2,ether3,ether4 untagged=ether5,all-vlan-bridge vlan-ids=10
add bridge=all-vlan-bridge tagged=ether1,ether2,ether3,ether4,all-vlan-bridge vlan-ids=20,40,60,88
/interface list member
add comment=defconf interface=bridge_lan list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=bridge_lan list=discover
add interface=all-vlan-bridge list=discover
add interface=bridge_lan list=mactel
add interface=bridge_lan list=mac-winbox
/ip address
add address=192.168.88.252/24 comment="backup mgmt" interface=vlan88_MGMT network=192.168.88.0
add address=192.168.128.252/24 comment="Mgmt IP" interface=all-vlan-bridge network=192.168.128.0
add address=192.168.99.252/24 interface=ether4 network=192.168.99.0
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.128.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name="Bears PowerBox - Trailer"
/system ntp client
set enabled=yes primary-ntp=192.168.128.1 server-dns-names=0.us.pool.ntp.org
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
# enable VLAN tagging on wlan interfaces ... all physical as well as virtual. VLAN IDs can be different on every wlan interface.
# The commands below go on top of "regular" WiFi configuration.
/interface wireless
set [ find name=wlan1 ] vlan-id=42 vlan-mode=use-tag
set [ find name=virtual_wlan ] vlan-id=666 vlan-mode=use-tag
# If wlan interfaces are not yet members of bridge, add them as tagged (trunk) - no PVID!!!
/interface bridge port
add bridge=all-vlan-bridge interface=wlan1
add bridge=all-vlan-bridge interface=virtual_wlan
# if wlan interfaces are members of bridge, change their VLAN settings. On wired (bridge) side, these interfaces carry tagged traffic!
# adjust the commands below to fit the rest of /interface bridge vlan setup!!!
/interface bridge vlan
add bridge=all-vlan-bridge tagged=wlan1 vlan-ids=42
add bridge=all-vlan-bridge tagged=virtual_wlan vlan-ids=666
As you have published only the working configuration, there is nothing to review so I'm afraid it will remain an unsolved mystery - unless you'd try to revert to that configuration just in order to learn what was wrong.
I tried to do PVID=1 on the /interface bridge all-vlan-bridge (as in example #1 provided by Sindy). I was not able to access device from core switch/network. So performed reset. I was able however, to get working 100% using the unorthodox method #2. Perhaps review config and let me know why?
Thanks for the tip! I will try the switch chip vlan method first - and perhaps also the new bridge vlan way as well. I'll know more later today about the performance or lack thereof when this old AP is installed at far side of campground. Few campers and sites ~1000ft LOS with some maple in way. I'm doubtful it will cut the mustard, as it's an older ENH202 model. The mANT 2 12's seems it'll do the trick for this part of site. Wish MikroTik had some newer outdoor devices that were dual band 2.4/5ghz and do band steering. But I regress on that notion. I used what they had bought and that was new Engenius ENH620ext AP's (4) and a single ENH1750EXT (very nice). These are omni-radios - not my suggestion; but had to use what they already had investment with. Rest of network is all MikroTik and Cisco for core switch.
When configuring WiFi interfaces as VLAN tagged, you need to do configuration like this:
Just remember to set proper VID on both /interface wireless as well as /interface bridge vlan and you're all set. The rest of setup (regarding ethernet ports) is just the same...
If, instead of using bridge VLAN, one goes HW way using switch chip VLAN, VLAN-tagged wifi config is even simpler: you only define VLAN IDs on /interface wireless exactly the same as in config sample above, no need to do anything anywhere else (no VLAN-special setup on bridge).