Community discussions

 
User avatar
harvey
Member Candidate
Member Candidate
Topic Author
Posts: 101
Joined: Thu Apr 05, 2012 8:16 pm

Bridge VLAN Filtering help

Tue Sep 11, 2018 1:21 pm

Hi,

I am testing out Bridge VLAN filtering to understand how it works. I have built a working example:-
Current Setup.png
CHR-1:
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=ether3 name=vlan200 vlan-id=200
add interface=ether3 name=vlan300 vlan-id=300
add interface=ether3 name=vlan400 vlan-id=400
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=20.0.0.2-20.0.0.254
add name=dhcp_pool1 ranges=30.0.0.2-30.0.0.254
add name=dhcp_pool2 ranges=40.0.0.2-40.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan200 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan300 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan400 name=dhcp3
/interface bridge port
add bridge=bridge1 interface=ether3
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether3 vlan-ids=300
add bridge=bridge1 tagged=ether3 vlan-ids=200
add bridge=bridge1 tagged=ether3 vlan-ids=400
/ip address
add address=20.0.0.1/24 interface=vlan200 network=20.0.0.0
add address=30.0.0.1/24 interface=vlan300 network=30.0.0.0
add address=40.0.0.1/24 interface=vlan400 network=40.0.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=20.0.0.0/24 gateway=20.0.0.1
add address=30.0.0.0/24 gateway=30.0.0.1
add address=40.0.0.0/24 gateway=40.0.0.1
/ip firewall filter
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
/system identity
set name=r1
And CHR-2:
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=200
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether4 pvid=300
add bridge=bridge1 interface=ether5 pvid=400
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=200
add bridge=bridge1 tagged=ether1 untagged=ether4 vlan-ids=300
add bridge=bridge1 tagged=ether1 untagged=ether5 vlan-ids=400
/ip dhcp-client
# DHCP client can not run on slave interface!
add dhcp-options=hostname,clientid disabled=no interface=ether1
/system identity
set name=switch
This all works absolutely fine. However, I'm struggling to work out how to add PC-5 untagged to ether2 of CHR-1 like this:-
Proposed Setup.png
I have tried a number of options but PC-5 would never get an IP from DHCP.

It has certainly crossed my mind that I should only be using 'Bridge VLAN Filtering' on CHR-2 and use the more traditional VLAN setup on CHR-1 but is it possible to use 'Bridge VLAN Filtering' on CHR-1 in this way? If so, how?

Your thoughts and help would be appreciated.

Thanks

Update: With the help of @xvo and @sindy this is solved. I have posted my final config's in this post viewtopic.php?f=2&t=139054&p=685811#p685811 for anyone that this may help.
You do not have the required permissions to view the files attached to this post.
Last edited by harvey on Wed Sep 12, 2018 5:39 pm, edited 3 times in total.
 
User avatar
xvo
Long time Member
Long time Member
Posts: 577
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Bridge VLAN Filtering help

Tue Sep 11, 2018 1:42 pm

/interface vlan
add interface=ether3 name=vlan200 vlan-id=200
add interface=ether3 name=vlan300 vlan-id=300
add interface=ether3 name=vlan400 vlan-id=400
This part on CHR-1 is wrong: the interfaces should be created on top of the bridge, not ether3.
Then you add ether2 to the same bridge1, set PVID=400 for it and add it as untagged in /interface bridge vlan.
 
User avatar
harvey
Member Candidate
Member Candidate
Topic Author
Posts: 101
Joined: Thu Apr 05, 2012 8:16 pm

Re: Bridge VLAN Filtering help

Wed Sep 12, 2018 12:25 pm

/interface vlan
add interface=ether3 name=vlan200 vlan-id=200
add interface=ether3 name=vlan300 vlan-id=300
add interface=ether3 name=vlan400 vlan-id=400
This part on CHR-1 is wrong: the interfaces should be created on top of the bridge, not ether3.
Then you add ether2 to the same bridge1, set PVID=400 for it and add it as untagged in /interface bridge vlan.

Thanks for coming back to me on this. I changed just part 1 of your advice under `/interface vlan` so the interface is `bridge1` for each vlan but now PC-1 through 5 no longer get an IP from DHCP. CHR-1 currently looks like this:-
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200
add interface=bridge1 name=vlan300 vlan-id=300
add interface=bridge1 name=vlan400 vlan-id=400
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=20.0.0.2-20.0.0.254
add name=dhcp_pool1 ranges=30.0.0.2-30.0.0.254
add name=dhcp_pool2 ranges=40.0.0.2-40.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan200 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan300 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan400 name=dhcp3
/interface bridge port
add bridge=bridge1 interface=ether3
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether3 vlan-ids=300
add bridge=bridge1 tagged=ether3 vlan-ids=200
add bridge=bridge1 tagged=ether3 vlan-ids=400
/ip address
add address=20.0.0.1/24 interface=vlan200 network=20.0.0.0
add address=30.0.0.1/24 interface=vlan300 network=30.0.0.0
add address=40.0.0.1/24 interface=vlan400 network=40.0.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=20.0.0.0/24 gateway=20.0.0.1
add address=30.0.0.0/24 gateway=30.0.0.1
add address=40.0.0.0/24 gateway=40.0.0.1
/ip firewall filter
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
/system identity
set name=r1
CHR-2 remains unchanged. Any ideas?
 
sindy
Forum Guru
Forum Guru
Posts: 3895
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bridge VLAN Filtering help  [SOLVED]

Wed Sep 12, 2018 12:55 pm

In the /interface bridge vlan node, you have to put the bridge itself to the list of its tagged (or untagged in some cases) members if you want to process the frames locally, e.g. by /interface vlan.

So in your particular case, it has to be
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=300
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=200
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=400
And as you handle all three VLANs in a uniform way, you can also simplify that into
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=200,300,400
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
nichky
Long time Member
Long time Member
Posts: 527
Joined: Tue Jun 23, 2015 2:35 pm

Re: Bridge VLAN Filtering help

Wed Sep 12, 2018 1:19 pm

harvey, what kind of routers do you use?
Nikola Suminoski
MikroTik Consultan
MTCRE l MTCWE

!) Safe Mode is your friend;
 
sindy
Forum Guru
Forum Guru
Posts: 3895
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bridge VLAN Filtering help

Wed Sep 12, 2018 1:32 pm

what kind of routers do you use?
CHR = Cloud Hosted Router, a virtual machine running on one of x86 virtualization platforms. No need to think about switch chip type - none equipped :)
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
xvo
Long time Member
Long time Member
Posts: 577
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Bridge VLAN Filtering help

Wed Sep 12, 2018 1:58 pm

/interface vlan
add interface=ether3 name=vlan200 vlan-id=200
add interface=ether3 name=vlan300 vlan-id=300
add interface=ether3 name=vlan400 vlan-id=400
This part on CHR-1 is wrong: the interfaces should be created on top of the bridge, not ether3.
Then you add ether2 to the same bridge1, set PVID=400 for it and add it as untagged in /interface bridge vlan.

Thanks for coming back to me on this. I changed just part 1 of your advice under `/interface vlan` so the interface is `bridge1` for each vlan but now PC-1 through 5 no longer get an IP from DHCP. CHR-1 currently looks like this:-
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200
add interface=bridge1 name=vlan300 vlan-id=300
add interface=bridge1 name=vlan400 vlan-id=400
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=20.0.0.2-20.0.0.254
add name=dhcp_pool1 ranges=30.0.0.2-30.0.0.254
add name=dhcp_pool2 ranges=40.0.0.2-40.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan200 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan300 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan400 name=dhcp3
/interface bridge port
add bridge=bridge1 interface=ether3
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether3 vlan-ids=300
add bridge=bridge1 tagged=ether3 vlan-ids=200
add bridge=bridge1 tagged=ether3 vlan-ids=400
/ip address
add address=20.0.0.1/24 interface=vlan200 network=20.0.0.0
add address=30.0.0.1/24 interface=vlan300 network=30.0.0.0
add address=40.0.0.1/24 interface=vlan400 network=40.0.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=20.0.0.0/24 gateway=20.0.0.1
add address=30.0.0.0/24 gateway=30.0.0.1
add address=40.0.0.0/24 gateway=40.0.0.1
/ip firewall filter
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
/system identity
set name=r1
CHR-2 remains unchanged. Any ideas?
You have the answer from sindy.
I missed that you don't have that part in your config as well.
 
User avatar
harvey
Member Candidate
Member Candidate
Topic Author
Posts: 101
Joined: Thu Apr 05, 2012 8:16 pm

Re: Bridge VLAN Filtering help

Wed Sep 12, 2018 5:35 pm

Thank you to both @xvo and @sindy' for your help, it's working perfectly. For completeness for anyone else in the future, I have included the final working configs and diagram are below:-
Screen Shot 2018-09-12 at 15.29.26.png
CHR-1
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200
add interface=bridge1 name=vlan300 vlan-id=300
add interface=bridge1 name=vlan400 vlan-id=400
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=20.0.0.2-20.0.0.254
add name=dhcp_pool1 ranges=30.0.0.2-30.0.0.254
add name=dhcp_pool2 ranges=40.0.0.2-40.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan200 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan300 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan400 name=dhcp3
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2 pvid=400
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=300
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=200
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=400
/ip address
add address=20.0.0.1/24 interface=vlan200 network=20.0.0.0
add address=30.0.0.1/24 interface=vlan300 network=30.0.0.0
add address=40.0.0.1/24 interface=vlan400 network=40.0.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=20.0.0.0/24 gateway=20.0.0.1
add address=30.0.0.0/24 gateway=30.0.0.1
add address=40.0.0.0/24 gateway=40.0.0.1
/ip firewall filter
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
/system identity
set name=r1
CHR-2
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=200
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether4 pvid=300
add bridge=bridge1 interface=ether5 pvid=400
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=200
add bridge=bridge1 tagged=ether1 untagged=ether4 vlan-ids=300
add bridge=bridge1 tagged=ether1 untagged=ether5 vlan-ids=400
/ip dhcp-client
add interface=ether1
/system identity
set name=switch
You do not have the required permissions to view the files attached to this post.
 
User avatar
nichky
Long time Member
Long time Member
Posts: 527
Joined: Tue Jun 23, 2015 2:35 pm

Re: Bridge VLAN Filtering help

Wed Aug 28, 2019 12:32 pm

one question regarding this topic.
So as soon as VLAN filtering is enabled traffic will go through CPU?
i mean if i want to get ether and wlan i have to tick VLAN Filtering

in my case i have 3 routerOS, and the thing is i need to run VLAN on ether and wlan. So acording that traffic will go through CPU,is that correct?
Nikola Suminoski
MikroTik Consultan
MTCRE l MTCWE

!) Safe Mode is your friend;
 
sindy
Forum Guru
Forum Guru
Posts: 3895
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bridge VLAN Filtering help

Wed Aug 28, 2019 12:52 pm

I don't know any Mikrotik model on which frames between wireless and Ethernet interface would not go through the CPU, regardless whether vlan-filtering is activated or not. Other than that, there is a table on the wiki regarding bridge (I'm writing from a mobile, you'll have to find the exact page on your own) which gives an overview regarding which features are compatible with hardware forwarding between Ethernet ports for which switch chip type.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
nichky
Long time Member
Long time Member
Posts: 527
Joined: Tue Jun 23, 2015 2:35 pm

Re: Bridge VLAN Filtering help

Wed Aug 28, 2019 12:57 pm

and also Does it make sance?

"if you have DHCP, etc on the device, you will have to also add the bridge to tagged"
on the Router wich is running DHCP-Server
Last edited by nichky on Wed Aug 28, 2019 1:02 pm, edited 1 time in total.
Nikola Suminoski
MikroTik Consultan
MTCRE l MTCWE

!) Safe Mode is your friend;
 
pe1chl
Forum Guru
Forum Guru
Posts: 5913
Joined: Mon Jun 08, 2015 12:09 pm

Re: Bridge VLAN Filtering help

Wed Aug 28, 2019 1:40 pm

What I found very confusing when setting up my bridge with VLAN filtering is: when you specify a certain port as untagged in the /interface bridge vlan definition, you STILL need to set the pvid to the same value in the /interface bridge port definition!
This is the case in some switches too. It probably means the pvid on the port definition is used for input tagging and the untagged membership in the vlan definition is four output, but I cannot think of a situation where you would use this.
In my Netgear switch the same port can be untagged member of several different VLANs and the pvid defines what tag the received packets get, and I think the configuration of the MikroTik bridge VLAN filtering allows the same thing, but why would you want that?

In other switches I know the configuration either sets up VLANs and you define the ports that are tagged and untagged members of that VLAN, where each port can be untagged for only one single VLAN, or you set up the tagged and untagged VLAN memberships for each port (so a port can obviously only be untagged for one VLAN).
 
Reinis
MikroTik Support
MikroTik Support
Posts: 67
Joined: Wed Jan 02, 2019 12:14 pm
Location: Latvia
Contact:

Re: Bridge VLAN Filtering help

Wed Aug 28, 2019 2:04 pm

one question regarding this topic.
So as soon as VLAN filtering is enabled traffic will go through CPU?
i mean if i want to get ether and wlan i have to tick VLAN Filtering

in my case i have 3 routerOS, and the thing is i need to run VLAN on ether and wlan. So acording that traffic will go through CPU,is that correct?

Not really, VLAN filtering itself will not cause CPU to process all packets on CRS3xx series, but will on others due to disabled HW offloading. You also have to take into consideration other parameters, for example:

Config:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=300
add bridge=bridge1 tagged=ether3 vlan-ids=200
add bridge=bridge1 tagged=ether3 vlan-ids=400
This will allow VLAN300 packets to be received by CPU for CRS3xx series, but does not necessary mean that all packets will be processed by CPU. CPU will receive/process only broadcasts, unknown unicasts, packets which destination is the bridge itself etc.

To understand RouterOS VLAN configuration possibilities/best practices, check out our documentation at:
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
https://wiki.mikrotik.com/wiki/Manual:L ... figuration
 
pe1chl
Forum Guru
Forum Guru
Posts: 5913
Joined: Mon Jun 08, 2015 12:09 pm

Re: Bridge VLAN Filtering help

Wed Aug 28, 2019 2:57 pm

Is there an explanation why "VLAN filtering itself will not cause CPU to process all packets on CRS3xx series, but will on others due to disabled HW offloading." even when those other models can do the same thing WITH HW offloading when you configure it in the switch menu instead of the bridge menu? Can't the bridge configuration just silently configure the switch when HW offloading is requested and only VLAN tagging is requested? (no spanning tree, no bridge filtering, etc)
 
anav
Forum Guru
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering help

Wed Aug 28, 2019 7:20 pm

From previous articles.
- Bridge port is INGRESS behaviour.
- Interface Bridge Vlan is EGRESS behaviour.
- on bridge ports, - Trunk ports do not require identification of pvid setting but access ports do!
- bridge port pvid setting tells router to tag incoming frames with vlan tag associated
- security on bridge ports is usually only tagged frames (trunk), only untagged and priority frames (access).
- If require bridge to perform L3 activities it must be included on an interface bridge vlan settings.
- interface vlan bridge setting tells router to untag packets heading back to devices (usually non vlan capable0

Just to clarify on the first router, the config shows this.............

/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2 pvid=400
/interface bridge vlan
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=300
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=200
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=400 ??????

Should it not show................
/interface bridge vlan
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=300
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=200
add bridge=bridge1 tagged=ether3,bridge1, untagged=eth2 vlan-ids=400 ??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN Filtering help

Wed Aug 28, 2019 10:47 pm

In my Netgear switch the same port can be untagged member of several different VLANs and the pvid defines what tag the received packets get, and I think the configuration of the MikroTik bridge VLAN filtering allows the same thing, but why would you want that?

My good old Dlink switch has this functionality, there it's called "assymetrical VLAN". I used to use it as kind of L2 firewall or split horizon ... For example: on one port I have connection to my smart TV. I want this TV to be member of LAN (to be able to play media served by my DLNA server) but I don't want it to have internet access (because one can't disable automatic firmware updates nor I trust the phoning-home appliances). Surely this can easily be achieved using decent firewall (which my router at the time didn't really have) or by port security features (such as horizon - which the said switch doesn't have) or you can do it using the multi-untagged vlan feature. For example:
#let's assume that router/firewall is some other, non-VLAN device
/interface bridge port
add bridge=bridge interface=router pvid=10
add bridge=bridge interface=TV pvid=11
add bridge=bridge interface=DLNA pvid=12  # DLNA server
add bridge=bridge intefface=LAN pvid=12  # some other LAN host
/interface bridge vlan
add bridge=bridge untagged=DLNA,LAN vlan-ids=10 # router can send packets to DLNA and LAN ports
add bridge=bridge untagged=DLNA,LAN vlan-ids=11 # TV can send packets to DLNA and LAN ports, but not router
add bridge=bridge untagged=router,DLNA,LAN,TV vlan-ids=12 # DLNA and LAN can send packets to all other devices
[edit] the last config line was missing interface TV as untagged member of VLAN 12.
Last edited by mkx on Thu Aug 29, 2019 8:16 am, edited 1 time in total.
BR,
Metod
 
anav
Forum Guru
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering help

Thu Aug 29, 2019 1:17 am

Focus mkx! ;-) See my germane question above the fluffy D-stink post.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN Filtering help

Thu Aug 29, 2019 8:11 am

@anav, you're such a moving target (and my eyes are getting old as well) so it's hard to focus on you ;-) ... but anyway, I was just jumping in to explain @pe1chl the possible use case of this "huh?" feature. You boys are doing well so I'll stop to interfere.
BR,
Metod
 
anav
Forum Guru
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering help

Thu Aug 29, 2019 2:06 pm

All kidding aside MKX, I think there was a possible error/omission in the config and that was what I was pointing out or at least asking.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN Filtering help

Thu Aug 29, 2019 3:16 pm

I think there was a possible error/omission in the config and that was what I was pointing out or at least asking.

So I didn't react to your post. I'll deny that it might be due to oversight from my side ;-)

Seriously though: yes, you're right (and that's why I didn't react ... so sorry I deprived you of a well deserved pat on your back :-P ).

OK, kidding aside: the only reason that it might actually work for @harvey is that PC-5 might be windows and @sindy explained more than once that the first thing many windows drivers do for ingress packet is rip off all VLAN headers. So packets in direction CHR1-> PC-5 pass due to this driver feature and packets in the opposite direction get tagged by CHR1 on ingress due to pvid setting.
BR,
Metod
 
anav
Forum Guru
Forum Guru
Posts: 3100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering help

Thu Aug 29, 2019 10:55 pm

Thank you Sir, for the pat on the back, the acknowledgment of my attention to detail, wisdom, vlan acumen etc etc etc....... ;-P

I just wanted to make sure I am not stark raving mad wrt vlan understanding (for the consumer router and CCR devices - dont ask me about actual chip driven devices).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1434
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Bridge VLAN Filtering help

Thu Aug 29, 2019 11:59 pm

It did not make sense to me that a access port can be a member of mulipless VLAN's, so I just read up on d-links asymmetrical vlan, and all it is is a hybrid port, which Mikrotik already does.

Or am I missing something?

EDIT: Nevermind, found another article, and it sounds quite cool, in a nutshell, assymetric vlan allows you to "switch" between VLAN's, so you don't have to "route" between these VLAN's
MTCNA, MTCTCE, MTCRE & MTCINE
 
mkx
Forum Guru
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN Filtering help

Fri Aug 30, 2019 8:31 am

... in a nutshell, assymetric vlan allows you to "switch" between VLAN's, so you don't have to "route" between these VLAN's

Well, actually it does on egress what a typical windows NIC driver does on ingress ... strips all VLAN headers :lol: "switching" between VLANs is one of (benefitial if admin is aware of it) side effects.
BR,
Metod

Who is online

Users browsing this forum: Google [Bot], MSN [Bot] and 116 guests