Hello,
I'm having some odd issues with bridge VLANs not working and think I'm missing something basic. I come from a Juniper switch environment, so I've got the basic understanding, and I'm confident I'm the one breaking something.
The issues I'm seeing are:
1) A device plugged into ether2/ether3/ether4 does not get any dhcp. I see the dhcp discover on a wireshark dump but no answer.
2) A device plugged into ether5 (VLAN 200) is seeing ARP broadcasts from vlan100. I can also ping 192.168.88.1 (vlan100 router interface) from a device in vlan200 (on 192.168.20.254 / ether5 port). On a similar Juniper config, ARP requests would not be broadcast across VLANs, nor would an interface bound to vlan100 be directly pingable on interface vlan200.
Hardware: Hex S
Goal:
VLANS: 100,200,300,400,500
Internal IP on VLAN 100: 192.168.88.1/24 (pool 192.168.88.10-254)
Internal IP on VLAN 200: 192.168.20.1/24 (pool 192.168.20.10-254)
VLANs 300/400/500 are to carry customer-tagged traffic.
Ether1 = WAN uplink (this part's not really relevant/works fine)
Ether2 - Untagged (pcs/devices won't be adding any vlan tags to traffic) vlan 100, device tagged traffic allowed for vlan 200,300,400, 500.
Ether3 - Untagged (pcs/devices won't be adding any vlan tags to traffic) vlan 100, device tagged traffic allowed for vlan 200,300,400, 500.
Ether4 - Untagged (pcs/devices won't be adding any vlan tags to traffic) vlan 100, device tagged traffic allowed for vlan 200,300,400, 500.
Ether5 - Untagged (pcs/devices won't be adding any vlan tags to traffic) vlan 200, device tagged traffic allowed for vlan 100,300,400, 500.
Statements used (from a default config)
# Purpose: give ether2-ether5 a per-port PVID, build the bridge VLAN table, create the
# VLAN interfaces used for routing/DHCP, and finally switch on bridge VLAN filtering.
# Each port is removed from its existing bridge-port entry and re-added with its untagged VLAN as pvid.
/interface bridge port remove [find where interface="ether2"]
/interface bridge port add bridge=bridge interface=ether2 pvid=100
/interface bridge port remove [find where interface="ether3"]
/interface bridge port add bridge=bridge interface=ether3 pvid=100
/interface bridge port remove [find where interface="ether4"]
/interface bridge port add bridge=bridge interface=ether4 pvid=100
/interface bridge port remove [find where interface="ether5"]
/interface bridge port add bridge=bridge interface=ether5 pvid=200
# Bridge VLAN table. "bridge" is listed as a tagged member so the /interface vlan
# interfaces created on the bridge below take part in each VLAN.
# NOTE(review): ether5 is a tagged member of VLAN 100 here, so VLAN 100 broadcasts (ARP
# included) are expected to leave ether5 carrying an 802.1Q tag. A capture on that port can
# show them even though its untagged VLAN is 200 - confirm whether the captured frames are tagged.
/interface bridge vlan add bridge=bridge vlan-ids=100 tagged=bridge,ether5 untagged=ether2,ether3,ether4
# NOTE(review): ether1 is listed as tagged in VLANs 200-500, but none of these statements add
# ether1 as a bridge port - verify that is intended for the WAN uplink.
/interface bridge vlan add bridge=bridge vlan-ids=200 tagged=bridge,ether1,ether2,ether3,ether4 untagged=ether5
/interface bridge vlan add bridge=bridge vlan-ids=300 tagged=bridge,ether1,ether2,ether3,ether4,ether5
/interface bridge vlan add bridge=bridge vlan-ids=400 tagged=bridge,ether1,ether2,ether3,ether4,ether5
/interface bridge vlan add bridge=bridge vlan-ids=500 tagged=bridge,ether1,ether2,ether3,ether4,ether5
# Layer-3 VLAN interfaces on top of the bridge.
# NOTE(review): the last three lines all use name=vlan300; the vlan-id=400 and vlan-id=500
# lines were presumably meant to be vlan400/vlan500. The export further down the page lists
# only vlan100, vlan200 and vlan300.
/interface vlan add name=vlan100 vlan-id=100 interface=bridge
/interface vlan add name=vlan200 vlan-id=200 interface=bridge
/interface vlan add name=vlan300 vlan-id=300 interface=bridge
/interface vlan add name=vlan300 vlan-id=400 interface=bridge
/interface vlan add name=vlan300 vlan-id=500 interface=bridge
# Move the existing 192.168.88.1/24 address onto vlan100 and add the VLAN 200 gateway address.
# NOTE(review): both subnets are directly connected to the same router, so it routes between
# them and answers on any of its own addresses unless /ip firewall filter rules prevent it.
# VLANs separate layer 2 only; isolation between vlan100 and vlan200 has to be enforced in the firewall.
/ip address set [find where address=192.168.88.1/24] interface=vlan100
/ip address add address=192.168.20.1/24 interface=vlan200
# One DHCP server per VLAN interface.
# NOTE(review): no "/ip pool add name=vlan200" appears in these statements; the export
# further down the page does contain that pool.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=vlan100 name=defconf
add address-pool=vlan200 disabled=no interface=vlan200 name=vlan200
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# Source NAT towards the WAN list for both internal subnets.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.20.0/24
# VLAN filtering is switched on as the final step, presumably so the VLAN table is complete
# before the bridge starts enforcing it.
/interface bridge set bridge vlan-filtering=yes
Full config:
# oct/12/2018 12:16:03 by RouterOS 6.43.2
# software id = GBVI-ZYLG
#
# model = RB760iGS
# serial number = 87F2093EE262
# NOTE(review): the software id and serial number above identify this specific unit; the
# export header can be trimmed before a configuration is shared publicly.
# Single bridge with a fixed admin MAC and VLAN filtering enabled.
/interface bridge
add admin-mac=B8:69:F4:01:DF:4D auto-mac=no comment=defconf name=bridge vlan-filtering=yes
# All five copper ports have speed=100Mbps set.
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
# Layer-3 VLAN interfaces on the bridge.
# NOTE(review): only VLANs 100, 200 and 300 have an interface here; nothing exists for
# vlan-id 400 or 500, although the bridge VLAN table later in this export carries both.
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
add interface=bridge name=vlan300 vlan-id=300
# Interface lists referenced by the firewall (members are assigned under /interface list member).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Address pools for the two DHCP servers.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vlan200 ranges=192.168.20.10-192.168.20.254
# DHCP servers are bound to the VLAN interfaces, not to the bridge itself, so they only see
# requests that the bridge delivers into vlan100 / vlan200.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=vlan100 name=defconf
add address-pool=vlan200 disabled=no interface=vlan200 name=vlan200
# Remote logging target.
# NOTE(review): RouterOS remote logging is normally plain syslog over UDP - confirm the path
# to this collector is trusted, since info-level logs are forwarded to it.
/system logging action
set 3 remote=64.246.100.226
# Bridge ports. ether1 is not a bridge port; sfp1 is, with no pvid shown (presumably the default).
/interface bridge port
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether2 pvid=100
add bridge=bridge interface=ether3 pvid=100
add bridge=bridge interface=ether4 pvid=100
add bridge=bridge interface=ether5 pvid=200
# Neighbor discovery is disabled on all interfaces.
/interface neighbor discovery-settings is not used here; the setting lives under /ip neighbor.
/ip neighbor discovery-settings
set discover-interface-list=none
# Bridge VLAN table as actually applied.
# NOTE(review): there is no vlan-ids=100 entry, so "bridge" is not a tagged member of VLAN
# 100. With vlan-filtering=yes, frames from ether2-ether4 (pvid=100) then presumably never
# reach the vlan100 interface, which would match the unanswered DHCP discovers - verify.
# NOTE(review): the VLAN 200 entry has no tagged ether2-ether4, unlike the stated goal, and
# ether1 is listed as tagged in 300-500 although it is not a bridge port.
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=200
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=300
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=400
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=500
# NOTE(review): a switch-chip VLAN entry for 500 exists alongside the bridge VLAN table;
# presumably a leftover from an earlier attempt - confirm which mechanism is meant to be in use.
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=500
# NOTE(review): LAN contains only "bridge". The router addresses sit on vlan100/vlan200, so
# packets to the router from those subnets arrive on a VLAN interface that is not in LAN and
# fall under the "drop all not coming from LAN" input rule in this export - verify and add the
# VLAN interfaces that should be allowed to reach router services.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# Router addresses.
# NOTE(review): the 64.246.97.6/29 entry shows no interface= in this export - verify which
# interface holds it.
/ip address
add address=64.246.97.6/29 network=64.246.97.0
add address=192.168.88.1/24 interface=vlan100 network=192.168.88.0
add address=192.168.20.1/24 interface=vlan200 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan300 network=192.168.30.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router.lan
# Management source list; the addresses were redacted by the poster.
/ip firewall address-list
add address=censored.ips list=amplex-mgnt
add address=censored.ips list=amplex-mgnt
add address=censored.ips list=amplex-mgnt
add address=censored.ips list=amplex-mgnt
add address=censored.ips list=amplex-mgnt
add address=censored.ips list=amplex-mgnt
add address=censored.ips list=amplex-mgnt
add address=censored.ips list=amplex-mgnt
add address=censored.ips list=amplex-mgnt
add address=censored.ips list=amplex-mgnt
add address=censored.ips list=amplex-mgnt
# Filter rules are evaluated top to bottom; the first match wins.
/ip firewall filter
# Management sources may reach the router itself on any protocol and port.
add action=accept chain=input comment=amplex-mgnt-in src-address-list=amplex-mgnt
# NOTE(review): these two forward rules match on address only (no connection-state or
# interface) and sit above "drop invalid" and the WAN drop rule, so new connections from the
# WAN towards 64.246.97.0/29 are accepted here - confirm that this exposure is intended.
add action=accept chain=forward comment=luckey-testaccount-subnet-500 dst-address=64.246.97.0/29
add action=accept chain=forward src-address=64.246.97.0/29
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMP to the router is accepted before the LAN check, so any router address (including
# 192.168.88.1) answers ping from any interface, VLAN 200 included.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE(review): only "bridge" is a LAN member in this export, so input arriving on
# vlan100/vlan200 is presumably dropped by this rule (for example DNS queries to the router) - verify.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# FastTrack rule is present but disabled.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): this is the last forward rule and it only drops new connections from WAN.
# Nothing drops traffic routed between vlan100, vlan200 and vlan300, so the VLANs are not
# isolated from each other at layer 3; add explicit forward drop rules if they should be.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT towards WAN for the two internal subnets; 192.168.30.0/24 has no masquerade rule.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.20.0/24
# Management services: telnet and winbox are disabled; ftp, www and ssh are moved to
# non-default ports.
# NOTE(review): ftp and www are cleartext protocols and stay enabled here. A port change is
# not access control; reachability is decided by the input chain. Services not listed in this
# export (such as api) are presumably at their defaults - verify and disable what is unused.
/ip service
set telnet disabled=yes
set ftp port=8021
set www port=8080
set ssh port=8022
set winbox disabled=yes
# Restrict SSH to the stronger crypto settings.
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=luckey-testaccount-mtr
# Forward critical, error, info and warning topics to the "remote" logging action.
/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
/system routerboard settings
set silent-boot=no
# Built-in bandwidth test server is turned off.
/tool bandwidth-server
set enabled=no
/tool graphing
set store-every=24hours
/tool graphing interface
add interface=ether1
add store-on-disk=no
/tool graphing resource
add
# Layer-2 management access (MAC telnet, MAC winbox, MAC ping) is disabled on all interfaces.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no