Hi All,

This has been driving me nuts for weeks. Our local Mikrotik mail list hasn't been a huge amount of help - seems like it's just broken behaviour in RouterOS, and no amount of workarounds will fix it permanently. Hoping someone here has a solution I have a bunch of CRS109's both at home and in the DC, all with a similar configuration.

What I'm trying to do is fairly simple.. CRS109 with say three VLAN's.
1) vlan 100, 101, 102 all trunked on ether1.
2) vlan100 native vlan on ether2-ether8
3) wlan0 bridged to vlan 100
4) wlan0-alias1 bridged to vlan102
5) vlan101 has management IP for switch.

in 6.40.x this worked perfectly with master/slave ports. I'd simply do:
1) put ether2-8 as slaves to ether1.
2) create all three vlans under ether1
3) create two bridges - bridge_vlan100 and bridge_vlan102.
4) drop vlan100 and wlan0 into bridge_vlan100
5) drop vlan102 and wlan0-alias1 into bridge_vlan102
6) pop an IP onto vlan101
7) under /interface switch vlan, add all three vlans, and set ingress/egress translation rules to translate vlan 100 to 0 outbound, and 0 to 100 inbound on ether2-8

That has worked perfectly on multiple CRS109's for many years now.

And then I upgraded to 6.42.10 with this new bridge configuration. Oh my lord

I've tried two different ways - the 'right' way, and a slightly hacky-er way

First way:

1) Pop ether1-8 AND wlan0 and wlan0-alias1 into bridge1. PVID on ether2-8 and wlan0 is 100, PVID on wlan0-alias1 is 102
2) Using bridge vlan rules, set vlan 101 tagged on ether1. set vlan100 tagged on ether1, and wlan0, and untagged on ether2-8. set vlan102 tagged on ether1 and wlan0-alias1.
3) IN the wlan interfaces, set them to use-tag, and set vlan id to 100 for wlan0 and 102 for wlan0-alias1
4) Add a vlan101 under bridge1 and put an IP on it for management. (On the CRS109 that's also the router, I also create vlan100 and vlan102 and put IP's on those)
5) enable vlan filtering on the bridge.

This 'works', but wifi devices can't talk to ethernet devices. tcpdump on one of the ethernet devices shows that all wifi packets are arriving on the switch ports tagged as vlan100, even though vlan100 is the PVID for the ethernet ports, so should be coming out untagged. Since apparently hardware offload isn't supported on CRS 1xx devices, the whole network comes crashing down if a network connected device goes to pull more than ~50mbps across the LAN, as the CPU of the device it's connected to hits 100%.

Second way:

1) pop ether1-8 into bridge1.
2) create vlan100, vlan101, vlan102 under bridge1
3) Create bridge_vlan100 and bridge_vlan102, and put vlans 100 and 102 as ports in these bridges. set protocol to none on these bridges (otherwise spanning tree loses its mind..)
3) Pop an IP on vlan101 for management. (and on bridge_vlan100 and bridge_vlan102 on the CRS109 that runs as the router)
4) add wlan0 to bridge_vlan100 and wlan0-alias1 to bridge_vlan102. no vlan tagging set on the wireless interface configurations.
5) in /interface switch vlan, add all three vlans, and set ingress/egress translation rules to translate vlan 100 to 0 outbound, and 0 to 100 inbound on ether2-8

This works much the same as it did in 6.40, EXCEPT I *still* have the issue of wifi packets out ethernet are tagged vlan100 - it's like wifi packets, even passing through the bridge, are bypassing the switch egress translation rules?? Note: when I *first* reboot the CRS109, it WORKS. for about 5 minutes, then the translation rules stop working on wifi packets. I downgraded from 6.42.10 to 6.42.9, and it lasted about an hour. I upgraded to 6.43.7, incase it was an issue with the 6.42 branch, but had the same issue.

Does anyone know HOW to get this working? My whole reason for using CRS109's is that they're relatively inexpensive, they work great as switches and wifi AP's, and they have JUST enough routing power to happily route the 50mbps of an Australian internet connection And I have a lot of them between my house, my parents' house, and my gear in Datacenters.. (not operating as routers for the gear in datacenters though, only for switching, and OOB access routing...).

Is it just a peculiarity of the 109's that hasn't been tested with the new firmware properly since they don't do hardware offload, so haven't bothered testing fully? Is there another 'tik model that will do switching and wifi and routing that's confirmed working correctly between wifi and ethernet with multiple vlans, that I could slowly migrate to? I'm rather losing my mind at the moment

Thanks,

Damien

/interface bridge
add admin-mac=xx.xx.xx.xx.xx.xx auto-mac=no comment=defconf name=\
bridge_rendrag vlan-filtering=yes

/interface vlan
add interface=bridge_rendrag name=Vlan_101 vlan-id=101
add interface=bridge_rendrag name=Vlan_100 vlan-id=100
add interface=bridge_rendrag name=Vlan_102 vlan-id=102

/interface list
add name=WAN
add name=LAN

/interface bridge port
add bridge=bridge_rendrag comment=defconf interface=ether1 (repeat for all
add bridge=bridge_rendrag comment=defconf interface=WLAN0
add bridge=bridge_rendrag comment=defconf interface=WLAN0-Alias1

/interface bridge vlan
add bridge=bridge_rendrag tagged=bridge_rendrag, eth1,eth2,eth3,eth4,eth5,eth6,eth7,eth8,WLAN0 vlan-ids=100
add bridge=bridge_rendrag tagged=WLAN0-alias1 vlan-ids=102
(not sure how to handle managment vlans on these units)
(add bridge.....)

/interface list member
add interface=bridge_rendrag=LAN
add interface=Vlan_100 list=LAN
add interface=Vlan_101 list=LAN
add interface=Vlan_102 list=LAN
add interface=ethXX? list=WAN

Hey Anav,

Thanks for your reply

Unfortunately, that didn't work - couple of reasons

1) As I mentioned, the new RouterOS bridge code doesn't support hw offload on the crs1xx platform, so max throughput available would be about 50mbps.
But besides that
2) that would be pushing all traffic out the ethernet ports as tagged vlan 100 - I need it native vlan (i.e. untagged) - which is the configuration I already posted, which has the issue where wifi traffic isn't getting untagged as it traverses out the ethernet ports

I'm really hoping *someone* has this working with the new bridge code, one one of the other cheap-ish mikrotik hardware platforms. I'd *like* to get this working on my CRS109's, but if I can't, then I'll go with something of a similar price, and just slowly replace them.. or if worst comes to worst, I know as the traffic passes through ANOTHER CRS109, the vlan translation cleans things up, so I can always just put TWO crs-109's into each location - one for wifi, one for ethernet.. (but that's kinda yuck..) Would be REALLY nice if Mikrotik could just fix this issue, but I know from previous experience, there's simply no point trying to report a bug to them.. :\

Then create and add the wireless interfaces to the bridge, the important point are the use-tag and tag value settings which attach the wlan interfaces to the bridge with VLAN tagging:

.
This is the important part. wlan interfaces are not the same as ether interfaces when it comes to bridge vlan filtering.

Thanks tdw,

I'm thinking there's an actual problem hardware-wise on the CRS109 then I've just replicated your config onto one of my spare CRS109's, and still have the issue where packets from the wlan are still tagged vlan100 when passed out the ether interfaces.

So tempted to just buy a bunch of RB952's to sit beside each CRS109 to do wireless, but there's none in stock at our 'tik dealer here in .au until next year :\

Ok, so I borrowed an RB951-2n, and an RB2011-2HnD-IN from work for the holidays to do some more in-depth testing, alongside a spare CRS-109-8G-1S-2HnD-IN. Rolled all three back to 6.40.9 and defaulted configuration. Some interesting notes..

1) CRS* looks to be the only platform which supports vlan-egress* and vlan-ingress* nodes under the switch chip config. Must admit, I'd assumed that was just a standard RouterOS feature, as I couldn't imagine why it *wouldn't* exist, as all our Huawei and Extreme gear at work does it out of the box. - working CRS config https://nextcloud.rendrag.net/index.php ... 5WoyfYt7Ae

2) RB951 doesn't work at all for having access ports on something other than the default vlan (i.e. NOT on a vlan at all) - i.e. documentation suggests that the following should do it (and RB2011 works perfectly like this): - nonworking RB951 config: https://nextcloud.rendrag.net/index.php ... jQBnXdmMEK
RB2011 works perfectly with the above to drop vlan100 as the untagged vlan onto ether2 and ether3. Ethernet->RouterOS and Wifi->Ethernet work perfectly this way. -> https://nextcloud.rendrag.net/index.php ... 5ng2Ea2w32

3) If you mistakenly think that 'format NAND' is the fastest way to clear the config on an RB2011, and needed to run netinstall in a windows VM in parallels Desktop on your mac, you want to completely shutdown Parallels, and look for the config.pvs file inside the VM directory, and then look for the PktFilter noded in the XML, and set all three options (PreventPromisc, PreventIpSpoof, and PreventMacSpoof) to 0, then start Parallels back up. That was an hour of my life I want back

Upgrading the three devices to 6.42.9...

The RB2011 works exactly was everyone has suggested things should work. Create a bridge for each vlan, create a vlan under the main bridge, and then put the vlan and the wifi into the vlan-specific bridge. VOILA, works perfectly. -> https://nextcloud.rendrag.net/index.php ... Rcxwgpsos6

The RB951 then works correctly. Weirdly, on this platform, your IP can be on EITHER the bridge or the vlan, and still works fine. Also interestingly, the wlan interface can actually be in either bridge, and it can talk to ethernet fine (Neither of these is the case on the RB2011, I went back and checked..). -> https://nextcloud.rendrag.net/index.php ... GypMSGCaWj

The CRS109 Also works correctly, which is interesting! 400mbps between switch ports pushes the CPU to 95%. 80mbps between Wifi and a switch port pushes the CPU to 30%, so would probably be about the same. Has me wondering now why my main CRS109 was falling in a heap at ~20mbps.. I'll re-try reconfiguring the main CRS tomorrow morning - https://nextcloud.rendrag.net/index.php ... KxBQpCbcsc

If I turn VLAN Filtering *off*, and try to use vlan translations to do customer-vlan=100 new-customer-vlan=0 on egress and vice-versa on ingress on the ether2-5 ports, then wlan-sourced packets are egressing to ethernet still tagged, so looks like a bug with the CRS. - config at https://nextcloud.rendrag.net/index.php ... 7xz7bawaEx

So question: Is there any point me trying to lodge a bug with Mikrotik? The previous times I've tried to lodge support issues with them (granted, that was 4+ years ago), I haven't even had a reply for six months, and then it has been 'please contact the company you purchased your device through in the first instance'... It seems like a pretty big bug, that would be great to have fixed, as it's basically stopping you doing ethernet->wifi bridging while still maintaining wire speed switching on the CRS1/2 series devices.