kobuki
Member Candidate
Topic Author
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 8:59 pm

I'd like to use the VLAN filtering capability on a HAP AC2. No HW chip VLAN settings are used, all are on defaults since I want to use the bridge facility for this entirely. This is the config I'm using:
/interface bridge
add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge-lan protocol-mode=none pvid=20 vlan-filtering=yes

/interface vlan
add interface=bridge-lan name=vlan20 vlan-id=20

/ip address
add address=192.168.1.222/24 interface=vlan20 network=192.168.1.0

/interface bridge port
add bridge=bridge-lan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5 pvid=20

/interface bridge vlan
add bridge=bridge-lan tagged=ether5 vlan-ids=20
When I ping, for instance, 192.168.1.65 with vlan-filtering=no, it works and other traffic also passes. When I change it to vlan-filtering=yes, traffic stops going out on VLAN 20. I can see broadcasts coming in on VLAN 20, though. This seems a simple enough configuration to me, yet it fails. What did I overlook?
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 9:18 pm

You need to include the bridge itself as a tagged member in the "/interface bridge vlan" definition.

See also https://wiki.mikrotik.com/wiki/Manual:I ... _Bridge.29
 
kobuki
Member Candidate
Topic Author
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 9:33 pm

Thanks, I did that, but it didn't help. It's not an inter-VLAN routing problem, though, since I have only one VLAN. Unless I'm misunderstanding something, of course.
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan vlan-ids=20

/interface bridge vlan print  detail 
Flags: X - disabled, D - dynamic 
 0   bridge=bridge-lan vlan-ids=20 tagged=bridge-lan untagged="" current-tagged="" current-untagged=bridge-lan 
It somehow becomes an untagged port after adding it to the tagged ones.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 9:36 pm

Please post the entire config as I hate playing whack-a-mole!

/export hide-sensitive file=yourconfig
 
kobuki
Member Candidate
Topic Author
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 9:40 pm

It's a basic test config not too far from the default one. Thanks.
Last edited by kobuki on Thu Feb 07, 2019 9:54 pm, edited 1 time in total.
 
kobuki
Member Candidate
Topic Author
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 9:50 pm

From the full config you can see that ether5 is added to bridge-lan, and that is the interface connected to a trunk port on a switch with vlan 20 where only tagged packets travel. If I add the vlan on ether5, it starts working, with vlan filtering turned on. It's as if vlan filtering only allows traffic from/to tagged interfaces or something like that. Unfortunately the documentation is not very good regarding this.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 10:21 pm

> Thanks, I did that, but it didn't help. It's not an inter-VLAN routing problem, though, since I have only one VLAN. Unless I'm misunderstanding something, of course.
> /interface bridge vlan
> add bridge=bridge-lan tagged=bridge-lan vlan-ids=20
>
> /interface bridge vlan print  detail
> Flags: X - disabled, D - dynamic
>  0   bridge=bridge-lan vlan-ids=20 tagged=bridge-lan untagged="" current-tagged="" current-untagged=bridge-lan
> It somehow becomes an untagged port after adding it to the tagged ones.

AND the ether5...
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 10:23 pm

The /interface bridge vlan configuration is incomplete. It should be something like this:

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether5 vlan-ids=20

The code assumes you want ether5 to carry tagged frames. You should also remove pvid=20 from the definition of bridge-lan in /interface bridge as you're using the vlan20 interface to properly deal with traffic. Also, setting pvid=20 for ether5 in /interface bridge port is redundant and should be removed.

If, on the other hand, you want to make ether5 an access port for VLAN 20 (i.e. untagged frames live outside the routerboard), then the pvid setting on the ether5 port in /interface bridge port is fine, but you have to change frame-types to admit-only-untagged-and-priority-tagged. The /interface bridge vlan setting above should be changed so that the ether5 port is listed as an untagged member port.
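
The gap discussed above (a VLAN interface sitting on a vlan-filtering bridge that is not itself listed in /interface bridge vlan) can be caught from an export before filtering is switched on. The Python check below is an added example, not part of the thread or of MikroTik's tooling: the sample export is constructed from the first post, the function names are hypothetical, and it assumes static tagged=/untagged= lists with comma-separated single VLAN IDs (no ranges, no dynamic entries).

```python
import re
from collections import defaultdict

# Constructed sample in /export form, modelled on the first post's configuration.
EXPORT_BROKEN = r"""/interface bridge
add name=bridge-lan protocol-mode=none pvid=20 vlan-filtering=yes
/interface vlan
add interface=bridge-lan name=vlan20 vlan-id=20
/interface bridge port
add bridge=bridge-lan frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=ether5 pvid=20
/interface bridge vlan
add bridge=bridge-lan tagged=ether5 vlan-ids=20
"""
# Same export with the bridge itself added as a tagged member of VLAN 20.
EXPORT_FIXED = EXPORT_BROKEN.replace("tagged=ether5", "tagged=bridge-lan,ether5")

def parse_export(text):
    """Return {menu path: [attribute dict per 'add' line]}."""
    menus, menu = defaultdict(list), None
    text = re.sub(r"\\\n\s*", "", text)  # join lines split with a trailing backslash
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus[menu].append({k: v.strip('"') for k, v in pairs})
    return menus

def missing_bridge_members(text):
    """Return (vlan interface, bridge, vlan-id) where the bridge filters VLANs
    but is not statically listed as a member of that VLAN (assumed check)."""
    cfg = parse_export(text)
    filtering = {b.get("name") for b in cfg["/interface bridge"]
                 if b.get("vlan-filtering") == "yes"}
    members = defaultdict(set)  # (bridge, vlan-id) -> statically listed members
    for row in cfg["/interface bridge vlan"]:
        listed = {m for key in ("tagged", "untagged")
                  for m in row.get(key, "").split(",") if m}
        for vid in row.get("vlan-ids", "").split(","):
            members[(row.get("bridge"), vid)] |= listed
    return [(v.get("name"), v.get("interface"), v.get("vlan-id"))
            for v in cfg["/interface vlan"]
            if v.get("interface") in filtering
            and v.get("interface") not in members[(v.get("interface"), v.get("vlan-id"))]]

if __name__ == "__main__":
    for name, bridge, vid in missing_bridge_members(EXPORT_BROKEN):
        print(f"{name}: bridge {bridge} is not a member of VLAN {vid}")
```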
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 10:54 pm

/interface bridge
add admin-mac=CC:2D:E0:C2:CA:FB auto-mac=no name=bridge
add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes \
not sure if this is required............
name=bridge-lan protocol-mode=none pvid=20 vlan-filtering=yes
Remove and should be the default pvid=1

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
WHERE IS THE IP POOL FOR THE VLAN???

/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
WHERE IS THE DHCP-Server for the VLAN??

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge-lan frame-types=admit-only-vlan-tagged ingress-filtering=\
yes interface=ether5 pvid=20

TRY
add bridge=bridge interface=ether5 pvid=20 ingress-filtering=yes
I am assuming that this port leads to a device that is not able to tag or recognize tagged packets.

/interface bridge vlan
add bridge=bridge-lan vlan-ids=20 hmmmm??????
TRY
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan untagged=ether5 vlan-ids=20


/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
need
add interface=vlan20 list=LAN

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.1.222/24 interface=vlan20 network=192.168.1.0

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 dns-server=192.168.88.1
Need dhcp-server network for VLAN

/ip dns
set allow-remote-requests=yes
okay but which static servers, seeing as you have not opted for ISP dns servers in client settings??

/ip dns static
add address=192.168.88.1 name=router.lan (this is a default setting that can be removed when fixing the above)
 
kobuki
Member Candidate
Topic Author
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 11:04 pm

@sebastia, @mkx, thanks, one of these might be the overlook, I'll try them and also anav's suggestions.

@anav: thanks for the thorough inspection of the export, but please don't mind all the defaults and missing bits (dhcp, pool, etc.). When I have the vlan issue fixed, I'll reconfigure the whole thing; it's just an isolated test now for the bridge and vlans (for the live config), nothing else.
 
kobuki
Member Candidate
Topic Author
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: Bridge VLAN filtering blocks all traffic

Thu Feb 07, 2019 11:21 pm

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether5 vlan-ids=20
This one solved it, thanks! I know the PVIDs are redundant but they do practically nothing in this setup, so it doesn't hurt either. ROS defaults to PVID 1 and I tend to change it from 1 to one of my VLAN IDs.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN filtering blocks all traffic

Fri Feb 08, 2019 12:36 am

So ether 5 is a TRUNK port and not an access port?????
 
kobuki
Member Candidate
Topic Author
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: Bridge VLAN filtering blocks all traffic

Fri Feb 08, 2019 1:21 am

> So ether 5 is a TRUNK port and not an access port?????

Yes.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN filtering blocks all traffic

Fri Feb 08, 2019 6:14 am

Damn I wish you hadn't said that, it just irks me that mkx was correct. :-)

thus (add bridge=bridge interface=ether5) works and
(/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether5 vlan-ids=20) works
