
Tagged VLANs in Bridge Issue

Posted: Fri Apr 19, 2019 12:18 am
by lynx649
Hi everyone,

I'm suffering from the following issue on a RB in production. I have a switch plugged into Eth3 and another router in Eth4, with its own DHCP server on VLAN 10. The switch is aware of VLAN 10 and passes this tag onto APs which have a WLAN untagged on VLAN 10.

I created a bridge (bridge-10) just for VLAN 10 and bridged together Ether3(VLAN10) and Ether4(VLAN10). I also have another bridge (bridge-lan) with DHCP server on MikroTik and bridged Ether3 and Ether4.

On the surface, everything looks OK until you start pinging the router WAN IP on Ether4 and get about 5% packet loss over extended duration. What I also noticed is that the interfaces Ether3(VLAN10) and Ether4(VLAN10) do not show any traffic going through them (and there is traffic); all the traffic is shown on bridge-lan and its interfaces.

I reviewed the layer2 misconfiguration article and tried disabling (R)STP on bridge-10 but no luck. What I then did was disable bridge-10 and its interfaces altogether, then everything starts working normally, no packet loss, people can surf on VLAN (as far as I can tell remotely).

2 questions.

1. Is it OK to leave it without VLAN 10 tagged anywhere on the MikroTik if it is working, or will I start to see weird things happen?

2. Does anyone know why I would receive packet loss with the 2 VLAN interfaces bridged and no other configuration applied? (I've actually done this at other sites with no issue, and see the VLAN traffic passing on the individual VLAN interfaces.)

RB is on 6.44.2

Thanks!!

Re: Tagged VLANs in Bridge Issue

Posted: Fri Apr 19, 2019 8:32 am
by mkx
Post your configuration (/export hide-sensitive).

However, the preferred configuration since ROS 6.41 is to have a single bridge in the device. Depending on device type and desired setup, VLAN filtering is then either done on the bridge (bridge setting vlan-filtering=yes) or on the switch chip (the same way as it was done already in previous versions). Your post did not give much detail so it's not possible to advise you further.

Re: Tagged VLANs in Bridge Issue

Posted: Fri Apr 19, 2019 9:05 am
by lynx649
Hopefully it's enough to just post bridge and VLAN config below. I am curious to try the VLAN filtering but am not sure how I would do the DHCP server. For example, for VLANs 11 and 20 below, I am doing DHCP from the MikroTik and assigning that server to their respective bridges. But that's another topic; the main issue here is that when I enable ether3.10 and ether4.10 along with bridge-2, it creates packet loss to the router WAN (not MikroTik router) on ether4, when on other MikroTiks we have in production it just works and I can see VLAN 10 traffic on the interfaces (in this case ether3.10 and ether4.10).

It seems to be working at the moment with bridge-2 disabled as I'm assuming by bridging physical ether3 and ether4 on bridge-3 it is passing those VLAN tags?
If I were to do vlan filtering, I'll set up a test router in the office but how would I do DHCP server for a particular VLAN originating from the Mikrotik if everything is on just one bridge?

One note, as you see below, I tried disabling fast forward, fast path, also assigning an admin MAC to bridge-3 in case that was causing an issue, no luck.

/interface bridge
add fast-forward=no name=bridge-1
add disabled=yes fast-forward=no name=bridge-2
add admin-mac=***redacted*** auto-mac=no fast-forward=no name=bridge-3
add fast-forward=no name=bridge-4
/interface vlan
add disabled=yes interface=ether3 name=ether3.10 vlan-id=10
add interface=ether3 name=ether3.11 vlan-id=11
add interface=ether3 name=ether3.20 vlan-id=20
add disabled=yes interface=ether4 name=ether4.10 vlan-id=10
/interface bridge port
add bridge=bridge-2 interface=ether4.10
add bridge=bridge-2 interface=ether3.10
add bridge=bridge-3 interface=ether4
add bridge=bridge-3 interface=ether3
add bridge=bridge-1 interface=ether3.20
add bridge=bridge-4 interface=ether3.11
/interface bridge settings
set allow-fast-path=no

Re: Tagged VLANs in Bridge Issue

Posted: Fri Apr 19, 2019 9:10 am
by mkx
You didn't write which RB we're talking about.

Indeed, your way of using bridges doesn't prevent bridge3 from passing all tagged frames along with untagged ones.

Anyhow, I recommend you to read through this excellent thread about how VLANs are supposed to be done in modern ROS. Config examples are included.
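
As an added example (not part of the thread and not MikroTik tooling): a small Python check that reads the bridge, VLAN and bridge-port sections of the export posted above and lists every VLAN interface whose parent port is also a member of a bridge without vlan-filtering, which is the situation in which that bridge forwards the tagged frames itself. Treating a bridge with vlan-filtering=yes as enforcing its VLAN table is an assumption of this check.

```python
import shlex

# Bridge, VLAN and bridge-port sections of the export posted in the thread.
EXPORT = """\
/interface bridge
add fast-forward=no name=bridge-1
add disabled=yes fast-forward=no name=bridge-2
add admin-mac=***redacted*** auto-mac=no fast-forward=no name=bridge-3
add fast-forward=no name=bridge-4
/interface vlan
add disabled=yes interface=ether3 name=ether3.10 vlan-id=10
add interface=ether3 name=ether3.11 vlan-id=11
add interface=ether3 name=ether3.20 vlan-id=20
add disabled=yes interface=ether4 name=ether4.10 vlan-id=10
/interface bridge port
add bridge=bridge-2 interface=ether4.10
add bridge=bridge-2 interface=ether3.10
add bridge=bridge-3 interface=ether4
add bridge=bridge-3 interface=ether3
add bridge=bridge-1 interface=ether3.20
add bridge=bridge-4 interface=ether3.11
"""

def parse_export(text):
    """Group 'add key=value ...' lines by the /menu path that precedes them."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            menus[current].append(dict(pairs))
    return menus

def audit(text):
    """Return (vlan_if, vlan_id, parent_port, bridge) for each VLAN interface
    whose parent is a port of a bridge that has no vlan-filtering."""
    menus = parse_export(text)
    # The export omits defaults, so a missing vlan-filtering key means "no".
    filtering = {b["name"]: b.get("vlan-filtering") == "yes" for b in menus.get("/interface bridge", [])}
    port_of = {p["interface"]: p["bridge"] for p in menus.get("/interface bridge port", [])}
    findings = []
    for v in menus.get("/interface vlan", []):
        bridge = port_of.get(v["interface"])
        if bridge and not filtering.get(bridge, False):
            findings.append((v["name"], int(v["vlan-id"]), v["interface"], bridge))
    return findings
```

Calling `audit(EXPORT)` flags all four VLAN interfaces, including the two disabled VLAN 10 ones, because their parents ether3 and ether4 are both ports of bridge-3.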

Re: Tagged VLANs in Bridge Issue

Posted: Fri Apr 19, 2019 9:59 am
by lynx649
> You didn't write which RB we're talking about.
>
> Indeed your way of using bridges doesn't prevent bridge3 to pass all tagged frames along untagged ones.
>
> Anyhow, I recommend you to read through this excellent thread about how VLANs are supposed to be done in modern ROS. Config examples are included.

My apologies, RB is a 2011iL running 6.44.2

I'll leave it with bridge2, ether3.10 and 4.10 disabled as bridge3 is passing the VLAN tags as you mentioned. Thanks for your help, I'll read up on the VLAN configuration and do some testing in the office. One last question, do you have any theories on what would cause the packet loss when the aforementioned bridges and interfaces are enabled?

Re: Tagged VLANs in Bridge Issue

Posted: Fri Apr 19, 2019 2:18 pm
by mkx
> One last question, do you have any theories on what would cause the packet loss when the aforementioned bridges and interfaces are enabled?

Other than that your current config is IMHO weird and your router might concur with me ... no idea.

Btw, CPU of RB2011iL is not a beast ... but the gigabit switch chip (ports 1-5) is a decent one. After you ingest the idea of single bridge (and have it working), you might convert it from bridge-vlan to switch-chip-vlan. But let's leave that for some later time.
Nevertheless, as a preparation phase (and if your WAN is up to 100Mbps), you could move the WAN port to one of ether6-ether10.