Community discussions

 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

VLAN over Bridge

Sat May 11, 2019 5:51 pm

Hi there! :)

I have been struggling for some days with a setup I want to achieve.
Background: I want to get rid of my ISP box and let my RB4011 communicate directly with the ONT (so directly with the ISP).
For some reason, my ISP needs to receive DHCP requests through VLAN 832 at priority 6 to work.
I know that I can't use mangle for that as DHCP uses raw sockets, and I also know that my switch chip is not able to support rules to set this priority level to 6, which leaves me with the only option of creating a VLAN over a bridge and then creating a rule to set priority 6 on the matching frames.
Is everybody in line with me up to now?

I have never done this; I must be messing up some settings, as this is not working... I suspect that my settings around Bridge and VLAN are not correct but can't find out which ones and why (despite the several hours spent trying various things....)
My DHCP client keeps on searching... (whereas my other DHCP client, when I go through the ISP box, quickly goes from searching to requesting to bound)

Here is my config. Do you guys see the weak point?

Code:

# may/11/2019 16:27:31 by RouterOS 6.44.2
# software id = 6DZP-Q4TF
#
# model = RB4011iGS+
# serial number = AAAF09XXXXX
/interface bridge
add admin-mac=B8:69:F4:XX:XX:XX auto-mac=no comment=defconf name=bridge
add fast-forward=no ingress-filtering=yes name=bridgePrio6 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
add interface=bridgePrio6 name=Vlan832 vlan-id=832
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=90 name=authentication value="XXXXX"
add code=77 name=userclass value="XXXXX"
add code=60 name=vendorclass value=0x736167656d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes \
mac-protocol=ip new-priority=6 out-bridge=bridgePrio6 out-interface=\
ether1-WAN passthrough=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN pvid=832
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridgePrio6 tagged=bridgePrio6 untagged=ether1-WAN vlan-ids=832
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=bridgePrio6 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-WAN
add dhcp-options=hostname,clientid,authentication,vendorclass,userclass \
disabled=no interface=bridgePrio6
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=XXXXXX
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name="sniff 11 Mai" filter-interface=bridgePrio6
Thank you in advance for the help! :)
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sat May 11, 2019 6:22 pm

First of all, move ether1-WAN from untagged to tagged list below,
/interface bridge vlan
add bridge=bridgePrio6 tagged=bridgePrio6,ether1-WAN [struck out: untagged=ether1-WAN] vlan-ids=832


Next, change the pvid from 832 to 1 below:
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN [struck out: pvid=832] pvid=1.

It should be enough; if it is not, come back.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
anav
Forum Guru
Posts: 2829
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN over Bridge

Sat May 11, 2019 6:23 pm

Disagree with Sindy The Complicated!! ;-P
Don't need a bridge for the WAN side of the deal.
Get rid of it; don't use any kind of bridge.
My ONT is connected to my MT on ether5:

/interface ethernet
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
/interface vlan
add interface=Bell_eth5 name=vlanbell vlan-id=xx

In my case no priority is required.
The only issue for me is that we are not given the IP gateway.
I have to go into the DHCP client menu, click on the connection, check the status tab, find the IP gateway and then put that into my IP routing rules.
(Don't see IP routing rules in your config?)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sat May 11, 2019 6:29 pm

@anav,

your situation is different from the OP's:
Don't need a bridge for the WAN side of the deal.
Get rid of it; don't use any kind of bridge.
...
In my case no priority is required.

For some reasons, my ISP need to receive DHCP requests through VLAN 832 at a priority to 6 to work.
 
anav
Forum Guru
Posts: 2829
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN over Bridge

Sat May 11, 2019 7:12 pm

So you're saying that at DHCP client acquisition time, the bridge method is the only way to set QoS or CoS during the initial negotiations??
Funny, my ISP Bell does this for the TV side of the house, VLAN plus a certain priority. My Zyxel router could assign CoS for everything but the initial handshaking (twas very frustrating to see them add the capability and then not apply it at the most critical time).
Would be cool if the MT can do this for the initial handshake as well (however my days of paying the ISP for TV are long, long gone).
 
anav
Forum Guru
Posts: 2829
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN over Bridge

Sat May 11, 2019 7:14 pm

This seems to apply:

The CoS field can be set in two places: /ip firewall mangle or /interface bridge filter
When working directly on the vlan interface (edge router or device that adds the tag), use /ip firewall mangle.
When dealing with bridges use /interface bridge filter.
To set the CoS field the action that is used on the rules is set-priority. When this is set on the vlan interface, it will set its CoS id.
 
Samot
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: VLAN over Bridge

Sat May 11, 2019 7:26 pm

@sindy & @anav, while your little spat is cute, you both have failed to notice some glaring errors in this config.

1. bridgePrio6 is the one that is supposed to filter this WAN VLAN stuff. So why is it a _member_ of the default bridge?! That's a no no.
2. There is nothing that shows bridgePrio6 has ether-1 as a member of that bridge. So that is also not correct.
3. While I've only worked on one RB4011, I don't recall all the switch menu options being set like this. But I won't know until this week when it's back up online at the customer site to double check, but it wasn't like this when I was doing the initial setup.
4. There is a DHCP client assigned to both ether-1 _AND_ bridgePrio6, if they are supposed to be in the bridge together and doing VLAN filtering then why do they both need a DHCP client? As far as I can tell they don't.

So this entire config is a complete mess. The minor details you are discussing need to be addressed after the entire mess is cleaned up. At least that's how I see it.
 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

Re: VLAN over Bridge

Sat May 11, 2019 7:28 pm

First of all, thanks for the quick reply! :)

I did as suggested, but it doesn't change anything...
When I sniff either ether1 or bridgeprio6 I see the DHCP Discovery, there is no VLAN tag in the header... We agree that I should see the VLAN header here, right?
And of course no Offer is following...

Just to be sure, the suggested correction:
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN pvid=832 pvid=1.
was in
/interface bridge port
right?

I've tried to modify the WAN interface in Interface list to Bridgeprio6 but still the same... :?

EDIT: just noticed the last post, I am trying those suggestions, will revert
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sat May 11, 2019 7:31 pm

@anav, I'm usually only complicated when the situation requires it. E.g. if you send me a box of chocolate, I'll just say "thank you", no complications to be expected.

Your findings are all correct, but what throws a pitchfork into it is the fact that DHCP packets (both those sent/received by a client and those sent/received by a server) bypass the /ip firewall. So the only place where you can modify the priority field of a DHCP packet carried inside a VLAN frame is the /interface bridge filter (or /interface ethernet switch rule, but we deal with a 4011 here and I have no device with the same switch chip to try on before posting), which is what the OP has properly identified and attempted to do. And the only issue is that he's spent a lot of effort to attach the VLAN tag with VLAN ID and priority to the frame only to strip it again on egress due to the incorrect setting of ether1-WAN as an access port, for which I've suggested a correction to him.
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sat May 11, 2019 7:39 pm

When I sniff either ether1 or bridgeprio6 I see the DHCP Discovery, there is no VLAN tag in the header... We agree that I should see the VLAN header here, right?
Yes, we do.

Just to be sure, the suggested correction:
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN pvid=832 pvid=1.
was in
/interface bridge port
right?
Right, except that the pvid=832 was crossed out in my post in order to show that it has to be replaced by pvid=1. Hope you did it.

And, as @Samot has pointed out correctly, you have to move the dhcp-client from bridgePrio6 to the VLAN interface Vlan832. But your bridge configuration was otherwise correct, don't change it.
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sat May 11, 2019 7:47 pm

1. bridgePrio6 is the one that is supposed to filter this WAN VLAN stuff. So why is it a _member_ of the default bridge?!
Where can you see bridgePrio6 as a member of bridge? I cannot see anything like that (Mikrotik lets you do a lot of things which should not be done but it refuses to make a bridge a member interface of another bridge directly).

2. There is nothing that shows bridgePrio6 has ether-1 as a member of that bridge. So that is also not correct.

/interface bridge port
...
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN pvid=832

3. While I've only worked on one RB4011, I don't recall all the switch menu options being set like this. But I won't know until this week when it's back up online at the customer site to double check, but it wasn't like this when I was doing the initial setup.
That was suspicious to me as well but as long as it would be harmless even if it would work I didn't care.

4. There is a DHCP client assigned to both ether-1 _AND_ bridgePrio6, if they are supposed to be in the bridge together and doing VLAN filtering then why do they both need a DHCP client? As far as I can tell they don't.
Yes, I've missed this. The client attached directly to ether1-WAN while ether1-WAN is a member port of a bridge is one of the things which RouterOS should refuse to do but it unfortunately lets you, and it is harmless in this situation; the DHCP client on the bridge rather than on the /interface vlan is the mistake which prevents the frames from getting the tag with VLAN ID.
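A lint pass over the OP's export that flags the placement mistakes identified in this thread (DHCP client on the bridge instead of Vlan832, a second DHCP client on the bridge member port, and ether1-WAN configured as an access port with pvid=832 and untagged membership instead of a tagged trunk). This is an added example, not code from the forum or from MikroTik; it assumes the plain /export layout of the original post, and the corrected fragment it checks is the thread's suggested fix (tagged trunk, pvid=1, client on Vlan832) written out as a constructed sample.

```python
"""Lint a RouterOS /export for the WAN-VLAN placement mistakes discussed in the thread.

Added example, not the forum's or MikroTik's code.  SAMPLE_EXPORT is the OP's posted
config trimmed to the relevant sections (XXXXX is the OP's own redaction);
CORRECTED_EXPORT is a constructed fragment applying the thread's suggested fixes.
"""
import shlex
from collections import defaultdict

SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=B8:69:F4:XX:XX:XX auto-mac=no comment=defconf name=bridge
add fast-forward=no ingress-filtering=yes name=bridgePrio6 vlan-filtering=yes
/interface vlan
add interface=bridgePrio6 name=Vlan832 vlan-id=832
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN pvid=832
/interface bridge vlan
add bridge=bridgePrio6 tagged=bridgePrio6 untagged=ether1-WAN vlan-ids=832
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-WAN
add dhcp-options=hostname,clientid,authentication,vendorclass,userclass \\
disabled=no interface=bridgePrio6
"""

CORRECTED_EXPORT = """\
/interface bridge
add fast-forward=no ingress-filtering=yes name=bridgePrio6 vlan-filtering=yes
/interface vlan
add interface=bridgePrio6 name=Vlan832 vlan-id=832
/interface bridge port
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN pvid=1
/interface bridge vlan
add bridge=bridgePrio6 tagged=bridgePrio6,ether1-WAN vlan-ids=832
/ip dhcp-client
add dhcp-options=hostname,clientid,authentication,vendorclass,userclass \\
disabled=no interface=Vlan832
"""


def parse_export(text):
    """Return {section: [ {key: value}, ... ]}, joining '\\' line continuations."""
    sections = defaultdict(list)
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # RouterOS wraps long commands with a trailing backslash
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):         # menu path such as /interface bridge port
            section = line
            continue
        verb, *tokens = shlex.split(line)
        if verb not in ("add", "set"):
            continue
        entry = {"_verb": verb}
        for tok in tokens:               # keep only key=value pairs; '[ find ... ]' tokens are skipped
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[section].append(entry)
    return sections


def lint(cfg, wan_port, wan_vid):
    """Findings for 'the ISP must see DHCP tagged with wan_vid on wan_port'."""
    findings, vid = [], str(wan_vid)
    bridges = {e["name"] for e in cfg["/interface bridge"] if "name" in e}
    vlan_ifaces = {(e["interface"], e["vlan-id"]): e["name"] for e in cfg["/interface vlan"]}
    members = {e["interface"]: e for e in cfg["/interface bridge port"]}

    for e in cfg["/ip dhcp-client"]:
        iface = e.get("interface")
        if iface in bridges:             # client on the bridge itself: frames leave untagged
            carried = [n for (b, v), n in vlan_ifaces.items() if b == iface and v == vid]
            if carried:
                findings.append(f"dhcp-client on bridge {iface}: move it to {carried[0]} "
                                f"so the request leaves tagged with VLAN {vid}")
        elif iface in members:           # client on a port that belongs to a bridge
            findings.append(f"dhcp-client on {iface}, a port of bridge "
                            f"{members[iface]['bridge']}: remove it (harmless but pointless)")

    if wan_port in members and members[wan_port].get("pvid") == vid:
        findings.append(f"{wan_port} has pvid={vid}: use pvid=1, it must not be an access port")
    for e in cfg["/interface bridge vlan"]:
        if vid not in e.get("vlan-ids", "").split(","):
            continue
        tagged, untagged = e.get("tagged", "").split(","), e.get("untagged", "").split(",")
        if wan_port in untagged or wan_port not in tagged:
            findings.append(f"{wan_port} must be in tagged= (not untagged=) for vlan-ids={vid}; "
                            "as an access port the bridge strips the tag on egress")
    return findings


if __name__ == "__main__":
    for f in lint(parse_export(SAMPLE_EXPORT), "ether1-WAN", 832):
        print("FINDING:", f)
    print("corrected:", lint(parse_export(CORRECTED_EXPORT), "ether1-WAN", 832))
```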
 
anav
Forum Guru
Posts: 2829
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN over Bridge

Sat May 11, 2019 8:22 pm

 
anav
Forum Guru
Posts: 2829
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN over Bridge

Sat May 11, 2019 8:27 pm

Seriously, how would one, for traffic coming from an ISP on vlan XX, also ensure that the router meets the necessary requirements of replying with handshakes/traffic with the correct DSCP (tos), CoS or QoS.
So confusing.......... just how bout the right "priority" LOL
I thought mangling was just for "inside" the router and thus would have no bearing on traffic going back to the ISP?
 
CZFan
Forum Guru
Posts: 1258
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN over Bridge

Sat May 11, 2019 8:38 pm

@sindy & @anav, while your little spat is cute, you both have failed to notice some glaring errors in this config.

1. bridgePrio6 is the one that is supposed to filter this WAN VLAN stuff. So why is it a _member_ of the default bridge?! That's a no no.
2. There is nothing that shows bridgePrio6 has ether-1 as a member of that bridge. So that is also not correct.
3. While I've only worked on one RB4011, I don't recall all the switch menu options being set like this. But I won't know until this week when it's back up online at the customer site to double check, but it wasn't like this when I was doing the initial setup.
4. There is a DHCP client assigned to both ether-1 _AND_ bridgePrio6, if they are supposed to be in the bridge together and doing VLAN filtering then why do they both need a DHCP client? As far as I can tell they don't.

So this entire config is a complete mess. The minor details you are discussing need to be addressed after the entire mess is cleaned up. At least that's how I see it.

Wow, I find this post quite arrogant, and many points incorrect here. (25% success rate)

Do yourself a favor and have a look at sindy's post history so you can get some understanding of sindy's knowledge
MTCNA, MTCTCE, MTCRE & MTCINE
 
CZFan
Forum Guru
Posts: 1258
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN over Bridge

Sat May 11, 2019 8:49 pm

...
3. While I've only worked on one RB4011, I don't recall all the switch menu options being set like this. But I won't know until this week when it's back up online at the customer site to double check, but it wasn't like this when I was doing the initial setup.
...

The RB4011 has a RTL8367 switch chip which does not support VLAN / Rule Tables, so as far as my knowledge goes (nothing compared to sindy's) I doubt you will find anything in the switch menu. It all has to be done on Bridge (Software) level for this device.
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sat May 11, 2019 9:43 pm

Seriously, how would one, for traffic coming from an ISP on vlan XX, also ensure that the router meets the necessary requirements of replying with handshakes/traffic with the correct DSCP (tos), CoS or QoS.
So confusing.......... just how bout the right "priority" LOL
I thought mangling was just for "inside" the router and thus would have no bearing on traffic going back to the ISP?
/interface vlan is a pipe which takes frames tagged with its VID from the underlying interface to which it is attached and untags them; in the opposite direction, it tags untagged frames. So when you attach your (static or dynamic) IP configuration to /interface vlan and send a packet from there, the /interface vlan tags it and sends it out to the underlying bridge or other L2 interface which then handles it further.

The mangle rules can set both "real" fields in the IP packet header, like the DSCP field, and the "metafields", like connection-mark or routing-mark, which are not actual fields of the packet header but travel through the kernel along with the packet on its internal "tag". The priority field is something in between, as at IP level it is a metafield but /interface vlan can translate it into 802.1Q priority (CoS) field of the VLAN tag, and /interface wireless can translate it into a WMM field of the wireless frame (and vice versa in the opposite direction).

Terminologically,
  • QoS is a common name of the method of ensuring that more important packets get priority handling,
  • CoS (class of service) is the name of the three-bit field in the 802.1Q tag (so L2)
  • DSCP (differentiated services control point) or TOS (type of service) are two different ways to indicate the QoS class of the packet in the IP header (so L3)
In most devices, you have to define your own rules to map between CoS and DSCP/TOS, and you can assign any of them or both based on other criteria (source/destination address etc.).

Mangle rules handle IP packets before and after routing - see here and here. But the handling of DHCP packets is different and is not mentioned on these pictures. And that's the reason why you have to use a rule in /interface bridge filter, which unfortunately requires, as the first step, to insert a bridge into the path between the /interface vlan and interface ethernet.

The way Google Fiber and the OP's ISP use the CoS field in the VLAN tag is rather a misuse to me, because normally it is used to convey the information about frame priority, not that it would have to contain a single mandatory value. But I have no idea what weakness of their system they had to circumvent this way, so I am careful to judge. See more details here.

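To confirm in a sniffer capture what the post above describes (a DHCP Discover leaving ether1-WAN inside an 802.1Q tag whose 3-bit CoS field is 6 and whose VID is 832), here is a small frame checker, added as an example and not taken from the forum or from MikroTik. The frames it tests are constructed inline rather than taken from the OP's capture, and the VID 832 / priority 6 requirement is the one the OP states for his ISP.

```python
"""Inspect an Ethernet frame for the 802.1Q tag (VID and 3-bit CoS/PCP) and for DHCP.

Added example for this thread, not forum or MikroTik code.  Sample frames are
constructed by build_dhcp_discover_frame(); they are not from the OP's sniff file.
"""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67


def parse_frame(frame: bytes) -> dict:
    """Summarise one frame: tag presence, VID, PCP (CoS), DEI and DHCP-to-server."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    info = {"tagged": False, "vid": None, "pcp": None, "dei": None, "dhcp_to_server": False}
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits), then the inner EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[offset + 9]
        if proto == IPPROTO_UDP and len(frame) >= offset + ihl + 8:
            _sport, dport = struct.unpack("!HH", frame[offset + ihl:offset + ihl + 4])
            info["dhcp_to_server"] = dport == DHCP_SERVER_PORT   # client -> server messages
    return info


def meets_isp_requirement(frame: bytes, vid: int = 832, pcp: int = 6) -> bool:
    """True when a client DHCP frame carries the VID and CoS the OP's ISP expects."""
    info = parse_frame(frame)
    return info["tagged"] and info["vid"] == vid and info["pcp"] == pcp and info["dhcp_to_server"]


def build_dhcp_discover_frame(vid=None, pcp=0) -> bytes:
    """Constructed test frame: broadcast Ethernet, optional 802.1Q tag, IPv4, UDP 68->67.

    The UDP payload is only a BOOTREQUEST op byte plus filler, enough for the checks above;
    the IPv4 checksum is left at zero because the parser never validates it.
    """
    payload = b"\x01" + b"\x00" * 7
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + bytes.fromhex("001122334455")   # constructed source MAC
    if vid is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip
    tci = (pcp << 13) | (vid & 0x0FFF)
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    for label, frame in (("untagged", build_dhcp_discover_frame()),
                         ("vid832/pcp6", build_dhcp_discover_frame(vid=832, pcp=6))):
        print(label, parse_frame(frame), meets_isp_requirement(frame))
```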
 
CZFan
Forum Guru
Posts: 1258
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN over Bridge

Sat May 11, 2019 9:57 pm

...
The way Google Fiber and the OP's ISP use the CoS field in the VLAN tag is rather a misuse to me, because normally it is used to convey the information about frame priority, not that it would have to contain a single mandatory value. But I have no idea what weakness of their system they had to circumvent this way, so I am careful to judge. See more details here.

I suspect the OP is from France and using Orange as ISP, read somewhere on this forum a post from back in 2016 IIRC talking same stuff.

My suspicion / speculation is they use it to try and lock in clients using their routers / CPE devices
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sat May 11, 2019 10:04 pm

BTW, @zigjack, I think you may (or may even have to) simplify the /interface bridge filter rule down to just
action=set-priority chain=output new-priority=6 out-bridge=bridgePrio6 out-interface=ether1-WAN
i.e. that it is not necessary to set the CoS field exclusively for DHCP packets. I don't know in which order the match conditions are evaluated, but rewriting the three bits in the tag may be equally CPU consuming as finding out that the frame doesn't match udp protocol and a particular port in it.

But I admit that it may require some more fiddling if, as @CZFan suggests, the purpose of the exercise with a mandatory CoS value is to discourage clients from using their own gear. Oh yes, and my own bet is not France but Germany/Switzerland/Austria ;)

 
Error0x29A
newbie
Posts: 30
Joined: Thu Feb 28, 2019 5:48 pm

Re: VLAN over Bridge

Sat May 11, 2019 11:02 pm

First of all, wait a couple of minutes after disconnecting the ISP box before trying your DHCP client. Some OLTs have a MAC anti-spoofing mechanism.
If OLT learns the same MAC address from two or more ONTs on the same GPON it will block the inflow from the last ONT.

It also might be necessary for your DHCP client to include proper:
Client ID
User Class
Vendor Class ID
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sat May 11, 2019 11:28 pm

It also might be necessary for your DHCP client to include proper:
Client ID
User Class
Vendor Class ID
The configuration indicates the OP has taken appropriate measures :) :

/ip dhcp-client option
add code=90 name=authentication value="XXXXX"
add code=77 name=userclass value="XXXXX"
add code=60 name=vendorclass value=0x736167656d
(0x736167656d = "sagem")
 
Samot
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: VLAN over Bridge

Sun May 12, 2019 12:44 am

Do yourself a favor and have a look at sindy's post history so you can get some understanding of sindy's knowledge
Uhm, my point was that the little tangent that was being taken wasn't needed and there were other problems with the config. I actually am pretty aware of Sindy's knowledge and in no way think Sindy lacks knowledge or experience. I pay attention to Sindy's posts when on topic because they can give insight on things. So to recap, I didn't correct Sindy or say anything stated by Sindy was wrong in any way. I just pointed out things I noticed were wrong in the config.

Also, if my points were wrong please educate me so I won't be wrong again in the future when it comes to this.
 
anav
Forum Guru
Posts: 2829
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN over Bridge

Sun May 12, 2019 5:35 am

Thanks Sindy for the explanation.
No harm in a bridge for DHCP purposes (was hit over the head with a ruler I think by Sob, the first time I questioned WAN and bridges LOL). It just is confusing for people when adding other bits of their network on the same bridge. So, assuming then that one can have a bridge for DHCP WANVLAN to router, and another bridge for normal vlans on the network.
Hope you're enjoying the virtual chocolates! ;-)
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sun May 12, 2019 12:59 pm

No harm in a bridge for DHCP purposes (was hit over the head with a ruler I think by Sob, first time I questioned WAN and bridges LOL).
You'd have to provide a link to the particular case, but although I've never met Sob (or I have but haven't realized it was him), I think I know him enough to safely assume he had good reasons to do so.

It just is confusing for people when adding other bits of their network on the same bridge. So, assuming then that one can have a bridge for DHCP WANVLAN to router, and another bridge for normal vlans on the network.
Well, confusing... everything is confusing if you start learning from the middle.

Once upon a time (40 years ago maybe) all the network cards on a LAN were connected together using the same coaxial cable, so each card could hear what any other card was saying, so effectively only one could successfully transmit a packet at a time. Nominal speed 10 Mbit/s, effective speeds about 1 Mbit/s if you were lucky as if two cards started transmitting at the same time, both transmissions were corrupt and both cards had to retry.

Then, people got fed up with the plumbing-like installations where you had to physically drill a tap into the main cable to connect another network card, so they came with twisted pair and hubs, where the physical topology was a star rather than a snake-between-tables, but the logical one, i.e. that each card could hear all the other ones, was still there.

So the next step were switches which learned automatically which device is connected to which port and only sent frames for that device out that port instead of spamming all, so if four devices held two independent conversations (A<->B and C<->D) via the same switch, both pairs could use the full bandwidth of their ports as the other conversation didn't interfere. Awesome. And it also made it possible to connect several switches and make more complex topologies.

All that time, several unrelated L3 subnets could coexist on the same media. Then, people came with the idea that it would be fine to create independent topologies for different groups of devices using the same switches, so the VLANs were invented. And it was a logical evolution that people started using a dedicated VLAN for each L3 subnet, although it is not a dogma and nothing on the technical side prevents you from not using this best practice.

When you stick with hardware switches capable of handling VLANs on one hand, and devices which cannot handle VLANs on their own on the other hand, the topology with a single switch and many VLANs on it is the only one physically possible. But as everything can be done in software if you have enough time and CPU power, the general-purpose computers started implementing the L2 functionality including VLANs in software; because the word "switching" suggests that the decisions what to do with the frame are done in hardware alone, the same behaviour implemented in software is called "bridging".

So in Mikrotik, a single bridge hosting all the VLANs causes no headache to people who have previous experience with hardware switches. What may cause a headache, however, is that with vlan-filtering=no, the bridge behaves like a simple switch which is itself not VLAN-aware and just forwards the frames based on their destination MAC-address regardless whether they bear a VLAN tag or not - it cannot tag frames on ingress and untag them on egress, it cannot care about the membership of ports in a VLAN as it doesn't understand the very notion of VLAN ID. So until all this VLAN-related functionality, including the associated configuration tools, has been implemented, you had to use a separate bridge for each VLAN and do the tagging and untagging by means of /interface vlan attached directly to physical interfaces. So for each VLAN to be forwarded between ether1 and ether2, you needed two /interface vlan and one bridge. What is important is that all these bridges have independent forwarding tables relating remote MAC addresses to local ports.

Addition of vlan-filtering=yes has made it possible to work with the software bridges in Mikrotik as with VLAN-aware physical switches, but the other way of using them is still preserved, and hopefully will not be removed. So currently you can create several VLAN-aware bridges in a single device, which behave like independent switches, and on top of that several per-VLAN bridges if you want or need, so things like handling of stacked VLAN tags, VLAN ID remapping etc. are possible.

So if we get back to the OP - yes, what he's added a dedicated bridge for could have been done using the single bridge already configured by default. The question is whether it would be less confusing if he used a single bridge. Also I keep following the approach I've already advertised elsewhere - first make it work, then care about beauty.
 
mkx
Forum Guru
Posts: 2433
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN over Bridge

Sun May 12, 2019 1:12 pm

... first make it work, then care about beauty.
So you're an unartistic technical geek. ;-)

Joke put aside, you hit the nail on the head ... again.
BR,
Metod
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sun May 12, 2019 1:15 pm

Uhm, my point was that the little tangent that was being taken wasn't needed and there were other problems with the config.
I agree with the green part (the DHCP client being attached to the /interface bridge rather than /interface vlan carried by that bridge), but I disagree with the red part - the very goal is to send and expect the WAN packets as tagged frames on the physical interface, and the changes I've suggested were necessary to reach that goal. The previous state was neutralizing all the effort spent by making the physical interface an access port rather than a trunk one for the VLAN ID in question.

Also, if my points were wrong please educate me so I won't be wrong again in the future when it comes to this.
I've addressed each of your 4 points in post #11, and was expecting you to provide more details on points 1. and 2. if you insist there is something I haven't noticed.

In other words, I fully agree with you that an /interface bridge cannot be made an /interface bridge port of another bridge, so nothing to educate you about, but I cannot see such a mistake in the OP's configuration.

I disagree with you that the corrections I suggested in my first post were useless, for the reasons explained above (so I consider education provided on that point).

So as I see it, I've missed the misplacement of the DHCP client which you have spotted, and you have missed the correct placement of ether1-WAN in the bridge and the purpose of my suggested changes, so it again confirms that teamwork is a very useful thing :)

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

Re: VLAN over Bridge

Sun May 12, 2019 2:25 pm

Me again!
First of all, thank you for all this feedback, I wasn't expecting such enthusiasm for my issue, but it's good to see! Very much appreciated! :D
Coming back quickly on the comments:

-Yes I am sure that I cannot change priority with the switch rules. I first tried, had an error message telling me it was not possible and had the confirmation through Mikrotik documentation that this chip, in RB4011, is not able to handle that. Hence, the need for the vlan over bridge :)
-I don't really know why this VLAN and priority are needed, but I saw them in what was coming out of the ISP box and had the confirmation through the French forums of people with the same ISP as me.
-Same thing for the options, I got them from the ISP box and put them in the DHCP client options.
-Yes, I have 2 DHCP clients, the one I am using through my ISP box (otherwise I would not be able to post this :) ) and the other one I am trying to set up. But, of course, only one is enabled at a time, though I admit it is not very clear in the config file I am exporting with winbox...

Then coming back to the business :)
I have performed all the advised modifications, and the DHCP client now goes into "requesting" status, one step further :)
I have simplified the filter rule as well, as recommended, but then it means that all the packets would be tagged at priority 6, which would impact the bandwidth I assume...
But as you said, "let it work" first, we will see about that after :)

If I sniff packets either on ether1 or bridgeprio6, I can see the DHCP Discovery, Offer and Request, but no Ack. I see as well that the VLAN tag is here now :) but the priority remains at 0... :? I am almost sure that I don't receive this Ack due to that...

Here is the new conf file, if you see something wrong...
Again, thank you all for your time :)

PS sindy: What does "OP" stand for?

Code:

# may/12/2019 13:00:06 by RouterOS 6.44.2
# software id = 6DZP-Q4TF
#
# model = RB4011iGS+
# serial number = AAAF09CD4344
/interface bridge
add admin-mac=B8:69:F4:XX:XX:XX auto-mac=no comment=defconf name=bridge
add fast-forward=no ingress-filtering=yes name=bridgePrio6 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
add interface=bridgePrio6 name=Vlan832 vlan-id=832
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=90 name=authentication value="XXXXXX"
add code=77 name=userclass value="XXXXXX"
add code=60 name=vendorclass value=0x736167656d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge filter
add action=set-priority chain=output log=yes new-priority=6 out-bridge=\
bridgePrio6 out-interface=ether1-WAN passthrough=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridgePrio6 tagged=bridgePrio6,ether1-WAN vlan-ids=832
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-WAN
add dhcp-options=hostname,clientid,authentication,vendorclass,userclass \
disabled=no interface=Vlan832
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=XXXXX
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name="sniff 12 Mai" filter-interface=ether1-WAN
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sun May 12, 2019 3:13 pm

PS sindy: What does "OP" stand for?
OP is the Original Post or the Original Poster (= you here), depending on context.

What makes me slide is that it doesn't work now. When you sniff at the bridge, you get the packets before the bridge filter rule in chain=output could do something, but as you sniff at ether1-WAN, you see the frames after the bridge filter rule should have already done its job. So that leaves us with just two options, the rule doesn't match the packets or it doesn't set the priority.

So what is the output of
/interface bridge filter print
and of
/interface bridge filter print stats
?

also, what can you see when you run
tool sniffer quick interface=ether1-WAN mac-protocol=arp

while running, in another window,
ping 192.168.33.33 arp-ping=yes interface=Vlan832
?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

Re: VLAN over Bridge

Sun May 12, 2019 3:50 pm

Here you go:

interface bridge filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=set-priority new-priority=6 passthrough=no out-interface=ether1-WAN
out-bridge=bridgePrio6 log=yes log-prefix=""

interface bridge filter print stats
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS
0 output set-priority 303688 1084

tool sniffer quick interface=ether1-WAN mac-protocol=arp
INTE... TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS

ethe... 43.397 44 -> B8:69:F4:XX:XX:XX FF:FF:FF:FF:FF:FF 832 0.0.0.0: who has 192.168.33.33?
ethe... 44.305 45 <- A0:F3:E4:59:7B:AA A4:3E:51:XX:XX:XX 832:7 86.XXX.XX.1: who has 86.XXX.YY.109?
ethe... 44.399 46 -> B8:69:F4:XX:XX:XX FF:FF:FF:FF:FF:FF 832 0.0.0.0: who has 192.168.33.33?

So I understand we can see that some packets are going through the filter... but it doesn't set the priority, right?
For the sake of clarity, I have to say that one of the DHCP options I have modified is option 61, "clientid", in which I have set the MAC of the ISP box, which is the second MAC on line 45; the first MAC is the MAC that is sending the Offer...
But I don't know what to do with that information :)

I'll come back later, have a nice day btw! :D
 
anav
Forum Guru
Posts: 2829
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN over Bridge

Sun May 12, 2019 5:06 pm

As an aside, this was the same result for my old Zyxel router. The stupid router would not respond with the correct priority on the handshake and thus would never get a TV IP address. The CoS setting would work every other time/place except for the original handshake, most frustrating. Would love to see this one solved! Just to say I know your frustration and honestly hoping for the best on this one.
(As for artistry, so far Sindy's solution is so ugly it makes blind children cry!! baddaboom)

Seems to be not a new issue!!
viewtopic.php?t=106144

I was looking at Bridge filter and there appears to be two places for priority (don't see where the op found NEW PRIORITY for his settings??)
1 - (GENERAL TAB) ingress priority
2 - (ADVANCED TAB) vlan priority
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sun May 12, 2019 5:36 pm

So I understand we can see that some packets are going through the filter... but it doesn't set the priority, right?
Right. So I started investigating what the heck is going on and the conclusion is that action=set-priority in /interface bridge filter silently fails if vlan-filtering=yes on the bridge. I suppose it is a bug, and I suppose it happens because the CoS field is a part of the VLAN tag which vlan-filtering=yes is interested in.

So since there are actually no other VLANs than 832 on bridgePrio6, you can set vlan-filtering=no on that bridge and you'll finally start setting the frames' priority. As a "side effect", the pvid parameter of /interface bridge port interface=ether1-WAN as well as all rows (or the single one in your case) with bridge=bridgePrio6 in /interface bridge vlan will stop being important.

For the sake of clarity, I have to say that one of the DHCP options I have modified is option 61, "clientid", in which I have set the MAC of the ISP box, which is the second MAC on line 45; the first MAC is the MAC that is sending the Offer...
But I don't know what to do with that information :)
This may be an important moment if the Alcatel-Lucent box on the remote end checks that the source MAC address of the DHCPDISCOVER and DHCPREQUEST matches the Client-ID field in the packet body; to stay on the safe side, do /interface bridge set bridgePrio6 auto-mac=no admin-mac=A4:3E:51:XX:XX:XX protocol-mode=none.

The auto-mac=no admin-mac=... part makes sure that the packets will use the MAC of the ISP-provided box also as source MAC address of the Ethernet frames carrying the ARP and IP packets (including DHCP) and the protocol-mode=none part prevents STP BPDUs from being sent to the ALu box.


I have simplified as well the filter rule as recommended, but then it means that all the packets would be tagged at priority 6 which would impact the bandwith I assume...
If setting of CoS=6 for all frames has an impact on bandwidth, we'll have to do some additional black magic to set it selectively for DHCP packets alone. The issue is that bridge-filter can match only on fields of the topmost ethertype in the stack, so once there is a VLAN tag on the frame, you cannot match on fields of the IP header or even of the UDP or TCP headers.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
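The priority sindy refers to is the 3-bit PCP field inside the 802.1Q tag, which is why it can only be set on a frame that already carries a tag. The following Python is an added example written for this thread, not code from the thread or from RouterOS: it decodes and rewrites that tag on a constructed frame, and it assumes the sniffer's "832:7" column is read as VLAN ID 832 with PCP 7.

```python
"""Decode and rewrite the 802.1Q tag of an Ethernet frame (added example).

The CoS value the ISP expects on DHCP frames is the 3-bit PCP field of the
802.1Q Tag Control Information (TCI), which sits between the source MAC and
the payload ethertype. The sample frame below is constructed, not captured,
and the "832:7" = VID:PCP reading of the sniffer output is an assumption.
"""
import struct
from typing import NamedTuple, Optional

ETHERTYPE_VLAN = 0x8100   # TPID that announces an 802.1Q tag
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


class Dot1QTag(NamedTuple):
    vlan_id: int    # 12-bit VID (832 in the thread)
    pcp: int        # 3-bit Priority Code Point, the "CoS" / priority value
    dei: int        # 1-bit Drop Eligible Indicator
    ethertype: int  # ethertype of the payload that follows the tag


def parse_tag(frame: bytes) -> Optional[Dot1QTag]:
    """Return the 802.1Q tag of a frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != ETHERTYPE_VLAN:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return Dot1QTag(vlan_id=tci & 0x0FFF, pcp=tci >> 13,
                    dei=(tci >> 12) & 1, ethertype=inner_type)


def set_priority(frame: bytes, new_priority: int) -> bytes:
    """Rewrite only the PCP bits, which is what bridge filter
    action=set-priority new-priority=6 is meant to do; VID, DEI and payload
    stay untouched. An untagged frame has no TCI, so there is nothing to set."""
    if not 0 <= new_priority <= 7:
        raise ValueError("PCP is a 3-bit field (0..7)")
    if parse_tag(frame) is None:
        raise ValueError("cannot set a VLAN priority on an untagged frame")
    (tci,) = struct.unpack_from("!H", frame, 14)
    tci = (tci & 0x1FFF) | (new_priority << 13)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def vlan_column(frame: bytes) -> str:
    """Render the tag the way the sniffer's VLAN column is read in the thread:
    "832" when the priority is 0, "832:7" when it is 7 (assumed notation)."""
    tag = parse_tag(frame)
    if tag is None:
        return ""
    return str(tag.vlan_id) if tag.pcp == 0 else f"{tag.vlan_id}:{tag.pcp}"


def build_tagged_frame(dst: bytes, src: bytes, vlan_id: int, pcp: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Assemble dst | src | TPID | TCI | ethertype | payload."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


# Constructed sample: a broadcast ARP request from a locally administered MAC,
# tagged VLAN 832 with priority 0, like the outgoing "832" lines in the sniff.
BROADCAST = b"\xff" * 6
SAMPLE_SRC = bytes.fromhex("020000000001")
SAMPLE_FRAME = build_tagged_frame(BROADCAST, SAMPLE_SRC, 832, 0,
                                  ETHERTYPE_ARP, b"\x00" * 28)

if __name__ == "__main__":
    print("before:", vlan_column(SAMPLE_FRAME))                  # 832
    print("after: ", vlan_column(set_priority(SAMPLE_FRAME, 6)))  # 832:6
```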
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sun May 12, 2019 5:56 pm

Seems to be not a new issue!!
viewtopic.php?t=106144
The best point there is the last post which confirms that the DSCP value is not important and only the value in CoS matters. Hope no one visits this forum from that ISP whose name better not be named to avoid drawing attention of robots browsing the internet for mentions of their name to this post.

I was looking at Bridge filter and there appears to be two places for priority (don't see where the op found NEW PRIORITY for his settings??)
In WebFig, it is even lower in the form, in the "Action" section, so it must be somewhere around there also in Winbox. Both ingress-priority and vlan-priority are match conditions, no idea how exactly they are related.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

Re: VLAN over Bridge

Sun May 12, 2019 7:21 pm

As an aside this was the same result for my old zyxel router. The stupid router would not respond with the correct priority on the handshake and thus would never get a TV IP address. The CoS setting would work every other time/place except for the original handshake, most frustrating. Would love to see this one solved! Just to say I know your frustration and honestly hoping for the best on this one.
(As for artistry, so far Sindy's solution is so ugly it makes blind children cry!! baddaboom)

Seems to be not a new issue!!
viewtopic.php?t=106144

I was looking at Bridge filter and there appears to be two places for priority (don't see where the op found NEW PRIORITY for his settings??)
1 - (GENERAL TAB) ingress priority
2 - (ADVANCED TAB) vlan priority
Thanks for sharing this other thread, I'll have a look.
And for the new priority settings, it is neither one nor the other, it is located in the "Action" tab in winbox :) Btw, I have not set anything in the General and Advanced tabs regarding this priority, I assume that this is correct, right?
 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

Re: VLAN over Bridge

Sun May 12, 2019 7:29 pm

So I understand we can see that some packets are going through the filter... but it doesn't set the priority, right?
Right. So I started investigating what the heck is going on and the conclusion is that action=set-priority in /interface bridge filter silently fails if vlan-filtering=yes on the bridge. I suppose it is a bug, and I suppose it happens because the CoS field is a part of the VLAN tag which vlan-filtering=yes is interested in.

So since there are actually no other VLANs than 832 on bridgePrio6, you can set vlan-filtering=no on that bridge and you'll finally start setting the frames' priority. As a "side effect", the pvid parameter of /interface bridge port interface=ether1-WAN as well as all rows (or the single one in your case) with bridge=bridgePrio6 in /interface bridge vlan will stop being important.

For the sake of clarity, I have to say that one of the DHCP options I have modified is option 61, "clientid", in which I have set the MAC of the ISP box, which is the second MAC on line 45; the first MAC is the MAC that is sending the Offer...
But I don't know what to do with that information :)
This may be an important moment if the Alcatel-Lucent box on the remote end checks that the source MAC address of the DHCPDISCOVER and DHCPREQUEST matches the Client-ID field in the packet body; to stay on the safe side, do /interface bridge set bridgePrio6 auto-mac=no admin-mac=A4:3E:51:XX:XX:XX protocol-mode=none.

The auto-mac=no admin-mac=... part makes sure that the packets will use the MAC of the ISP-provided box also as source MAC address of the Ethernet frames carrying the ARP and IP packets (including DHCP) and the protocol-mode=none part prevents STP BPDUs from being sent to the ALu box.


I have simplified as well the filter rule as recommended, but then it means that all the packets would be tagged at priority 6 which would impact the bandwith I assume...
If setting of CoS=6 for all frames has an impact on bandwidth, we'll have to do some additional black magic to set it selectively for DHCP packets alone. The issue is that bridge-filter can match only on fields of the topmost ethertype in the stack, so once there is a VLAN tag on the frame, you cannot match on fields of the IP header or even of the UDP or TCP headers.
BUMMER!!
It works!!
I am writing this reply without the ISP box!! :D :D :D
The DHCP client binds immediately with those settings, and I just had to create a new masquerade NAT rule with Vlan832 as out interface and everything runs well now!
I am doing some further tests, but just wanted to share the good news!
Thank you again for all your swift and efficient feedback! You're MASTERS! :D
 
anav
Forum Guru
Posts: 2829
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN over Bridge

Sun May 12, 2019 9:27 pm

hey zigjack can you post a working config for us (slow me) to look at please!
CONGRATS!!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

Re: VLAN over Bridge

Sun May 12, 2019 10:31 pm

Sure, here it is:
# may/12/2019 18:30:31 by RouterOS 6.44.2
# software id = 6DZP-Q4TF
#
# model = RB4011iGS+
# serial number = AAAF09CD4344
/interface bridge
add admin-mac=B8:69:F4:XX:XX:XX auto-mac=no comment=defconf name=bridge
add admin-mac=A4:3E:51:XX:XX:XX auto-mac=no fast-forward=no name=bridgePrio6 \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
add interface=bridgePrio6 name=Vlan832 vlan-id=832
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=90 name=authentication value="XXXXXXX"
add code=77 name=userclass value="XXXXXXX"
add code=60 name=vendorclass value=0x736167656d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge filter
add action=set-priority chain=output log=yes new-priority=6 out-bridge=\
    bridgePrio6 out-interface=ether1-WAN passthrough=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridgePrio6 ingress-filtering=yes interface=ether1-WAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridgePrio6 tagged=bridgePrio6,ether1-WAN vlan-ids=832
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-WAN
add dhcp-options=hostname,clientid,authentication,vendorclass,userclass \
    disabled=no interface=Vlan832
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=Vlan832
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=XXXXX
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name="sniff 12 Mai" filter-interface=ether1-WAN

I am now digging in the speed part of things, my upload is horrible (around 0.4 Mb/s, not that good for FTTH :? ) but if I set back the bridge filter rule with MAC-protocol to IP, Src port to 68, Dst port to 67 and protocol to UDP, the upload goes up to 40. The downside is that the DHCP Client cannot rebind to the ISP servers...
The download is not that good either, around 6, and is not affected by the change above...

Any suggestions? :)
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Sun May 12, 2019 11:33 pm

I am now digging in the speed part of things, my upload is horrible (around 0.4 Mb/s, not that good for FTTH :? ) but if I set back the bridge filter rule with MAC-protocol to IP, Src port to 68, Dst port to 67 and protocol to UDP, the upload goes up to 40. The downside is that the DHCP Client cannot rebind to the ISP servers...
The download is not that good too, around 6, and is not affected by this above change...
Well, by setting the filter rule back to match on mac-protocol=ip you have just neutralized it, so there is no surprise that the DHCP client cannot bind.

So those guys are really evil and want you to set CoS to 6 only for DHCP, okay. What bothers me more is whether the download via the 4011 is slower than with the device they provide. It kinda should be tens of megabits if you can upload at 40M... I mean, what sense does it make to spend the effort on fixing upload if download will be 10 times less than with the original box.

Anyway, to fix the upload, you'll have to rearrange the order of elements in the WAN chain from current (ether1 <-> bridge <-> interface vlan <-> dhcp client) to (ether1 <-> interface vlan <-> bridge <-> dhcp client) and use the bridge filter rule the way you have modified it, just with another out-interface:
action=set-priority chain=output mac-protocol=ip ip-protocol=udp dst-port=67 new-priority=6 out-bridge=bridgePrio6 out-interface=Vlan832

To do this, first save the backup of the current configuration. Next, add the modified rule above to /interface bridge filter (you'll remove the existing one later, they don't collide). Then do
/ip dhcp-client set [find interface=Vlan832] interface=bridgePrio6 (to move the DHCP client from the /interface vlan to the /interface bridge)
/interface vlan set Vlan832 interface=ether1-WAN (to attach the tagged end of the /interface vlan directly to /interface ethernet)
/interface bridge port set [find interface=ether1-WAN] interface=Vlan832 (to make the /interface vlan a member port of the bridge rather than the /interface ethernet).


Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

Re: VLAN over Bridge

Tue May 14, 2019 8:23 pm

Hi there!

So I have tried as suggested, but the DHCP Client gets stuck on "requesting" stage.
Here is the config file (scrapped the annoying part):
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
add interface=ether1-WAN name=Vlan832 vlan-id=832
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge filter
# in/out-bridge-port matcher not possible when interface (Vlan832) is not slave
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes \
    mac-protocol=ip new-priority=6 out-bridge=bridgePrio6 out-interface=\
    Vlan832 passthrough=no src-port=68
/interface bridge port
add bridge=bridgePrio6 ingress-filtering=yes interface=Vlan832
/interface bridge vlan
add bridge=bridgePrio6 tagged=bridgePrio6,ether1-WAN vlan-ids=832
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-WAN
add dhcp-options=hostname,clientid,authentication,vendorclass,userclass \
    disabled=no interface=bridgePrio6
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=Vlan832
add action=dst-nat chain=dstnat dst-port=443 in-interface=Vlan832 protocol=\
    tcp to-addresses=192.168.88.81 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=Vlan832 protocol=tcp \
    to-addresses=192.168.88.81 to-ports=80
And about the speed tests I made on Sunday, they were done on my former desktop, which must have an issue; I re-ran them on my laptop and it is much better:
Without MAC protocol ip, protocol UDP, port 67-68:
Download 185 Mb/s; Upload 0.5 Mb/s
With MAC protocol ip, protocol UDP, port 67-68:
DL: 213; UL: 224
There is still the issue with UL, but DL side is ok ;)
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Tue May 14, 2019 9:46 pm

So I have tried as suggested, but the DHCP Client gets stuck on "requesting" stage.
Here is the config file (scrapped the annoying part) :
There must be something rotten. What does /interface bridge export verbose, /interface bridge print detail, and /interface bridge port print detail say (before you do what I suggest below)? The point is that the rule in interface bridge filter has a warning # in/out-bridge-port matcher not possible when interface (Vlan832) is not slave next to it, but the next part of the configuration says it actually is:

/interface bridge port
add bridge=bridgePrio6 ingress-filtering=yes interface=Vlan832


There is a mistake in the following section (ether1-WAN is not a member port of the bridge so there is no point in making it a tagged member of a VLAN on that bridge), but when I replicated this configuration on my hAP ac lite, I didn't get the same error on the filter rule. There must be bridge-filtering=no at the bridge anyway so the whole /interface bridge vlan section should be left empty, and the ingress-filtering=yes in the /interface bridge port item for Vlan832 should also be changed to the default no, but none of these explains that error.

So maybe remove everything from /interface bridge port that is related to bridgePrio6 (not the lines referring to the other bridge, otherwise you'd lose access to the machine), /interface bridge vlan, /interface bridge filter, then remove Vlan832, the /ip dhcp-client attached to bridgePrio6, and finally bridgePrio6 itself.

Then, reboot the machine, and then create all that stuff again in the following order:
  1. Vlan832 on ether1-WAN
  2. bridgePrio6 with protocol-mode=none vlan-filtering=no
  3. /interface bridge port add bridge=bridgePrio6 interface=Vlan832
  4. /interface bridge filter add action=set-priority chain=output dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-bridge=bridgePrio6 out-interface=Vlan832 src-port=68
  5. IMPORTANT: /interface list member add list=WAN interface=bridgePrio6 (otherwise the default firewall rules referring to interface-list=WAN won't work, letting the "filth from the net" in)
  6. add the /ip dhcp-client to bridgePrio6

And about the speed tests I made on Sunday: they were done on my former desktop, which seems to have an issue. I have re-performed them on my laptop and it is much better:
...
There is still the issue with UL, but the DL side is ok ;)
Good. It would be a real disappointment to find out that all the effort was in vain.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

Re: VLAN over Bridge

Tue May 14, 2019 10:38 pm

Thanks for the fast feedback! :D

Here is the outcome of the 3 commands:
/interface bridge export verbose
/interface bridge
add admin-mac=B8:69:F4:XX:XX:XX ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no comment=defconf dhcp-snooping=no disabled=no fast-forward=yes forward-delay=15s igmp-snooping=no max-message-age=20s mtu=auto \
    name=bridge priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
add admin-mac=A4:3E:51:XX:XX:XX ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no dhcp-snooping=no disabled=no fast-forward=no igmp-snooping=no mtu=auto name=bridgePrio6 protocol-mode=none vlan-filtering=no
/interface bridge filter
add action=set-priority !arp-dst-mac-address !arp-gratuitous !arp-hardware-type !arp-opcode !arp-packet-type !arp-src-mac-address chain=output disabled=no !dst-address !dst-mac-address !dst-port !in-bridge \
    !in-bridge-list !in-interface !in-interface-list !ingress-priority !ip-protocol !limit log=yes log-prefix="" !mac-protocol new-priority=6 out-bridge=bridgePrio6 !out-bridge-list out-interface=ether1-WAN \
    !out-interface-list !packet-mark !packet-type passthrough=no !src-address !src-mac-address !src-port !stp-flags !stp-port !stp-root-address !stp-root-cost !stp-sender-address !stp-type !tls-host !vlan-encap \
    !vlan-id !vlan-priority
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=no interface=ether2 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=\
    yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=no interface=ether3 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=\
    yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=no interface=ether4 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=\
    yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=no interface=ether5 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=\
    yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=no interface=ether6 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=\
    yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=no interface=ether7 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=\
    yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=no interface=ether8 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=\
    yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=no interface=ether9 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=\
    yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=no interface=ether10 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=\
    yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=\
    yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridgePrio6 broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=ether1-WAN internal-path-cost=\
    10 learn=auto multicast-router=temporary-query path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface bridge vlan
add bridge=bridgePrio6 disabled=no tagged=bridgePrio6,ether1-WAN untagged="" vlan-ids=832


/interface bridge print detail
Flags: X - disabled, R - running 
 0 R ;;; defconf
     name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=B8:69:F4:XX:XX:XX protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=B8:69:F4:XX:XX:XX 
     ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no 

 1 R name="bridgePrio6" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=A4:3E:51:XX:XX:XX protocol-mode=none fast-forward=no igmp-snooping=no auto-mac=no admin-mac=A4:3E:51:XX:XX:XX 
     ageing-time=5m vlan-filtering=no dhcp-snooping=no 


/interface bridge port print detail
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 0 I   ;;; defconf
       interface=ether2 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 1 I   ;;; defconf
       interface=ether3 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 2 I   ;;; defconf
       interface=ether4 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 3 I   ;;; defconf
       interface=ether5 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 4 I   ;;; defconf
       interface=ether6 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 5 I   ;;; defconf
       interface=ether7 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 6     ;;; defconf
       interface=ether8 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 7 I   ;;; defconf
       interface=ether9 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 8 I   ;;; defconf
       interface=ether10 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 9 I   ;;; defconf
       interface=sfp-sfpplus1 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

10   H interface=ether1-WAN bridge=bridgePrio6 priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

I'll restart setup as per your advice, back in a few minutes... or hours :lol:

So maybe remove everything from /interface bridge port that is related to bridgePrio6 (not the lines referring to the other bridge, otherwise you'd lose access to the machine)
Btw, I already did that a few days after getting my MikroTik... Now I know... 8)
 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

Re: VLAN over Bridge

Wed May 15, 2019 9:00 pm

Back!
Unfortunately the suggested modification brought me back to the DHCP client being stuck on searching...

Here is the config file, did I make a mistake?
# may/15/2019 19:24:41 by RouterOS 6.44.2
# software id = 6DZP-Q4TF
#
# model = RB4011iGS+
# serial number = AAAF09CD4344
/interface bridge
add admin-mac=B8:69:F4:XX:XX:XX auto-mac=no comment=defconf name=bridge
add name=bridgePrio6 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
add interface=ether1-WAN name=vlan832 vlan-id=832
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=90 name=authentication value="XXXXXX"
add code=77 name=userclass value="XXXXXXX"
add code=60 name=vendorclass value=0x736167656d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp \
    mac-protocol=ip new-priority=6 out-bridge=bridgePrio6 out-interface=\
    vlan832 passthrough=yes src-port=68
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridgePrio6 interface=vlan832
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=bridgePrio6 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-WAN
add dhcp-options=hostname,clientid disabled=no interface=bridgePrio6
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# no interface
add action=masquerade chain=srcnat out-interface=*F
 
sindy
Forum Guru
Posts: 3459
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over Bridge

Wed May 15, 2019 9:26 pm

I am missing the imitation of the Sagem device (use of the specific options in the /ip dhcp-client configuration and setting of auto-mac=no and the proper admin-mac value on bridgePrio6) in this export; otherwise it should work. If /interface bridge filter print stats shows a non-zero count of packets (and increasing), and if /tool sniffer quick interface=ether1 mac-address=ff:ff:ff:ff:ff:ff shows packets from 0.0.0.0:68 to 255.255.255.255:67 with VLAN 832:6 once every couple of seconds, the rule works but the source MAC address and/or client ID are ignored by the DHCP server.
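An added example (not from this thread, not RouterOS code): the verification sindy describes with /tool sniffer, as a small Python frame parser that a practitioner can run on offline capture bytes. It matches the same fields the bridge filter rule from the earlier post matches (mac-protocol=ip, ip-protocol=udp, src-port=68, dst-port=67) and reports the 802.1Q VLAN id and priority in the sniffer's "832:6" notation, so one can confirm whether the priority was really set before blaming the DHCP server. The sample frame, its client MAC address and all function names are constructed for the example; reading a real pcap file is not covered here.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet/802.1Q/IPv4/UDP headers relevant to the check.

    Returns pcp and vid (both None for an untagged frame), the IPv4 addresses
    and the UDP port pair when the frame carries UDP over IPv4.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"pcp": None, "vid": None, "src_ip": None, "dst_ip": None, "udp": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13        # 3-bit priority code point (the ":6")
        info["vid"] = tci & 0x0FFF     # 12-bit VLAN identifier (the "832")
        offset = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return info
    ihl = (frame[offset] & 0x0F) * 4   # IPv4 header length in bytes
    proto = frame[offset + 9]
    info["src_ip"] = ".".join(str(b) for b in frame[offset + 12:offset + 16])
    info["dst_ip"] = ".".join(str(b) for b in frame[offset + 16:offset + 20])
    udp_off = offset + ihl
    if proto == IPPROTO_UDP and len(frame) >= udp_off + 8:
        info["udp"] = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    return info


def is_prioritised_dhcp_request(frame: bytes, vid: int = 832, pcp: int = 6) -> bool:
    """True when the frame is what the set-priority bridge filter rule should emit:
    a DHCP client request (UDP 68 -> 67) tagged with the expected VLAN and PCP."""
    info = parse_frame(frame)
    return info["udp"] == (68, 67) and info["vid"] == vid and info["pcp"] == pcp


def summarize(frame: bytes) -> str:
    """One-line description in the 'VLAN vid:pcp src -> dst' style of the sniffer."""
    info = parse_frame(frame)
    tag = "untagged" if info["vid"] is None else f"VLAN {info['vid']}:{info['pcp']}"
    if info["udp"] is None:
        return f"{tag} (not UDP/IPv4)"
    sport, dport = info["udp"]
    return f"{tag} {info['src_ip']}:{sport} -> {info['dst_ip']}:{dport}"


def build_sample_dhcp_frame(pcp: int = 6, vid: int = 832, tagged: bool = True) -> bytes:
    """Constructed DHCP-DISCOVER-like frame (not a real capture). IP and UDP
    checksums are left at zero because parse_frame() does not verify them."""
    dst = bytes.fromhex("ffffffffffff")            # broadcast, as in the sniffer filter
    src = bytes.fromhex("a43e51000001")            # constructed client MAC
    payload = b"\x01\x01\x06\x00" + bytes(8)       # placeholder start of a BOOTP header
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 68, 67, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, bytes(4), b"\xff\xff\xff\xff") + udp
    if tagged:
        tci = (pcp << 13) | (vid & 0x0FFF)
        return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + ip
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    for frame in (build_sample_dhcp_frame(), build_sample_dhcp_frame(pcp=0),
                  build_sample_dhcp_frame(tagged=False)):
        verdict = "OK" if is_prioritised_dhcp_request(frame) else "not VLAN 832 priority 6"
        print(summarize(frame), "->", verdict)
```

The second and third sample frames show the two failure modes worth distinguishing in a capture: the tag is present but the PCP is still 0 (the bridge filter rule is not matching, so check /interface bridge filter print stats), or the frame left untagged entirely (the DHCP client is bound to the wrong interface).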
 
zigjack
just joined
Topic Author
Posts: 18
Joined: Wed Jan 30, 2019 9:37 pm

Re: VLAN over Bridge

Sat May 18, 2019 11:45 am

I just saw the error, I had completely forgotten to add the DHCP options in client to allow the chat between the ISP and the RB4011, not only the mac, but the other options as well...
Now this is sorted out, it just runs wonderfully! :)
Thank you again for all your precious help sindy, I really appreciate it! Forums are missing guys like you :D
Don't hesitate to PM if I can do anything for you in return!
