nemoforum
Frequent Visitor
Topic Author
Posts: 59
Joined: Thu Jan 05, 2017 11:08 pm

Better way to pass WAN (untagged) to LAN (tagged)?

Wed Feb 26, 2020 1:13 am

Hello!

Recently, I've found Manual:Layer2 misconfiguration - VLAN in bridge with a physical interface https://wiki.mikrotik.com/wiki/Manual:L ... interfaces .
I have the same configuration and would like to make it better. However, the provided solution is not suitable in my case, because it's impossible to add an interface to more than one bridge.

I have 2 IPs from my ISP: one for my router (hAP ac2) and one for my home server.
I want my server to be connected to LAN as well as connected to the internet directly, using the IP from ISP.
There is only one Ethernet port on the server.

Currently, my working config is:

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan

/interface vlan
add interface=ether2 name=vlan10 vlan-id=10

/interface bridge
add name=br-lan
add name=br-wan protocol-mode=none

/interface bridge port
add bridge=br-lan interface=wlan24
add bridge=br-lan interface=wlan50
add bridge=br-lan hw=no interface=ether2
add bridge=br-lan interface=ether3
add bridge=br-lan interface=ether4
add bridge=br-lan interface=ether5
add bridge=br-wan interface=ether1-wan
add bridge=br-wan interface=vlan10
add bridge=br-lan interface=wlan24.1
add bridge=br-lan interface=wlan50.1

/ip dhcp-client
add disabled=no interface=br-wan use-peer-dns=no use-peer-ntp=no

On the server I have:

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.253  netmask 255.255.255.0  broadcast 10.10.10.255

vlan10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 176.38.50.112  netmask 255.252.0.0  broadcast 176.39.255.255

default         _gateway        0.0.0.0         UG    0      0        0 vlan10
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 enp2s0

Everything works as expected.
One interesting thing I noted is that upload speed on the server is limited to ~170 Mbps, if HW offload is turned on on ether2. With HW offload turned off on ether2, the upload speed is as expected (700+ Mbps).

So, the question is: how to configure the same in the right way?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Better way to pass WAN (untagged) to LAN (tagged)?

Wed Feb 26, 2020 2:10 am

Why would you want to add any interface to two bridges?

Check this thread: viewtopic.php?f=13&t=157803

With bridge VLAN filtering, bridge is used as a way to either configure hardware switch (on some/few devices) or emulate the same behaviour in software. You can then work with different vlans using vlan interfaces on bridge and it automatically takes care of tagging and untagging them on the right ports. It may be confusing at first, because you see WAN ethernet interface bridged with LAN ethernet interface(s) and it looks completely wrong. But it's the filtering part that makes things separated. It's actually really nice and simple once you understand it. The only problem is that support for HW offloading is quite limited on many devices. Hopefully it will be fixed in future where possible, but nobody knows when.
 
nemoforum
Frequent Visitor
Topic Author
Posts: 59
Joined: Thu Jan 05, 2017 11:08 pm

Re: Better way to pass WAN (untagged) to LAN (tagged)?

Wed Feb 26, 2020 10:14 am

Sob,
Thank you for your answer. It looks like exactly what I want.
And you are right, adding all interfaces to one bridge is confusing at first look.
I'll give it a try.
Thanks again!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Better way to pass WAN (untagged) to LAN (tagged)?

Wed Feb 26, 2020 12:39 pm

Check examples in manual:

https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

They are simple and relatively easy to understand. Or there's also this popular thread:

viewtopic.php?f=13&t=143620

IMHO the most confusing part is that the bridge interface can be two things at once. First, it is the interface for configuring the switch (either hardware or software), but the bridge interface itself can also be used as a member port of a selected vlan (depending on the bridge's pvid).
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Better way to pass WAN (untagged) to LAN (tagged)?

Wed Feb 26, 2020 7:46 pm

My limited experience is that it's better not to involve bridge in anything beyond moving traffic around:
a. keep its default PVID of 1
b. do not assign any dhcp responsibilities
c. if a management VLAN is required, assign it to an unused number: 66, 99, etc.
 
nemoforum
Frequent Visitor
Topic Author
Posts: 59
Joined: Thu Jan 05, 2017 11:08 pm

Re: Better way to pass WAN (untagged) to LAN (tagged)?

Wed Feb 26, 2020 11:32 pm

Okay, I got it working with this config (using switch chip, i.e. with HW offload):

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan

/interface vlan
add interface=ether1-wan name=vlan10-wan vlan-id=10

/interface bridge
add name=br protocol-mode=none

/interface bridge port
add bridge=br interface=wlan24
add bridge=br interface=wlan50
add bridge=br interface=ether2
add bridge=br interface=ether3
add bridge=br interface=ether4
add bridge=br interface=ether5
add bridge=br interface=wlan24.1
add bridge=br interface=wlan50.1
add bridge=br interface=ether1-wan

/interface ethernet switch port
set 0 default-vlan-id=10 vlan-mode=secure
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=secure

/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=no ports=ether1-wan,ether2,switch1-cpu switch=switch1 vlan-id=10

I just don't understand one thing: why was vlan10-wan able to get an IP via DHCP from the ISP only when vlan10-wan is on ether1-wan, and not on br?
Last edited by nemoforum on Thu Feb 27, 2020 12:10 am, edited 1 time in total.
 
nemoforum
Frequent Visitor
Topic Author
Posts: 59
Joined: Thu Jan 05, 2017 11:08 pm

Re: Better way to pass WAN (untagged) to LAN (tagged)?

Thu Feb 27, 2020 12:04 am

BTW, I've tried the solution suggested by Sob in this post viewtopic.php?f=13&t=157803#p776032 :

- bridge all ports together
- bridge itself is your untagged LAN
- give PVID 2 to bridge port ether1
- add VLAN interface with id 2 on bridge
- VLAN interface is your new WAN
- configure VLAN assignment on bridge (in Bridge->VLANs), add VLAN 2 as untagged on ether1 and tagged on ether2-5 and bridge
- enable bridge VLAN filtering

It's not clear to me what "- add VLAN interface with id 2 on bridge" means.
I supposed it's:

/interface vlan
add interface=bridge name=VLAN vlan-id=2

So, my config is:

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan

/interface bridge
add name=br protocol-mode=none vlan-filtering=yes

/interface bridge port
add bridge=br interface=wlan24
add bridge=br interface=wlan50
add bridge=br interface=ether2
add bridge=br interface=ether3
add bridge=br interface=ether4
add bridge=br interface=ether5
add bridge=br interface=wlan24.1
add bridge=br interface=wlan50.1
add bridge=br interface=ether1-wan pvid=10

/interface vlan
add interface=br name=vlan10-wan vlan-id=10

/interface bridge vlan
add bridge=br tagged=ether2 untagged=ether1-wan vlan-ids=10

I was able to get an IP via DHCP from my ISP on the server.
However, vlan10-wan was unable to get an IP from ISP. Did I miss something?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Better way to pass WAN (untagged) to LAN (tagged)?

Thu Feb 27, 2020 1:00 am

I don't know about the hw switch way, I never really used it, except for some tests a long time ago, and it was an old switch without vlan support. I don't know how it coexists with bridge, and I have no device I could test it with.

For the other way you need tagged vlan also on bridge interface, i.e. tagged=ether2,br. It's the confusing part, here the bridge is used as interface and it needs to know that vlan interface added on top of it can access this tagged vlan.
 
nemoforum
Frequent Visitor
Topic Author
Posts: 59
Joined: Thu Jan 05, 2017 11:08 pm

Re: Better way to pass WAN (untagged) to LAN (tagged)?  [SOLVED]

Thu Feb 27, 2020 1:28 am

"For the other way you need tagged vlan also on bridge interface, i.e. tagged=ether2,br."

This:

/interface bridge vlan
add bridge=br tagged=ether2,br untagged=ether1-wan vlan-ids=10

works! Thank you!
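
Added example, not written by any poster in this thread: a simplified Python model of bridge VLAN filtering that shows why vlan10-wan got no lease until br was added to the tagged list, and that WAN (VLAN 10) frames never egress ether3-ether5. Port names and VLAN 10 come from the thread; the function names, the omission of the wlan ports, and the rule that each port is an untagged member of its PVID VLAN are assumptions of the model.

```python
# Simplified model of bridge VLAN filtering; not RouterOS code.
# Port names and VLAN 10 are from the thread; function names are hypothetical.
# wlan ports are left out for brevity (they are plain PVID 1 ports like ether3-ether5).
LAN_PORTS = ["ether2", "ether3", "ether4", "ether5"]
PVID = {"ether1-wan": 10, "br": 1, **{p: 1 for p in LAN_PORTS}}


def build_table(static_entries):
    """Merge static '/interface bridge vlan' rows with PVID-derived untagged membership."""
    table = {}
    for vid, tagged, untagged in static_entries:
        row = table.setdefault(vid, {"tagged": set(), "untagged": set()})
        row["tagged"] |= set(tagged)
        row["untagged"] |= set(untagged)
    # Assumption: every port is an untagged member of the VLAN named by its PVID.
    for port, vid in PVID.items():
        row = table.setdefault(vid, {"tagged": set(), "untagged": set()})
        if port not in row["tagged"]:
            row["untagged"].add(port)
    return table


def forward(table, in_port, tag=None):
    """Return {egress_port: 'tagged'|'untagged'} for a flooded frame (e.g. a DHCP broadcast)."""
    vid = tag if tag is not None else PVID[in_port]  # untagged ingress is classified by PVID
    row = table.get(vid)
    if row is None or in_port not in row["tagged"] | row["untagged"]:
        return {}                                    # ingress filtering drops the frame
    out = {p: "tagged" for p in row["tagged"]}
    out.update({p: "untagged" for p in row["untagged"]})
    out.pop(in_port, None)                           # never send back out the ingress port
    return out


def cpu_sees_vlan(table, vid):
    """A VLAN interface on top of 'br' only receives VLAN vid if 'br' is a tagged member."""
    return "br" in table.get(vid, {"tagged": set()})["tagged"]


# The two '/interface bridge vlan' rows tried in the thread: (vlan-id, tagged, untagged).
first_try = build_table([(10, ["ether2"], ["ether1-wan"])])
solved = build_table([(10, ["ether2", "br"], ["ether1-wan"])])

if __name__ == "__main__":
    for name, t in (("first try", first_try), ("solved", solved)):
        print(name, forward(t, "ether1-wan"), "vlan10-wan sees VLAN 10:", cpu_sees_vlan(t, 10))
    print("LAN broadcast from ether3:", forward(solved, "ether3"))
    print("VLAN 10 tag injected on ether3:", forward(solved, "ether3", tag=10))
```

The last two lines are the isolation check: untagged LAN traffic never reaches ether1-wan, and a VLAN 10 tag arriving on a port that is not a member of VLAN 10 is dropped at ingress.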
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Better way to pass WAN (untagged) to LAN (tagged)?

Thu Feb 27, 2020 2:18 am

Don't forget to check what it does with speed, if it's enough.
