fqx
newbie
Topic Author
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

vlan problem on hEX

Tue Mar 30, 2021 6:52 am

After 6.41, master port changed to bridge, I find my vlan does not work as intended.
Some vlan-100 clients get vlan-1 IPs, some didn't get any IP.
My network topology is as follows:
VLAN.png
hEX config related with VLAN as follows:
# mar/29/2021 15:24:47 by RouterOS 6.48.1
/interface bridge
add fast-forward=no name=bridge-home vlan-filtering=yes
/interface vlan
add interface=bridge-home name=vlan-guest vlan-id=100
add interface=bridge-home name=vlan-home vlan-id=1
/ip pool
add name=home ranges=192.168.1.10-192.168.1.254
add name=guest ranges=192.168.11.10-192.168.11.254
add name=service ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=home authoritative=after-2sec-delay disabled=no interface=\
    vlan-home lease-time=12h name=home
add address-pool=guest authoritative=after-2sec-delay disabled=no interface=\
    vlan-guest lease-time=1h name=guest
add address-pool=service disabled=no interface=ether5 name=service
/ip hotspot
add address-pool=guest interface=vlan-guest name=hotspot1
/interface bridge port
add bridge=bridge-home ingress-filtering=yes interface=ether2
add bridge=bridge-home interface=ether3
add bridge=bridge-home interface=ether4
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge-home tagged=bridge-home untagged=ether2 vlan-ids=1
add bridge=bridge-home tagged=ether2,bridge-home vlan-ids=100
/ip address
add address=192.168.11.1/24 comment="hotspot network" interface=vlan-guest \
    network=192.168.11.0
add address=192.168.1.1/24 comment=home interface=vlan-home network=\
    192.168.1.0
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=home dhcp-option=proxy dns-server=\
    192.168.1.90 domain=local gateway=192.168.1.1 netmask=24
add address=192.168.11.0/24 comment=guest dns-server=192.168.11.1 gateway=\
    192.168.11.1 netmask=24
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
This setting was working long ago, not sure if it's not working because of 6.41 update.
VLAN-100 gets no traffic in /interface.
Where should I start to look?
 
fqx
newbie
Topic Author
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

Re: vlan problem on hEX

Tue Mar 30, 2021 7:07 am

I read some post that VLAN-1 doesn't need to be set, we can use bridge as vlan-1 interface.
I tried this recommendation, wireless VLAN-100 clients still get VLAN-1 IPs.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlan problem on hEX

Tue Mar 30, 2021 2:35 pm

First you need to upgrade your firmware, it's dated... use the latest LONG version of firmware for best results.
Then read this link which shows vlan1 does not need to be identified as it already exists by default.
No one creates and uses vlan1 as a traditional vlan.

Read this excellent link.........
viewtopic.php?f=23&t=143620
 
fqx
newbie
Topic Author
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

Re: vlan problem on hEX

Wed Mar 31, 2021 4:48 am

> First you need to upgrade your firmware, it's dated... use the latest LONG version of firmware for best results.
> Then read this link which shows vlan1 does not need to be identified as it already exists by default.
> No one creates and uses vlan1 as a traditional vlan.
>
> Read this excellent link.........
> viewtopic.php?f=23&t=143620

I am using 6.48.1 (latest stable), do you mean downgrading to 6.47.9 (latest long-term)?
I have read that link, maybe I missed something, will read again.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlan problem on hEX

Wed Mar 31, 2021 2:37 pm

If you are already at 6.48 you can leave it at that..... I simply prefer the more stable long term versions.
You should post the entire config as it's all interrelated.
/export hide-sensitive file=anynameyouwish
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlan problem on hEX

Wed Mar 31, 2021 2:44 pm

(1) My advice besides posting the complete config as noted above is to remove this rule
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

as it's very tricky to use properly and is only needed in special cases whereas the normal firewall rules work for 99% of needs.

(2) Change VLAN1 for home to VLAN10

(3) Good idea to keep eth5 on a separate LAN subnet in case there are problems on the bridge and you get locked out.

(5) Bridgeport config cannot be commented on unless we know what is attached to each port (smart device - can read vlan tags) or dumb device.
 
fqx
newbie
Topic Author
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

Re: vlan problem on hEX

Sat Apr 03, 2021 6:21 am

(1) OK, I will change this
(2) I doubt it will work, because VLAN-100 doesn't work. Besides, I have to figure out a proper procedure, in case I am locked out of AP or switch management interfaces. Do you have any suggestions?
(3) Because I was locked out several times. :-)
(4) I will post the full config below, only masked some username/password/MAC address.
vlan.rsc
(5) only two devices connected to hEX directly, eth1 connects to fiber modem, eth2 connects to CISCO Switch.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlan problem on hEX

Sat Apr 03, 2021 2:40 pm

(1) Am I to assume that all three ports are going to 'Smart Devices' that can read vlan tags??
/interface bridge port
add bridge=bridge-home interface=ether2
add bridge=bridge-home interface=ether3
add bridge=bridge-home interface=ether4
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge-home tagged=ether2,bridge-home,ether3,ether4 vlan-ids=100


(2) Am I to assume that you have two networks/subnets travelling over ether2,3,4 VLAN100 and the home subnet?
/ip address
add address=192.168.11.1/24 comment="hotspot network" interface=vlan-guest \
    network=192.168.11.0
add address=192.168.1.1/24 comment=home interface=bridge-home network=\
    192.168.1.0
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0


(3) The way you have setup ether5 to be separate from the bridge should allow you to access the router if the bridge setup kicks you out.

(4) I am not used to mixing vlans and non-vlans ( my lack of confidence in doing so more than anything else),
 
fqx
newbie
Topic Author
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

Re: vlan problem on hEX

Sun Apr 04, 2021 11:22 am

Yes for both Q1 and Q2
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlan problem on hEX

Sun Apr 04, 2021 3:29 pm

Would you consider making all VLANs going over the ports........... would make it clearer and cleaner. aka make home subnet vlan10
 
fqx
newbie
Topic Author
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

Re: vlan problem on hEX

Sun Apr 04, 2021 4:15 pm

> Would you consider making all VLANs going over the ports........... would make it clearer and cleaner. aka make home subnet vlan10

Yes if VLAN100 works in the first place.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlan problem on hEX

Sun Apr 04, 2021 6:19 pm

I suspect your issues are self-caused in having a way too complicated for me to understand dhcp server setup coupled with add firewall rules to the bridge.

What I would do is ensure that a plain jane vanilla setup works and then add in dhcp stuff after...........
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: vlan problem on hEX

Sun Apr 04, 2021 8:37 pm

Why do you use Bridge vlan filtering ?
You can just use ether2 as your trunk port without using any Bridge....
 
fqx
newbie
Topic Author
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

Re: vlan problem on hEX

Mon Apr 05, 2021 5:14 am

> Why do you use Bridge vlan filtering ?
> You can just use ether2 as your trunk port without using any Bridge....

Yes, for now. My switch ports are full, or someone suggest I can connect routeros and switch with two access ports.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: vlan problem on hEX

Mon Apr 05, 2021 4:26 pm

The configuration you have posted as a file seems fine to me regarding VLANs. VLAN 100 is tagged on both the bridge and ether2 ports of the bridge, VLAN1 is not tagged on either of the two, and the DHCP servers are attached as appropriate, the one for VLAN 100 is attached to the /interface vlan and the one for VLAN 100 is attached directly to the bridge interface of the router.

What are your reasons to use use-ip-firewall-for-vlan=yes under /interface bridge settings? Can you change that to no and try again?
 
fqx
newbie
Topic Author
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

Re: vlan problem on hEX

Sat Apr 10, 2021 11:52 am

> What are your reasons to use use-ip-firewall-for-vlan=yes under /interface bridge settings? Can you change that to no and try again?

There is no particular reason.
Screen Shot 2021-04-10 at 4.50.23 PM.png
I have set it to no now.
 
fqx
newbie
Topic Author
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

Re: vlan problem on hEX

Sat Apr 10, 2021 11:59 am

A quick update.

I boot up VM-1 (on VLAN-100) today, it CAN get address from VLAN-100 and working fine.
I think this change comes with my removing of VLAN-1.

So, I am wondering if my CISCO AP has some bug?
 
fqx
newbie
Topic Author
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

Re: vlan problem on hEX  [SOLVED]

Tue Apr 13, 2021 1:36 pm

I have found out what is wrong.

I have set native vlan of AP to 100, so even if I set "use tag", it won't be tagged.

It is working right now.
Sorry for wasting your time.😂
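
Added example (not from any poster in this thread): a small Python model of how the bridge in the first post's export classifies a frame arriving on ether2, showing why guest traffic that the AP leaves untagged is answered by the home DHCP server. It assumes the switch between the AP and the hEX hands those frames to ether2 untagged, and it models only the PVID and tagged-membership checks; all function names are illustrative.

```python
import re
import shlex

# Constructed sample: VLAN, DHCP and bridge lines taken from the export in the first post.
EXPORT = r"""/interface vlan
add interface=bridge-home name=vlan-guest vlan-id=100
add interface=bridge-home name=vlan-home vlan-id=1
/ip dhcp-server
add address-pool=home authoritative=after-2sec-delay disabled=no interface=\
    vlan-home lease-time=12h name=home
add address-pool=guest authoritative=after-2sec-delay disabled=no interface=\
    vlan-guest lease-time=1h name=guest
/interface bridge port
add bridge=bridge-home ingress-filtering=yes interface=ether2
/interface bridge vlan
add bridge=bridge-home tagged=bridge-home untagged=ether2 vlan-ids=1
add bridge=bridge-home tagged=ether2,bridge-home vlan-ids=100
"""

def parse_export(text):
    """Map each export section path to the key=value dicts of its 'add' lines."""
    sections, rows = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join '\' continuations
        line = line.strip()
        if line.startswith("/"):
            rows = sections.setdefault(line, [])
        elif line.startswith("add ") and rows is not None:
            rows.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return sections

def ingress_vlan(sections, port, tag=None):
    """VLAN ID a frame entering `port` is bridged in; None if filtered.
    Simplified model: vlan-filtering=yes, ingress-filtering=yes, plain ID lists."""
    cfg = next(p for p in sections["/interface bridge port"] if p["interface"] == port)
    if tag is None:                       # untagged frame: classified by the port PVID
        return int(cfg.get("pvid", 1))    # RouterOS default pvid is 1
    for row in sections["/interface bridge vlan"]:
        if str(tag) in row["vlan-ids"].split(",") and port in row.get("tagged", "").split(","):
            return tag
    return None

def dhcp_pool(sections, port, tag=None):
    """Address pool whose DHCP server would answer a frame entering `port`."""
    vid = ingress_vlan(sections, port, tag)
    names = {v["name"] for v in sections["/interface vlan"] if int(v["vlan-id"]) == vid}
    return next((d["address-pool"] for d in sections["/ip dhcp-server"]
                 if d["interface"] in names), None)

cfg = parse_export(EXPORT)
print("guest frame tagged 100 on ether2 ->", dhcp_pool(cfg, "ether2", 100))
print("guest frame left untagged by AP  ->", dhcp_pool(cfg, "ether2"))
```

The second result is the segmentation failure reported at the top of the thread: with VLAN 100 set as the AP's native VLAN, guest frames lose their tag and the router can only place them in the PVID of ether2, which is the home network.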
