[cross-post from the german mikrotik forum https://mikrotik-forum.de/viewtopic.php ... fefb15fe01. I will publish the solution on either side.]
Hello,
I run a network in my house with several VLANs. The hardware is heterogeneous: OPNsense router/firewall, Netgear main switch, APs from Zyxel and Mikrotik. The whole thing is actually working as it should at the moment.
But now I want a freifunk router (an old Fritz!Repeater 1200 flashed with the OpenWRT-based firmware of the local freifunk community). I have created my own VLAN for freifunk (VLAN60). If I operate the freifunk router on a VLAN60 access port of the main switch (netgear), everything works fine. However, I want the router outside in a bicycle shed. There hangs a hAP ac2, which is connected to the switch via several stations. A normal client (iPad) works fine on the VLAN60 access port of the hAP. But if I plug in the freifunk router there, the hAP "disappears" from the network, e.g. it is no longer listed in winbox.
To reduce the complexity, I have now connected a cAP ac directly to the main switch (port 1) and port 2 (access port VLAN60) to the FF router -> the result is identical. I attach the configuration.
Obviously something is configured incorrectly on the cAP - but I can't find the error.
What could be the cause? What could I do to isolate the problem?
Thank you very much!
Freifunk router on Mikrotik AP
You do not have the required permissions to view the files attached to this post.
Re: Freifunk router on Mikrotik AP
Knowing nothing about the "Freibox" (Freifunkene Fritzbox) thing and you mentioning it to act as a repeater, is there any chance that it could cause an L2 loop, so RSTP would cut the connection to the hAP ac2 or cAP ac, whichever is used during the "test"?
Also, I'd highly recommend to take an USB-to-serial converter (or two if you don't have a serial port on your laptop), connect it to the hAP ac2 (no USB port available on cAP ac) and via a null-modem cable to the laptop, and see how the hAP ac2 itself feels while the Freibox is associated to it. /interface bridge port monitor [find] once could hint something.
Also, I'd highly recommend to take an USB-to-serial converter (or two if you don't have a serial port on your laptop), connect it to the hAP ac2 (no USB port available on cAP ac) and via a null-modem cable to the laptop, and see how the hAP ac2 itself feels while the Freibox is associated to it. /interface bridge port monitor [find] once could hint something.
Re: Freifunk router on Mikrotik AP
Thanks a lot for yout tip regarding monitoring the hAP! I will try that ASAP and report back.
Freifunk is a community project aiming to provide free wifi. My Fritz!Repeater 1200 shound act as a note (AP + router) in the freifunk-net. Freifunk is available under diffeent names in different countries. More information is provided here: https://en.wikipedia.org/wiki/Freifunk
And YES: I also think it may be a L2 loop. Is there a way to separate VLAN60 completly from my VLAN-bridge?
Freifunk is a community project aiming to provide free wifi. My Fritz!Repeater 1200 shound act as a note (AP + router) in the freifunk-net. Freifunk is available under diffeent names in different countries. More information is provided here: https://en.wikipedia.org/wiki/Freifunk
And YES: I also think it may be a L2 loop. Is there a way to separate VLAN60 completly from my VLAN-bridge?
Re: Freifunk router on Mikrotik AP
Looking at your configuration export more carefully, I've noticed it not to be completely correct.And YES: I also think it may be a L2 loop. Is there a way to separate VLAN60 completly from my VLAN-bridge?
The thing is that if you set vlan-id on a particular wireless interface (configured using an /interface wireless row), there is no point in setting pvid to the same value on the corresponding row of /interface bridge port. Plus if ingress-filtering is set to no, the frame-types item on the same row is ignored.
Regarding the L2 loop - RouterOS is quite sensitive about receiving frames with any of its own MAC addresses as source (and rightfully so). So if the Freibox can connect to one of the wireless interfaces of the cAP ac/hAP ac2, and there's a bridge in it itself between the wireless and wired interface, you may search no further.
Regarding separating VLAN 60 completely from the bridge - the answer is "yes, but". The very purpose of VLANs is to logically separate traffic on the same physical links, and a single Ethernet port can only be a member port of a single bridge. To exclude VLAN 60 from being handled by the common bridge, you would have to exclude all the other VLANs from it too and make it the "old way", attaching the tagged ends of all your VLAN interfaces on the cAP ac/hAP ac2 to ether1, and creating an individual bridge for each of them. But this means to switch off RSTP and vlan filtering as such. Another workaround would be to use an EoIP tunnel rather than a VLAN to logically separate the traffic currently occupying VLAN 60. But none of these should be necessary once you find and fix the actual issue.
Re: Freifunk router on Mikrotik AP
Thank you for diving in my config! Am I right, that all VLAN config should be done on the bridge? So I would remove the pvid setting in /interface wireless? Or is it the other way around?The thing is that if you set vlan-id on a particular wireless interface (configured using an /interface wireless row), there is no point in setting pvid to the same value on the corresponding row of /interface bridge port. Plus if ingress-filtering is set to no, the frame-types item on the same row is ignored.
The Freifunk-router does not have access (by means of has confured ssid and passphrase) to my WiFi interfaces.Regarding the L2 loop - RouterOS is quite sensitive about receiving frames with any of its own MAC addresses as source (and rightfully so). So if the Freibox can connect to one of the wireless interfaces of the cAP ac/hAP ac2, and there's a bridge in it itself between the wireless and wired interface, you may search no further.
Would it be helpful (for debuging purpose only) to set protocol=none on the bridge?
Re: Freifunk router on Mikrotik AP
Well, the setting on the wireless interface is a relict from pre-vlan-filtering times I'd say. So in this sense yes, use-vlan=no on the /interface wireless row and use of pvid on the /interface bridge port rowsis more correct.Am I right, that all VLAN config should be done on the bridge? So I would remove the pvid setting in /interface wireless? Or is it the other way around?
In that case I can't see how it could create an L2 loop if it is connected solely to ether2 of the cAP ac, unless there is some bug or misconfiguration in it that makes it send a packet with Mikrotik's own MAC address as source back to the Mikrotik. A misconfiguration could be if you had (speaking in Mikrotik terms) two /interface vlan attached to the same Ethernet port and both were be member ports of the same bridge.The Freifunk-router does not have access (by means of has confured ssid and passphrase) to my WiFi interfaces.
Not really - on one hand, it is better to have STP active to save the situation if an L2 loop occurs, on the other hand, the loop detection on Mikrotik works even if protocol-mode on a bridge is set to none.Would it be helpful (for debuging purpose only) to set protocol=none on the bridge?
Re: Freifunk router on Mikrotik AP
It is now working (meaning: freifunk-router connected to his backbone and my net still running) with setting protocol=none on the bridge (nothing else changed).
Of course I would prefer to leave RSTP enabled on the bridge.
Any recommendation what test to run or what log to check to identify the cause of this problen?
Of course I would prefer to leave RSTP enabled on the bridge.
Any recommendation what test to run or what log to check to identify the cause of this problen?
Re: Freifunk router on Mikrotik AP
So it seems that the L2 loop is indeed there. But since the cAP ac doesn't process RSTP now, it just freely passes the RSTP BPDUs between ether1 and ether2. So the device connected to cAP ac's ether1 became an "RSTP neighbor" of the Freibox connected to cAP ac's ether2, and due to this, the L2 loop has been cut, by setting a port to Alternate or Backup state, at some other place than before. So now the link between the cAP ac and your other device remains open and you can access the cAP ac. Bear in mind that on one hand, the STP BPDUs are sent and received outside the "VLAN space" and they are the only frames that keep being ingress and egress on an Alternate or Backup port, and on the other hand, the spanning tree processes do not care about VLANs enabled on individual ports interconnecting the switches, so if the VLAN you use to communicate between the cAP ac and the rest of the network is not permitted on some port on the other, long, path between them, RSTP is happy but you lose connection to the cAP ac.
So as said before, /interface bridge monitor and /interface bridge port monitor are your best friends. They should reveal the port state on the cAP ac itself and the device connected to its ether1 when RSTP is enabled on the cAP ac and Freibox is connected to it. In this state you'll either need the serial connection, or possibly a wireless one could do, using another Mikrotik router as a wireless station (client) and allowing management access to the cAP ac from one of the wireless interfaces in advance. Monitoring the state of the bridge and its ports on the individual devices in your network will also tell you the MAC address of the root bridge, and if it is a device outside your network, they will also let you track down the other interface in your network that connects your network to that root bridge, the first one being the cAP ac's ether2.
It is still possible to fix that by using MSTP, which can be configured to effectively work as a normal RSTP on switches in your own network but make your whole network feel like one large switch to the RSTP apparently running in the Freifunk network. Provided that all your devices support MSTP of course.
Maybe you have an L2 tunnel to your friendly neighbor and he's got another Freifunk gateway?
So as said before, /interface bridge monitor and /interface bridge port monitor are your best friends. They should reveal the port state on the cAP ac itself and the device connected to its ether1 when RSTP is enabled on the cAP ac and Freibox is connected to it. In this state you'll either need the serial connection, or possibly a wireless one could do, using another Mikrotik router as a wireless station (client) and allowing management access to the cAP ac from one of the wireless interfaces in advance. Monitoring the state of the bridge and its ports on the individual devices in your network will also tell you the MAC address of the root bridge, and if it is a device outside your network, they will also let you track down the other interface in your network that connects your network to that root bridge, the first one being the cAP ac's ether2.
It is still possible to fix that by using MSTP, which can be configured to effectively work as a normal RSTP on switches in your own network but make your whole network feel like one large switch to the RSTP apparently running in the Freifunk network. Provided that all your devices support MSTP of course.
Maybe you have an L2 tunnel to your friendly neighbor and he's got another Freifunk gateway?
Re: Freifunk router on Mikrotik AP
.... In this state you'll either need the serial connection, or possibly a wireless one could do, using another Mikrotik router as a wireless station (client) and allowing management access to the cAP ac from one of the wireless interfaces in advance....
Or, better yet, a woobm.
Re: Freifunk router on Mikrotik AP
Thanks for all these informations. Seems I have some homework to do. I will report back.So it seems that the L2 loop is indeed there. But since the cAP ac doesn't process RSTP now, it just freely passes the RSTP BPDUs between ether1 and ether2. So the device connected to cAP ac's ether1 became an "RSTP neighbor" of the Freibox connected to cAP ac's ether2, and due to this, the L2 loop has been cut, by setting a port to Alternate or Backup state, at some other place than before. So now the link between the cAP ac and your other device remains open and you can access the cAP ac. Bear in mind that on one hand, the STP BPDUs are sent and received outside the "VLAN space" and they are the only frames that keep being ingress and egress on an Alternate or Backup port, and on the other hand, the spanning tree processes do not care about VLANs enabled on individual ports interconnecting the switches, so if the VLAN you use to communicate between the cAP ac and the rest of the network is not permitted on some port on the other, long, path between them, RSTP is happy but you lose connection to the cAP ac.
So as said before, /interface bridge monitor and /interface bridge port monitor are your best friends. They should reveal the port state on the cAP ac itself and the device connected to its ether1 when RSTP is enabled on the cAP ac and Freibox is connected to it. In this state you'll either need the serial connection, or possibly a wireless one could do, using another Mikrotik router as a wireless station (client) and allowing management access to the cAP ac from one of the wireless interfaces in advance. Monitoring the state of the bridge and its ports on the individual devices in your network will also tell you the MAC address of the root bridge, and if it is a device outside your network, they will also let you track down the other interface in your network that connects your network to that root bridge, the first one being the cAP ac's ether2.
It is still possible to fix that by using MSTP, which can be configured to effectively work as a normal RSTP on switches in your own network but make your whole network feel like one large switch to the RSTP apparently running in the Freifunk network. Provided that all your devices support MSTP of course.
Maybe you have an L2 tunnel to your friendly neighbor and he's got another Freifunk gateway?
Re: Freifunk router on Mikrotik AP
I allready saw that one. Will probably get one. Thank you!.... In this state you'll either need the serial connection, or possibly a wireless one could do, using another Mikrotik router as a wireless station (client) and allowing management access to the cAP ac from one of the wireless interfaces in advance....
Or, better yet, a woobm.
Re: Freifunk router on Mikrotik AP [solved] [SOLVED]
Hey all.
I have it up and running now with RSTP switched on again. Solution was to carefully set all RSTP router prioritory values in my network. Before I had used the default settings what was "good enough" without the Freifunk-router but not with it.
When I now visit bridge/ports I see just one root port and the others are designated or disabled.
Thank you very much for your help!
I have it up and running now with RSTP switched on again. Solution was to carefully set all RSTP router prioritory values in my network. Before I had used the default settings what was "good enough" without the Freifunk-router but not with it.
When I now visit bridge/ports I see just one root port and the others are designated or disabled.
Thank you very much for your help!
Re: Freifunk router on Mikrotik AP [solved]
Err.... doing that may have just hidden the issue from you.
The fact that connecting the Freibox has caused all this mess strongly suggests that the loop path goes through the Freibox, which further implies that either there is a RSTP running in the Freifunk network and your network becomes part of its spanning tree, or that the Freifunk network doesn't use RSTP and thus it just transparently delivers the RSTP BPDUs sent by the cAP ac to some other port of some device of your own network. If Freifunk uses RSTP, your reconfiguration has solved your trouble but likely caused a trouble to Freifunk. And in either case, it is possible that the traffic of your hypothetical neighbor now goes through your Freifunk connection or vice versa.
One more point - it took me a while to realize that the Freibox is not a wireless client of the cAP ac, just due to the topic title
The fact that connecting the Freibox has caused all this mess strongly suggests that the loop path goes through the Freibox, which further implies that either there is a RSTP running in the Freifunk network and your network becomes part of its spanning tree, or that the Freifunk network doesn't use RSTP and thus it just transparently delivers the RSTP BPDUs sent by the cAP ac to some other port of some device of your own network. If Freifunk uses RSTP, your reconfiguration has solved your trouble but likely caused a trouble to Freifunk. And in either case, it is possible that the traffic of your hypothetical neighbor now goes through your Freifunk connection or vice versa.
One more point - it took me a while to realize that the Freibox is not a wireless client of the cAP ac, just due to the topic title
Re: Freifunk router on Mikrotik AP
Well, I doesn‘t heard of any problems in the Freifunk net… Would it help to set the port as edge port (it ist not detected as edge) in order to drop outgoing BPDUs and ignore any received BPDUs?
Re: Freifunk router on Mikrotik AP
It depends. If you do that, your own network will see the whole path from the ether2 of the cAP to the other port of your network as a single patchcord, and STP will do nothing about that because it will effectively be deactivated at those ports. But if broadcast frames (or frames to unknown destination MAC addresses) will get through that path, which depends on whether VLAN 60 is the native VLAN of the other port through which your network is interconnected with the Freifunk one, broadcast packets in VLAN 60 will gradually take all the bandwidth. The reason why L2 loops are a problem is that the L2 header has no time-to-live so a frame whose destination MAC address is not linked to a particular port keeps circulating forever.