miankamran7100
Member
Topic Author
Posts: 331
Joined: Tue Sep 17, 2019 9:28 am

untagg multiple VLAN on ether port

Tue Nov 12, 2024 5:07 pm

Hello
Dear all,
I have SXT on my Client side.
I have untagged VLAN-10 on the SXT ether port
but also want to untag VLAN-20 & (native VLAN-1) traffic on the ether port.

How can I do that?

I have posted my configuration

/interface bridge
add name=bridge1 pvid=10 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk eap-methods="" mode=dynamic-keys name=\
"Password profile" supplicant-identity="" wpa-pre-shared-key=mka@1234
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-a/n channel-width=\
20/40mhz-Ce country=australia disabled=no frequency=5805 frequency-mode=\
superchannel installation=any mode=station-bridge nv2-preshared-key=\
mka@1234 nv2-security=enabled radio-name="Station Hostel" \
security-profile="Password profile" ssid="AP Hostal" station-roaming=\
enabled wds-default-bridge=bridge1 wds-mode=dynamic wireless-protocol=nv2

/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=wlan1
/interface bridge vlan
add bridge=bridge1 tagged=wlan1,bridge1 untagged=ether1 vlan-ids=10
/interface wireless access-list
add interface=wlan1 mac-address=08:55:31:4A:57:AA vlan-mode=no-tag
/ip address
add address=172.20.20.26/24 interface=vlan20 network=172.20.20.0
/tool romon
set enabled=yes
 
erlinden
Forum Guru
Posts: 2571
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 5:25 pm

You want multiple VLANs untagged on a port? Can you explain why?
 
anav
Forum Guru
Posts: 21703
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 5:44 pm

Why are you defining and using vlan1 on any MikroTik router?
WHAT DEVICE is at the other end of the port that will accept multiple untagged VLANS ????

+++++++++++++++++++++++++++++++++++++++++++++++

access-port --> goes to dumb device. ONLY ONE vlan can exist on an access port - untagging is used on exit of traffic from port (device can't read tags)
trunk port --> goes to smart device. One or MORE vlans exist on a trunk port - tagging is used for all vlans on exit of traffic from port (device can read tags)
AND
hybrid port ---> goes to special smart device (typically UniFi APs (default uses untagged vlan for management and all data vlans tagged) or phone devices (uses tagged vlan and passes untagged vlan to connected computer))
One or more vlans exist on a HYBRID port, BUT ONLY ONE CAN PASS as untagged.

Therefore your request to untag MORE than one vlan on any port is NOT possible.

Surprise me though. I repeat, WHAT DEVICE is at the other end of the port that will accept multiple untagged VLANS ????
 
mkx
Forum Guru
Posts: 12861
Joined: Thu Mar 03, 2016 10:23 pm

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 7:11 pm

miankamran7100 wrote: "but also want to untag VLAN-20 & (native VLAN-1) traffic on the ether port."

Your main problem so far is that VLAN 20 is only mentioned in VLAN interface creation. The bridge doesn't know about VLAN 20, so it won't pass it between CPU and other bridge ports ... and other bridge ports are not configured to allow it in any direction.

But anyway, you can pass multiple VLANs untagged on any port, just make that port an untagged member of all relevant VLANs. However: any given port can only tag untagged frames on ingress with one VID and there are no ifs or buts. Which essentially means that bidirectional communication works only for a single VLAN (the one set as PVID on the port).

So again, what is your use case?
 
anav
Forum Guru
Posts: 21703
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 7:21 pm

You give false impressions mate.

Quote: "But anyway, you can pass multiple VLANs untagged on any port, just make that port untagged member of all relevant VLANs" unquote.

Is incorrect and misleading, let me reword it in real English.

Although one can, in vlan-filtering=yes configs, PHYSICALLY force the router to have multiple VLANS untagged to a single port in /bridge interface vlans, it serves NO PURPOSE.
It means nothing! It's nonsensical!

So to even bring it up is ridonkulous........mkx gets the Bronx cheer of the week.............

THIS IS NOT POSSIBLE (a port may only be identified once in bridge ports and only one pvid can be assigned to a port)
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=30
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=40


Only one vlan can pass untagged leaving ether2 and that is predicated upon the pvid setting at /interface bridge port at ether2.
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=single vlan


As noted previously, even if it was a hybrid port, only one vlan can leave the port untagged.
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 vlan-ids=40


/interface bridge port
add bridge=bridge interface=ether2 pvid=single vlan
Last edited by anav on Tue Nov 12, 2024 8:41 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 12861
Joined: Thu Mar 03, 2016 10:23 pm

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 7:29 pm

anav wrote: "Only one vlan can pass untagged leaving ether2 and that is predicated upon the pvid setting at /interface bridge port"

Wrong. Correct would be: All configured VLANs pass untagged leaving ether2 but only one VLAN offers bidirectional communication.
Just because you don't see a use case for something doesn't mean it's wrong. Yes, as good forum citizens we are obliged to point at weird configurations or requests, but we can give honest answers to direct questions (your reworded version is not correct).

I think I was clear enough in my previous post; the last sentence, standing in its own paragraph, was written in that particular way on purpose.
 
anav
Forum Guru
Posts: 21703
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 7:33 pm

Since all the vlans passing untagged out of the port do not offer bilateral communications, you are effectively admitting that there is no point, because return traffic, even if it magically came back to the router, would not be accepted on input/return to the port; only the PVID vlan would have its traffic accepted back..........
Hence by stating it's possible to set up the router to provide no useful return of information, is an amazing thing, you do have skills.

We agree on the end result, just not how to get there.......... I never said that one could not send a bunch of untagged vlans out the port, I showed you the config, we both agree that it serves no purpose. I call this forced because it's an unnatural thing to think, let alone actually do.

So you are wrong, in your assessment of what I said but I do appreciate the technical addition of what actually happens at the port.......... Shall we continue LOL
 
kleshki
Member Candidate
Posts: 285
Joined: Tue Mar 10, 2020 6:37 am

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 7:40 pm

The OP seems to be confused about the terms, so don't have pointless arguments. Let's ask the OP for a network diagram: where VLANs 10 and 20 originate and where they should or should not go.
 
anav
Forum Guru
Posts: 21703
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 7:47 pm

Concur, and is why in post #3 I presented clear feedback. It was not me that muddied the waters by saying oh what you're doing is possible sort of with caveats, oh yeah so clear !!!! ;-PP
 
kleshki
Member Candidate
Posts: 285
Joined: Tue Mar 10, 2020 6:37 am

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 7:55 pm

anav wrote: "Concur, and is why in post #3 I presented clear feedback. It was not me that muddied the waters by saying oh what you're doing is possible sort of with caveats, oh yeah so clear !!!! ;-PP"

It's actually possible to have multiple untagged vlans per port. The setup can be like this:

MikroTik -> dumb switch -> whatever multiple devices

So you can add each device behind dumb switch to a separate VLAN using bridge/hosts tab. And add PVID to set a VLAN for those MACs that aren't defined. Example:
/interface bridge port
add bridge=bridge interface=ether1 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=20
/interface bridge host
add bridge=bridge mac-address=_mac_ vid=20
Don't ask me why, but I think there may exist a tiny use case for a small branch network, where heads didn't approve buying a managed switch, but VLANs are still required for network simplicity.
 
anav
Forum Guru
Posts: 21703
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 8:40 pm

Sorry you have further muddied the waters and perhaps my understanding is not correct.

As MKX stated --> However: any given port can only tag untagged frames on ingress with one VID and there are no ifs or buts. Which essentially means that bidirectional communication works only for single VLAN (the one set as PVID on port).

The only use case MKX hinted at is bidirectional traffic for one vlan, and one-way traffic for the rest of the vlans out the port to dumb device and never any return traffic expected or needed.

It would seem you're implying that all of the untagged vlans' traffic would be returned via the dumb switch back to the router and accepted by the router.
This seems contradictory to what I know, but please tell me how this would work............ When such traffic (vlans 20,30,40) hits port X on the dumb switch heading to the router, they will get dropped when they enter the router.

+++++++++++++++++++++++++++++++++++++++++++++++

I believe you are confused with the use case for a hybrid port where one port is untagged and multiple vlans also pass through it.
What may happen at the un-managed switch is unknown............ but it's possible that all traffic actually works in this case.......

You also may be confused with a use case where a trunk port hits an un-managed switch with multiple vlans and what may happen is unknown, but it's possible that all traffic works.
 
kleshki
Member Candidate
Posts: 285
Joined: Tue Mar 10, 2020 6:37 am

Re: untagg multiple VLAN on ether port

Tue Nov 12, 2024 11:45 pm

Nope I meant that traffic passes through dumb switch without any tags and reaches untagged to router at port where switch is connected. Then, if MAC address is found in bridge/host table, traffic gets tagged according to MAC->VID mapping and goes with tag through MT bridge. The return traffic gets untagged and in dumb switch acts like all devices in same L2 but with different subnets.

I did that in the past when I had to modernize an old network full of dumb switches. So while I was waiting for HQ to approve proper equipment, and for the purchase and delivery process, I set up the router to tag devices per their MAC, so there could be a printer and a PC in different VLANs connected to the same dumb switch. For the dumb switch and devices it looks like you have just a router and throw multiple IPs to the bridge - so technically there are multiple subnets, but on switch level anyone can communicate as no VLAN exists.

Yes, this is just a dirty trick, don't blame me for that as this was just a temporary solution, but I don't mess hybrid ports and trunks with native VLAN, and in that setup, the port is indeed marked as untagged in multiple VLANs. You can try it on your own. And I don't contradict you, there's only one PVID possible per port - which, in that scheme, would be used to mark traffic from devices missing in bridge/host table.
 
miankamran7100
Member
Topic Author
Posts: 331
Joined: Tue Sep 17, 2019 9:28 am

Re: untagg multiple VLAN on ether port

Wed Nov 13, 2024 7:16 am

Dear all,
I want to untag all VLANs on my SXT port.
SXT was installed on the client side and connected with a dumb switch.
I need to access everything I have mentioned on this dumb switch
DHCP Server = VLAN 10
Static IP = VLAN 20
VLAN1 = PPPoE Server

Thanks
 
mkx
Forum Guru
Posts: 12861
Joined: Thu Mar 03, 2016 10:23 pm

Re: untagg multiple VLAN on ether port

Wed Nov 13, 2024 8:49 am

As already explained: you can't have multiple VLANs untagged on single port and having bidirectional communication (with exception of somehow implementing MAC VLAN which tags ingress packets based on source MAC addresses).

I recommend you to rethink the network topology ... best would be to install smart switch (which supports VLANs) on client side and pass necessary VLANs through wireless link (SXT).
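
The ingress/egress asymmetry argued over in this thread can be checked with a small model of an 802.1Q bridge port. This is an added example, not code from any poster or from RouterOS; the `Port` class, the `round_trip` helper and the MAC addresses are constructed for illustration, and the `mac_vlan` table is an assumed stand-in for the MAC-to-VID mapping described earlier in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Simplified 802.1Q bridge port (hypothetical model, not RouterOS code)."""
    pvid: int = 1
    untagged: set = field(default_factory=set)    # VLANs sent out without a tag
    tagged: set = field(default_factory=set)      # VLANs sent out with a tag
    mac_vlan: dict = field(default_factory=dict)  # assumed source MAC -> VID table

    def ingress(self, src_mac, tag=None):
        """VLAN a received frame is classified into, or None if dropped."""
        # An untagged frame carries no VLAN information: the port has to pick
        # one VID, from the MAC table if an entry exists, otherwise the PVID.
        vid = self.mac_vlan.get(src_mac, self.pvid) if tag is None else tag
        return vid if vid in (self.untagged | self.tagged) else None

    def egress(self, vid):
        """How a frame of VLAN `vid` leaves the port, or None if not sent."""
        if vid in self.untagged:
            return "untagged"
        return f"tagged:{vid}" if vid in self.tagged else None

def round_trip(port, host_mac, vid):
    """Send VLAN `vid` out of the port, then classify the host's untagged reply."""
    out = port.egress(vid)
    back = port.ingress(host_mac) if out == "untagged" else None
    return out, back, back == vid

PRINTER = "02:00:00:00:00:20"  # constructed sample MAC

# ether1 as untagged member of VLAN 10 and VLAN 20, PVID 10
ether1 = Port(pvid=10, untagged={10, 20})
plain = {vid: round_trip(ether1, PRINTER, vid) for vid in (10, 20)}

# Same port with a MAC -> VID entry for the printer
ether1_mac = Port(pvid=10, untagged={10, 20}, mac_vlan={PRINTER: 20})
mapped = round_trip(ether1_mac, PRINTER, 20)
unknown = ether1_mac.ingress("02:00:00:00:00:99")  # no entry, falls back to PVID

if __name__ == "__main__":
    for vid, (out, back, ok) in plain.items():
        print(f"VLAN {vid}: egress={out} reply classified as {back} bidirectional={ok}")
    print("with MAC mapping:", mapped, "unknown MAC ->", unknown)
```

With the mapping in place the VLAN is chosen purely from the frame's source MAC, and the hosts still share one Layer 2 segment on the unmanaged switch, so the arrangement separates addressing but does not isolate the devices from each other.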
 
CGGXANNX
Member Candidate
Posts: 232
Joined: Thu Dec 21, 2023 6:45 pm

Re: untagg multiple VLAN on ether port

Wed Nov 13, 2024 9:00 am

Well, if that's really what you want, you can abuse one of the Layer 2 Misconfigurations https://help.mikrotik.com/docs/spaces/R ... linterface

Because your device only has two ports, ether1 and wlan1, you should:
  • Remove the existing bridge
  • Configure VLAN 10 and VLAN 20 on ether1, as tagged.
  • Create another VLAN, let's say 100, that will be used for the network currently served by the bridge (the old VLAN 1). This VLAN 100 is untagged on ether1.
  • Create a bridge spanning the VLAN 10, VLAN 20, VLAN 100, and wlan1. But don't forget to turn off any kind of (R)STP on this bridge. And don't configure any IP address or other Layer 3 feature on this bridge.

But you should really consider some other proper way. Please note that many dumb switches will happily forward frames with VLAN tags unmodified. Which means you can still set up wlan1 as a trunk or hybrid port correctly. The handling of the tagged VLANs can be done on the end-devices. Operating systems like Linux and Windows do support multiple VLANs and you don't need a smart switch. Here is a guide for Windows https://woshub.com/configure-multiple-vlan-on-windows/.
