Can't get VLAN trunk working

InfraErik · Wed Mar 26, 2025 9:57 am

OK - I have what should be a very simple setup for using VLANs but for some reason it's not working.

The managed switch is setup with the SFP+ port using VLAN tagging for the 4 noted VLANs, and individual ports are setup as access ports for the different VLANs. What's interesting is that I can see that this communication is working properly when vlan-filtering is disabled and I'm plugged into an access port, Winbox shows the IP address of the interface for just that VLAN. It also shows an interface with an IP address of 0.0.0.0 which is puzzling. In this state I can use the Winbox via MAC address to contact the router, but I can't get an IP from the DHCP server, and I can't contact the IP address even when I assign a fixed IP to the workstation in that subnet. As soon as I activate vlan-filtering the router becomes completely unreachable over this interface.

schema.jpg

Here's what I've put together based on the documentation and various examples in the forums:

#############################################
# Basic Configuration
/ip dns set servers=1.1.1.1,9.9.9.9
/system clock set time-zone-name=Europe/Paris
/system identity set name=gw-rmb
/system logging add topics=firewall
/system note set show-at-login=no

#### VLANs ####
# Create the bridge to hold VLANs - disabled while I set things up
/interface bridge add name=internal-bridge vlan-filtering=no 

# Add the SFP+ port to the bridge
/interface bridge port add bridge=internal-bridge interface=sfp28-2

# Add the VLANs as tagged on the internal SFP, attached to the bridge
/interface bridge vlan add bridge=internal-bridge tagged=internal-bridge,sfp28-2 vlan-ids=29 
/interface bridge vlan add bridge=internal-bridge tagged=internal-bridge,sfp28-2 vlan-ids=30 
/interface bridge vlan add bridge=internal-bridge tagged=internal-bridge,sfp28-2 vlan-ids=31
/interface bridge vlan add bridge=internal-bridge tagged=internal-bridge,sfp28-2 vlan-ids=32

# Create the virtual interfaces for each VLAN on the bridge
/interface vlan add interface=internal-bridge name=DMZ  vlan-id=29
/interface vlan add interface=internal-bridge name=LAN  vlan-id=30
/interface vlan add interface=internal-bridge name=MGMT vlan-id=31
/interface vlan add interface=internal-bridge name=IOT  vlan-id=32

# Assign IP addresses to the VLAN interfaces
/ip address add address=192.168.29.254/24 interface=DMZ  network=192.168.29.0
/ip address add address=192.168.30.254/24 interface=LAN  network=192.168.30.0
/ip address add address=192.168.31.254/24 interface=MGMT network=192.168.31.0
/ip address add address=192.168.32.254/24 interface=IOT  network=192.168.32.0

#### DHCP Servers ####
# IP Pools to distribute
/ip pool add name=dmz_pool  ranges=192.168.29.101-192.168.29.199
/ip pool add name=lan_pool  ranges=192.168.30.101-192.168.30.199
/ip pool add name=mgmt_pool ranges=192.168.31.101-192.168.31.199
/ip pool add name=iot_pool  ranges=192.168.32.101-192.168.32.199

# Define DHCP network zones
/ip dhcp-server network add address=192.168.29.0/24 comment=DMZ  dns-server=192.168.30.199,192.168.20.4 gateway=192.168.29.254
/ip dhcp-server network add address=192.168.30.0/24 comment=LAN  dns-server=192.168.30.199,192.168.20.4 gateway=192.168.30.254
/ip dhcp-server network add address=192.168.31.0/24 comment=MGMT dns-server=192.168.30.199,192.168.20.4 gateway=192.168.31.254
/ip dhcp-server network add address=192.168.32.0/24 comment=IOT  dns-server=192.168.30.199,192.168.20.4 gateway=192.168.32.254

# Enable Servers
/ip dhcp-server add address-pool=dmz_pool  interface=DMZ name=DMZ
/ip dhcp-server add address-pool=lan_pool  interface=LAN name=LAN
/ip dhcp-server add address-pool=mgmt_pool interface=MGMT name=MGMT
/ip dhcp-server add address-pool=iot_pool  interface=IOT name=IOT

For testing purposes, the WAN connection is unplugged and the firewall rules are simply:

/ip firewall filter
add action=accept chain=forward
add action=accept chain=input

I'm clearly missing something basic here - anyone have an idea?

erlinden · Wed Mar 26, 2025 10:44 am

Only one topic you have to follow:
viewtopic.php?t=143620

I'm missing the "frame-types=admit-only-vlan-tagged" on the /Interface bridge port
Just for VLAN security.

But that doesn't explain the problems tou encounter.

Could you please share a complete config of both the router and the switch? You are referring to accessport, but it is not shown in the config.

ConradPino · Wed Mar 26, 2025 12:59 pm

Iis vlan-filtering=no still in effect?
Remember Safe Mode before make change.

/interface/bridge/set bridge vlan-filtering=yes

InfraErik · Wed Mar 26, 2025 1:36 pm

The topic noted was one of my sources and I think that I have followed the instructions adapted to this configuration.

Effectively, I disabled the "frame-types=admit-only-vlan-tagged" as a measure to keep things as open as possible. Complete configuration attached

minimum.rsc

The switch is a really basic Mokerlink model setup with the VLANs tagged on the SFP interface and some access ports set up for testing.

Mokerlink.png

It's when I set vlan-filtering=yes that I lose all contact over the SFP+ interface

CGGXANNX · Wed Mar 26, 2025 2:55 pm

The settings on your Molkerlink is currently wrong. A port cannot have multiple VLANs untagged at the same time. Edit the entry for VLAN 1 and remove ports 1, 2, 3, 8, 9 (set to Not Member).

InfraErik · Wed Mar 26, 2025 3:39 pm

Done - but removing VLAN 1 from all ports doesn't change the situation as far as communicating with the router.

CGGXANNX · Wed Mar 26, 2025 4:09 pm

Interesting. Are you currently connected to port #2 of the Mokelink? According to the screenshot, you are on port 6. Port 6 has no connectivity to the CCR2004.

InfraErik · Wed Mar 26, 2025 4:37 pm

That was just a screenshot I had on hand. When I'm connected to port#2 and I open Winbox, I see a good connection L2 Ethernet and I can see that the MGMT interface is properly associated with it's IP but that information is all just broadcast over ethernet frames. There's no L3 connectivity in that state or when I set vlan-filtering=yes.

CGGXANNX · Wed Mar 26, 2025 6:59 pm

Hm, on the Mokerlink, did you go to "Configuration > VLAN -> 802.1Q VID" and set the PVID for the ports?

Port 1 should have PVID 30
Port 2 should have PVID 31
Port 3 should have PVID 32
Port 8 should have PVID 29

And while you are there, change Accepted Frame Type of those ports to only untagged too?

InfraErik · Wed Mar 26, 2025 7:49 pm

Bingo! Many thanks @CGGXANNX

I was working from the assumption (stupid me) that setting the untagged VLAN was sufficient, but effectively it also needed to be manually assigned the PVID and I hadn't even looked into that submenu as the VID title didn't make me think of everything. If only the title had been PVID I would have thought to look sooner.

anav · Wed Mar 26, 2025 7:51 pm

Bingo! Many thanks @CGGXANNX

I was working from the assumption (stupid me) that setting the untagged VLAN was sufficient, but effectively it also needed to be manually assigned the PVID and I hadn't even looked into that submenu as the VID title didn't make me think of everything. If only the title had been PVID I would have thought to look sooner.

You were quoted a great ref document, there was no need to make assumptions LOL.

Can't get VLAN trunk working

Can't get VLAN trunk working

Re: Can't get VLAN trunk working

Re: Can't get VLAN trunk working

Re: Can't get VLAN trunk working

Re: Can't get VLAN trunk working

Re: Can't get VLAN trunk working

Re: Can't get VLAN trunk working

Re: Can't get VLAN trunk working

Re: Can't get VLAN trunk working

Re: Can't get VLAN trunk working

Re: Can't get VLAN trunk working