agomes
newbie
Topic Author
Posts: 38
Joined: Thu Mar 17, 2016 8:16 am

Bridge VLAN Filtering / Can't access the MikroTik

Thu Dec 09, 2021 12:17 pm

Hello,

I recently started using the Bridge VLAN Filtering option and I'm unable to access the MikroTik through Access or Trunk ports.
Inter-VLAN communication works (I can access the switch from a PC connected to a MikroTik access port). What am I missing?
Is there something special to consider with the VLAN interfaces & Bridge VLAN Filtering?

Otherwise, this kind of configuration is working just fine in another setup of two 1100AHx4 in a VRRP and RSTP configuration, which is why I'm confused.
I'm probably blind to some detail here. Appreciate any help. Thx.

# dec/09/2021 11:11:25 by RouterOS 6.48.6
# software id = 
#
# model = 1100AHx2
# serial number = 
/interface bridge
add name=bridge-LAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] comment="LAN Trunk"
set [ find default-name=ether9 ] comment="INET Access"
set [ find default-name=ether10 ] comment="MGMT Access"
set [ find default-name=ether11 ] comment=BYPASS disabled=yes
set [ find default-name=ether12 ] comment=BYPASS disabled=yes
set [ find default-name=ether13 ] comment=BOOT
/interface vlan
add interface=bridge-LAN name=INET vlan-id=117
add interface=bridge-LAN name=MGMT vlan-id=105
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-INET ranges=192.168.53.10-192.168.53.200
/ip dhcp-server
add add-arp=yes address-pool=pool-INET disabled=no interface=INET name=server-INET src-address=192.168.53.254
/interface bridge port
add bridge=bridge-LAN interface=ether9 pvid=117
add bridge=bridge-LAN interface=ether10 pvid=105
add bridge=bridge-LAN interface=ether8
/interface bridge vlan
add bridge=bridge-LAN tagged=ether8 untagged=ether10 vlan-ids=105
add bridge=bridge-LAN tagged=ether8 untagged=ether9 vlan-ids=117
/ip address
add address=192.168.88.1/24 interface=ether13 network=192.168.88.0
add address=10.90.90.254/24 interface=MGMT network=10.90.90.0
add address=192.168.53.254/24 interface=INET network=192.168.53.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.53.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.53.254
/ip firewall filter
add action=accept chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Europe/Vienna

 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Bridge VLAN Filtering / Can't access the MikroTik  [SOLVED]

Thu Dec 09, 2021 12:21 pm

You also need to add the "Bridge" to the Tagged VLAN-Filtering rules.

Basic example:

/interface bridge vlan
add bridge=bridge-LAN tagged=ether8,bridge-LAN untagged=ether10 vlan-ids=105
add bridge=bridge-LAN tagged=ether8,bridge-LAN untagged=ether9 vlan-ids=117
 
agomes
newbie
Topic Author
Posts: 38
Joined: Thu Mar 17, 2016 8:16 am

Re: Bridge VLAN Filtering / Can't access the MikroTik

Thu Dec 09, 2021 12:58 pm

> You also need to add the "Bridge" to the Tagged VLAN-Filtering rules.
>
> Basic example:
>
> /interface bridge vlan
> add bridge=bridge-LAN tagged=ether8,bridge-LAN untagged=ether10 vlan-ids=105
> add bridge=bridge-LAN tagged=ether8,bridge-LAN untagged=ether9 vlan-ids=117

Thank you. It works now.
Interestingly this was not necessary in my other setup.
 
ConnyMercier
Forum Veteran
Posts: 725
Joined: Tue Dec 17, 2019 1:08 pm

Re: Bridge VLAN Filtering / Can't access the MikroTik

Thu Dec 09, 2021 1:14 pm

That's a good question ...

Possible Reason 1:
The Bridge-Interface has a default PVID-Parameter.
A dynamic VLAN-Filtering Rule is created, if no Static rule is defined for this vlan-ID.

Possible Reason 2:
You only need to add the bridge,
if the Device itself needs to communicate with the VLAN.

So for a L2-Switch, you usually don't need to add the bridge to the VLAN.
(except maybe the Management VLAN)
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN Filtering / Can't access the MikroTik

Thu Dec 09, 2021 7:21 pm

When you have this kind of configuration:
/interface vlan
add interface=bridge-LAN name=INET vlan-id=117
add interface=bridge-LAN name=MGMT vlan-id=105
with something like this following
/ip dhcp-server
add add-arp=yes address-pool=pool-INET disabled=no interface=INET name=server-INET src-address=192.168.53.254
/ip address
add address=10.90.90.254/24 interface=MGMT network=10.90.90.0
add address=192.168.53.254/24 interface=INET network=192.168.53.0
that means the device has to interact with VLANs, and the bridge interface (as already mentioned by @ConnyMercier) has to be a tagged member of said VLAN(s). In OP's case that's actually interface bridge-LAN.

More about bridge personalities in ROS.
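
An added example, not part of the thread and not MikroTik tooling: a Python check that reads a RouterOS export and reports every VLAN interface whose parent bridge is not a tagged member of the same VLAN ID, which is the condition that blocked access in the first post. The function names and the trimmed sample exports are constructed here; it assumes unwrapped export lines and only sees static `/interface bridge vlan` entries, not dynamic ones.

```python
import re
from collections import defaultdict
# Constructed samples: ORIGINAL is trimmed from the first post, FIXED applies the reply.
ORIGINAL = """\
/interface bridge
add name=bridge-LAN vlan-filtering=yes
/interface vlan
add interface=bridge-LAN name=INET vlan-id=117
add interface=bridge-LAN name=MGMT vlan-id=105
/interface bridge vlan
add bridge=bridge-LAN tagged=ether8 untagged=ether10 vlan-ids=105
add bridge=bridge-LAN tagged=ether8 untagged=ether9 vlan-ids=117
"""
FIXED = ORIGINAL.replace("tagged=ether8 ", "tagged=ether8,bridge-LAN ")

def parse_export(text):
    """Group the 'add' lines of an export by menu path, each as a key/value dict."""
    sections, path = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            # Assumption: lines are not wrapped with a trailing backslash.
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            sections[path].append({k: v.strip('"') for k, v in pairs})
    return sections

def expand_ids(spec):
    """Expand a vlan-ids value such as '105' or '100-110,117' into a set of ints."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def missing_bridge_membership(text):
    """List (vlan interface, vlan-id, bridge) where the bridge is not tagged in that VLAN."""
    cfg = parse_export(text)
    filtering = {b["name"] for b in cfg["/interface bridge"]
                 if b.get("vlan-filtering") == "yes"}
    tagged = defaultdict(set)  # (bridge, vlan-id) -> statically tagged members
    for row in cfg["/interface bridge vlan"]:
        for vid in expand_ids(row.get("vlan-ids", "")):
            tagged[(row["bridge"], vid)].update(row.get("tagged", "").split(","))
    return [(v["name"], int(v["vlan-id"]), v["interface"])
            for v in cfg["/interface vlan"]
            if v.get("interface") in filtering
            and v["interface"] not in tagged[(v["interface"], int(v["vlan-id"]))]]
```

Running `missing_bridge_membership` on an export before enabling `vlan-filtering=yes` shows which router-terminated VLANs, the management VLAN included, would become unreachable.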
