mrmcrae
just joined
Topic Author
Posts: 14
Joined: Wed Jul 06, 2022 7:22 pm

VLAN Filtering not working on LHG60ad P2P

Tue Aug 16, 2022 1:01 am

Hi,

I have spent a crazy amount of time trying to figure out why VLAN Filtering only works on the station bridge side and not the bridge side, without breaking the station side.

VLANs I want to trunk across this LHG60ad to LHG60ad wireless bridge:

VLAN1 - default (in use elsewhere)
VLAN20
VLAN105 - MGMT
VLAN230

I believe I have configured these devices correctly, however it seems not, please help!

P2P A-B Config:
/interface bridge
add name=bridge1 protocol-mode=none
/interface w60g
set [ find ] disabled=no mode=bridge name=wlan60-1 put-stations-in-bridge=bridge1 ssid=KSW
/interface vlan
add interface=bridge1 name=VLAN1 vlan-id=1
add interface=bridge1 name=VLAN20 vlan-id=20
add interface=bridge1 name=MGMT vlan-id=105
add interface=bridge1 name=VLAN230 vlan-id=230
/interface w60g station
add mac-address=C4:AD:34:AC:0E:06 name=wlan60-station-1 parent=wlan60-1 remote-address=C4:AD:34:AC:0C:5E
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan60-1
/interface bridge vlan
add bridge=bridge1 untagged=ether1,wlan60-1 vlan-ids=1
add bridge=bridge1 tagged=ether1,wlan60-1 vlan-ids=20
add bridge=bridge1 tagged=ether1,wlan60-1,bridge1 vlan-ids=105
add bridge=bridge1 tagged=ether1,wlan60-1 vlan-ids=230
/ip address
add address=10.20.105.200 interface=MGMT network=10.20.105.0
/system identity
set name=AtoB

P2P B to A Config:
/interface bridge
add name=bridge1 protocol-mode=none
/interface w60g
set [ find ] disabled=no mode=station-bridge name=wlan60-1 ssid=KSW
/interface vlan
add interface=bridge1 name=VLAN1 vlan-id=1
add interface=bridge1 name=VLAN20 vlan-id=20
add interface=bridge1 name=MGMT vlan-id=105
add interface=bridge1 name=VLAN230 vlan-id=230
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan60-1
/interface bridge vlan
add bridge=bridge1 untagged=ether1,wlan60-1 vlan-ids=1
add bridge=bridge1 tagged=ether1,wlan60-1 vlan-ids=20
add bridge=bridge1 tagged=ether1,wlan60-1,bridge1 vlan-ids=105
add bridge=bridge1 tagged=ether1,wlan60-1 vlan-ids=230
/ip address
add address=10.20.105.201/24 interface=MGMT network=10.20.105.0
/system identity
set name=BtoA
 
mrmcrae
just joined
Topic Author
Posts: 14
Joined: Wed Jul 06, 2022 7:22 pm

Re: VLAN Filtering not working on LHG60ad P2P

Wed Aug 17, 2022 1:44 am

Is there anyone that can help?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN Filtering not working on LHG60ad P2P

Wed Aug 17, 2022 10:03 am

Let's start from what you expect VLAN Filtering to do, and what is "not working" in particular.

In the configuration of the RouterOS bridges, there is a configuration item named vlan-filtering which, if set to yes alone, allows tagging/untagging frames on ingress/egress to/from ports of that bridge, and only allows frames to egress through member ports of the VLAN they are tagged with. To prevent frames with "wrong" VIDs also from ingressing via a given port, you have to use additional settings, ingress-filtering and frame-types, on the individual ports.

In none of your two exports, vlan-filtering is set to yes, but that may be because you've reverted it after seeing it did not work as you expected.

However, there is another catch - if you want the Mikrotik device itself to be reachable via a given VLAN, it is not enough to attach an /interface vlan to the bridge interface, you must also put the bridge port on the corresponding list (tagged or untagged) on the /interface bridge vlan row for that VID.

See this topic for clarification of what the single name of the bridge means in distinct contexts (as an interface, as a bridge port, as a "virtual switch"). It should clarify why the above is necessary.

Having said that - although activation of vlan-filtering should normally not cause an issue if you have configured /interface bridge port and /interface bridge vlan properly before, I have seen a case where it has failed and it was necessary to reboot the device to regain control of it. Since it did work properly after the reboot, the issue was not the vlan-filtering configuration but the actual process of change.

As you are so careful about not breaking the settings of the station, I assume access to it is complicated. Therefore, I'd first try to set up a second wireless interface with another SSID at both the AP and the station, as virtual ones linked to the physical ones, set up IP addresses from a common unique subnet on them, and check that you can access the STA this way. This will be your access channel to the station even if you break the bridge settings badly. I was not sure whether a virtual interface can run in station mode so I've tried on a mAP lite and succeeded, but there is still a chance that virtual interfaces won't work at a 60 GHz radio - you have to try on your own, I don't have any 60 GHz product handy.
 
mrmcrae
just joined
Topic Author
Posts: 14
Joined: Wed Jul 06, 2022 7:22 pm

Re: VLAN Filtering not working on LHG60ad P2P

Sat Aug 20, 2022 11:51 am

Hi,
> In none of your two exports, vlan-filtering is set to yes, but that may be because you've reverted it after seeing it did not work as you expected.
Yes, I removed it as it did not work as expected. However, when I applied it to the station and lost connection, I did not try rebooting, in case it's what you say it could be, "the actual process of change". I shall try this.
> However, there is another catch - if you want the Mikrotik device itself to be reachable via a given VLAN, it is not enough to attach an /interface vlan to the bridge interface, you must also put the bridge port on the corresponding list (tagged or untagged) on the /interface bridge vlan row for that VID.
If I understand you correctly, I believe this is configured correctly in the configuration??
/interface vlan
add interface=bridge1 name=VLAN1 vlan-id=1
add interface=bridge1 name=VLAN20 vlan-id=20
add interface=bridge1 name=MGMT vlan-id=105
add interface=bridge1 name=VLAN230 vlan-id=230
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan60-1
/interface bridge vlan
add bridge=bridge1 untagged=ether1,wlan60-1 vlan-ids=1
add bridge=bridge1 tagged=ether1,wlan60-1 vlan-ids=20
add bridge=bridge1 tagged=ether1,wlan60-1,bridge1 vlan-ids=105
add bridge=bridge1 tagged=ether1,wlan60-1 vlan-ids=230
Could the lack of VLAN Filtering configuration be the reason for MAC flapping between the uplink to the bridge and the port channel to the rest of the LAN??


Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN Filtering not working on LHG60ad P2P

Sat Aug 20, 2022 2:25 pm

> If I understand you correctly, I believe this is configured correctly in the configuration??
It depends on what you mean by "correctly". There are definitely multiple inconsistencies.
  1. you have added the router-facing port of bridge1 as a tagged member of VLAN 105
  2. since pvid=1 (the default one, so not shown in the export) in /interface bridge configuration for bridge1, the router-facing port of bridge1 is an untagged member of VLAN 1
  3. the router-facing port of bridge1 is not a member of VLANs 20 and 230
Due to 3., VLAN interfaces (in Cisco vernacular, subinterfaces of the switch-facing interface of the router) VLAN20 and VLAN230 never get any frame they expect.
Due to 2., frames belonging to VLAN 1 get untagged already as they egress the bridge towards the router, so the subinterface VLAN1 will ignore them as they do not bear the tag it expects.
In summary, with this configuration, only the "subinterface" VLAN105 has an actual access to VLAN 105, meaning you can access the router via an IP address attached to that "subinterface".


> Could the lack of VLAN Filtering configuration be the reason for MAC flapping between the uplink to the bridge and the port channel to the rest of the LAN??
Not sure what you mean by either "uplink to the bridge" or "port channel...". Port channel is a Cisco term for a Link Aggregation Group (bond); the bridge has no uplinks, it has just member ports, in your case, three: ether1, wlan60-1, and the router-facing port which is created implicitly.

In general, if we leave aside the case when two devices in the same L2 segment use the same MAC address, in a loop-free L2 network, MAC flapping can occur when vlan-filtering is disabled if other equipment in the same network uses per-VLAN MAC learning, so frames from the same MAC address but tagged with different VLAN IDs arrive at your bridge via different ports. With vlan-filtering=no, the bridge itself completely ignores VLAN tags. With vlan-filtering=yes, it uses per-VLAN MAC learning, so such a situation is not considered MAC flapping.

If the network is not loop-free, MAC flapping is caused by the same frame coming via multiple paths.
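
The rule from the two replies above (the bridge's own router-facing port must be on the tagged list of every VID that has an /interface vlan, and pvid=1 makes it an untagged member of VLAN 1), written as a small export checker. This is an added example, not code posted by anyone in the thread; the function names and the sample export are constructed here, and the result describes the membership that applies once vlan-filtering=yes.

```python
import re

# Constructed sample modelled on the first export posted in this thread.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 protocol-mode=none
/interface vlan
add interface=bridge1 name=VLAN1 vlan-id=1
add interface=bridge1 name=VLAN20 vlan-id=20
add interface=bridge1 name=MGMT vlan-id=105
add interface=bridge1 name=VLAN230 vlan-id=230
/interface bridge vlan
add bridge=bridge1 untagged=ether1,wlan60-1 vlan-ids=1
add bridge=bridge1 tagged=ether1,wlan60-1 vlan-ids=20
add bridge=bridge1 tagged=ether1,wlan60-1,bridge1 vlan-ids=105
add bridge=bridge1 tagged=ether1,wlan60-1 vlan-ids=230
"""

def parse_export(text):
    """Group 'add key=value ...' lines of an export by their menu path."""
    menus, path = {}, None
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            menus.setdefault(path, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def filtering_disabled(text):
    """Names of bridges on which vlan-filtering is not set to yes."""
    return [b["name"] for b in parse_export(text).get("/interface bridge", [])
            if b.get("vlan-filtering", "no") != "yes"]

def cpu_port_membership(text):
    """For each /interface vlan, how the bridge's own port relates to that VID."""
    menus = parse_export(text)
    pvid = {b["name"]: b.get("pvid", "1") for b in menus.get("/interface bridge", [])}
    result = {}
    for vif in menus.get("/interface vlan", []):
        br, vid = vif["interface"], vif["vlan-id"]
        if br not in pvid:
            continue  # VLAN interface is not attached to a bridge
        tagged = untagged = False
        for row in menus.get("/interface bridge vlan", []):
            # Simplification: vlan-ids is read as a comma list, ranges are not expanded.
            if row.get("bridge") == br and vid in row.get("vlan-ids", "").split(","):
                tagged |= br in row.get("tagged", "").split(",")
                untagged |= br in row.get("untagged", "").split(",")
        if tagged:
            result[vif["name"]] = "tagged"      # the VLAN interface sees the tag it expects
        elif untagged or vid == pvid[br]:
            result[vif["name"]] = "untagged"    # tag is stripped before the VLAN interface
        else:
            result[vif["name"]] = "not-member"  # frames of this VID never reach the router
    return result

if __name__ == "__main__":
    print("vlan-filtering off on:", filtering_disabled(SAMPLE_EXPORT))
    for name, state in cpu_port_membership(SAMPLE_EXPORT).items():
        print(f"{name}: {state}")
```

Only an interface reported as "tagged" is usable for management access; on the sample that is MGMT alone, matching the summary in the reply.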
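
The two causes of MAC flapping described in the reply above, replayed through a toy learning table. This is an added example, not from the thread: the frames and MAC addresses are constructed, and `count_flaps` is a hypothetical helper that models only source-address learning, keyed on MAC alone (vlan-filtering=no) or on VLAN plus MAC (vlan-filtering=yes).

```python
# Constructed frames: (ingress port, source MAC, VLAN ID).
# Same MAC seen on two ports, but in a different VLAN on each port, as happens
# when neighbouring equipment learns MAC addresses per VLAN.
PER_VLAN_FRAMES = [
    ("ether1",   "02:00:00:00:00:01", 20),
    ("wlan60-1", "02:00:00:00:00:01", 230),
    ("ether1",   "02:00:00:00:00:01", 20),
    ("wlan60-1", "02:00:00:00:00:01", 230),
    ("ether1",   "02:00:00:00:00:02", 20),
]

# Same MAC in the same VLAN arriving on two ports: the same frame coming via
# multiple paths, i.e. the network is not loop-free.
LOOP_FRAMES = [
    ("ether1",   "02:00:00:00:00:01", 20),
    ("wlan60-1", "02:00:00:00:00:01", 20),
    ("ether1",   "02:00:00:00:00:01", 20),
]

def count_flaps(frames, vlan_aware):
    """Replay frames through a learning table and return the list of flaps.

    vlan_aware=False keys the table on the MAC only (tags ignored);
    vlan_aware=True keys it on (VLAN ID, MAC), i.e. per-VLAN learning.
    A flap is recorded whenever a known key moves to a different port.
    """
    table, flaps = {}, []
    for port, mac, vid in frames:
        key = (vid, mac) if vlan_aware else mac
        previous = table.get(key)
        if previous is not None and previous != port:
            flaps.append((mac, vid, previous, port))
        table[key] = port
    return flaps

if __name__ == "__main__":
    for label, frames in (("per-VLAN neighbour", PER_VLAN_FRAMES), ("loop", LOOP_FRAMES)):
        for aware in (False, True):
            n = len(count_flaps(frames, aware))
            print(f"{label:18} vlan-aware={aware!s:5} flaps={n}")
```

If flaps remain with per-VLAN learning, as in the second data set, enabling vlan-filtering will not remove them and the multiple-path case is the one to investigate.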
 
mrmcrae
just joined
Topic Author
Posts: 14
Joined: Wed Jul 06, 2022 7:22 pm

Re: VLAN Filtering not working on LHG60ad P2P

Sat Aug 20, 2022 8:57 pm

Thanks.

I think I'm overthinking this and now a bit more confused.

What I am trying to do is create the below topology:
Capture.PNG
Basically I wish to trunk all of the VLANs from SW-A over to SW-B. VLAN105 is the MGMT VLAN which will be used to access the bridge and station-bridge devices only. VLAN1 is to be kept native.

The issue I saw in regards to MAC flapping with my config was that MAC addresses were seen flapping between po1 (Gi1/0/25-26) on SW-A and on Gi1/0/24. How this was happening is what I was trying to understand, as these MAC addresses are elsewhere on the network and should not be seen from Gi1/0/24 (Bridge).

I did find a config example of someone who I believe has similar issues with trunking (not sure about MAC flapping though, as he didn't have vlan-filtering on), so I was going to give it a go. It would be great to see a good example of configs that achieves this; it will make me understand more of what's going on and how this is supposed to work.

Updated configs:

BRIDGE
/interface bridge
add admin-mac=C4:AD:34:AC:0E:05 auto-mac=no name=bridge1 pvid=1 vlan-filtering=yes
/interface w60g
set [ find ] disabled=no isolate-stations=no mode=bridge name=wlan60-1 put-stations-in-bridge=bridge ssid=KSW-P2P
/interface w60g station
add mac-address=C4:AD:34:AC:0E:06 name=wlan60-station-1 parent=wlan60-1 remote-address=C4:AD:34:AC:0C:5E
/interface vlan
add interface=bridge1 name=MGMT vlan-id=105
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan60-1
/ip address
add address=10.20.105.200/24 interface=MGMT network=10.20.105.0
/ip route
add distance=1 gateway=10.20.105.1
/system identity
set name=P2P-01

STATION-BRIDGE
/interface bridge
add admin-mac=C4:AD:34:AC:0E:05 auto-mac=no name=bridge protocol-mode=none pvid=1 vlan-filtering=yes
/interface w60g
set [ find ] disabled=no mode=station-bridge name=wlan60-1 ssid=KSW-P2P
/interface vlan
add interface=bridge name=MGMT vlan-id=105
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan60-1
/ip address
add address=10.20.105.201/24 interface=MGMT network=10.20.105.0
/ip route
add distance=1 gateway=10.20.105.1
/system identity
set name=P2P-02

I appreciate your help!
 
mrmcrae
just joined
Topic Author
Posts: 14
Joined: Wed Jul 06, 2022 7:22 pm

Re: VLAN Filtering not working on LHG60ad P2P

Sun Aug 21, 2022 1:39 am

Well, that last config didn't work :( I believe it didn't work because I didn't add this into the script at minimum:
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1,wlan60-station-1 vlan-ids=105
This is my understanding of what is what:

ether1 is the actual physical port; what is tagged/untagged seems to be defined under /interface bridge vlan. What's not clear is what interfaces get tagged and why. I believe you would always select tagged ether1 and wlan60-1 for non-MGMT VLANs (MGMT VLAN would have bridge1 tagged also to enable remote access). Don't know if wlan60-station-1 needs to be tagged also (don't really know what that is and why you get the option, but it seems it's required as I had issues accessing the station-bridge without it).

/interface vlan, I think now, is what's classed as a sub interface, and I would only have the MGMT VLAN defined here as there is an IP address mapped to it.

/interface bridge port - I believe is where you tag/untag VLANs you require, but what is supposed to get tagged is still a best guess. I believe that all VLANs going over the wireless link should be defined here.


The below config seems to work with vlan-filtering=yes, so now it feels like I've made some progress :), I just can't test it yet to see if it stops the MAC flapping...

STATION
/interface bridge
add admin-mac=C4:AD:34:AC:0E:05 auto-mac=no name=bridge1 protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on
/interface w60g
set [ find ] disabled=no isolate-stations=no mode=bridge name=wlan60-1 \
    put-stations-in-bridge=bridge1 ssid=KSW-P2P
/interface vlan
add interface=bridge1 name=MGMT vlan-id=105
/interface w60g station
add mac-address=C4:AD:34:AC:0E:06 name=wlan60-station-1 parent=wlan60-1 \
    remote-address=C4:AD:34:AC:0C:5E
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan60-1
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1,wlan60-station-1 vlan-ids=105
add bridge=bridge1 tagged=ether1,wlan60-1,wlan60-station-1 vlan-ids=230
add bridge=bridge1 tagged=ether1,wlan60-1,wlan60-station-1 vlan-ids=20
/ip address
add address=10.20.105.200/24 interface=MGMT network=10.20.105.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.20.105.1 pref-src=\
    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name=P2P-01

BRIDGE-STATION
/interface bridge
add admin-mac=C4:AD:34:AC:0C:5D auto-mac=no name=bridge1 protocol-mode=none vlan-filtering=yes
/interface w60g
set [ find ] disabled=no mode=station-bridge name=wlan60-1 ssid=KSW-P2P
/interface vlan
add interface=bridge1 name=MGMT vlan-id=105
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan60-1
/interface bridge vlan
add bridge=bridge1 tagged=ether1,wlan60-1,bridge1 vlan-ids=105
add bridge=bridge1 tagged=ether1,wlan60-1 vlan-ids=230
add bridge=bridge1 tagged=ether1,wlan60-1 vlan-ids=20
/ip address
add address=10.20.105.201/24 interface=MGMT network=10.20.105.0
/ip route
add distance=1 gateway=10.20.105.1
/system identity
set name=P2P-02

Does this look any better?

Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN Filtering not working on LHG60ad P2P

Sun Aug 21, 2022 1:59 pm

> Does this look any better?
Definitely yes now as you've properly added the port lists for the individual VLANs.

My problem is that the 60 GHz bridge mode configuration is quite specific and I've got no hands-on experience with it, so I can only comment on the generic vlan-filtering configuration but not on the 60 GHz-specific part where the clients are added automatically as member ports of the bridge at the AP end - on a 2.4 GHz/5 GHz wireless interface, this is not the case, and the manual for 60 GHz is not exactly detailed.

The topology diagram has indeed added a lot of missing parts to the puzzle, but on the other hand it is now even harder to understand why MAC addresses should be flapping due to anything but a bug on the Mikrotik side as there is no way to create an L2 loop physically. The only thing to come to my mind would be that Mikrotik's flavor of RSTP (which is used on the bridges by default, and you haven't set protocol-mode to none in your early attempts) would somehow interfere with STP operation of the Cisco switches - not that it would be clear to me how that would be possible.
 
mrmcrae
just joined
Topic Author
Posts: 14
Joined: Wed Jul 06, 2022 7:22 pm

Re: VLAN Filtering not working on LHG60ad P2P

Sun Aug 21, 2022 9:49 pm

> The only thing to come to my mind would be that Mikrotik's flavor of RSTP (which is used on the bridges by default, and you haven't set protocol-mode to none in your early attempts) would somehow interfere with STP operation of the Cisco switches
Yes, I thought the same thing and did disable these during testing, but it didn't have any noticeable effect and I didn't have a lot of time for further tweaking or troubleshooting (I didn't try disabling at the switch port end). My suspicions then moved over to the issue of not being able to enable VLAN filtering properly. I'm ruling out a bug, as the issue happened before I took it on and they were on an older version of code. Quite a serious bug if it is, especially if it made its way to the latest version :shock:

Hoping to get back Tues to test this updated version. Feeling a bit more confident about this config and sounds like you are satisfied with it and it should do what I am intending it to. I

Been a bit of a headache this one, as I've not touched these before and documentation available and best practices are difficult to understand/come by, so I am grateful for your input. I was told these devices literally work straight out of the box and no special configuration is required other than adding mgmt IP and other stuff, i.e. NTP, DNS etc.

I'll update my findings and fingers crossed all works as intended.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN Filtering not working on LHG60ad P2P

Sun Aug 21, 2022 9:56 pm

> I was told these devices literally work straight out of the box and no special configuration is required other than adding mgmt IP and other stuff, i.e. NTP, DNS etc.
They indeed do if it is enough for you that they are just transparent.

Unrelated - if there is still an issue with MAC flapping, I would try not to specify wlan60-1 as a port of bridge1, given that an interface representing the station (client) is added to the bridge automatically.
 
mrmcrae
just joined
Topic Author
Posts: 14
Joined: Wed Jul 06, 2022 7:22 pm

Re: VLAN Filtering not working on LHG60ad P2P

Sun Aug 21, 2022 11:22 pm

> I would try not to specify wlan60-1 as a port of bridge1
What exactly do you mean by that?

Do you mean removing this from Station?:

/interface bridge port
add bridge=bridge1 interface=wlan60-1
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN Filtering not working on LHG60ad P2P

Mon Aug 22, 2022 8:25 am

Yes (the device names are confusing!), the one where the remote station is automatically added as a bridge port (called wlan60-station-1).
 
mrmcrae
just joined
Topic Author
Posts: 14
Joined: Wed Jul 06, 2022 7:22 pm

Re: VLAN Filtering not working on LHG60ad P2P

Fri Aug 26, 2022 11:58 am

Just an update.

With this config we are still experiencing MAC flaps... troubleshooting continues... I may have to create a separate discussion
