senseivita
newbie
Topic Author
Posts: 35
Joined: Fri Jan 01, 2021 4:20 am

CHR - VLAN Filtering on bridge kills access

Fri Aug 19, 2022 5:42 am

I'm trying to set up a CHR with a bridge instead of individual VLANs on an ethernet interface; all seems to go well until the moment I enable VLAN filtering, then I'm cut off.

The router has two interfaces, a trunk (VLAN 4095 — vSphere) and the second one is on a single VLAN from which I could access easily in case I'd get locked out. But, when I enable VLAN filtering even that one stops responding too, not always, I'm still trying to find out what triggers it, but it does.

Here the config can be seen at a glance:
Image

Losing access:
Screen_Shot_2022-08-18_at_7_29_15_PM 2.png
That last one occasionally gets taken down as well.

And the relevant config, actually, most of the config since I'm just setting it up. Besides this, the only other configured data it has are DHCP reservations. No firewall rules, no--nothing. Speaking of firewall rules: I tried disabling IP firewall settings on the bridge too and spanning tree (network-wide, not only in the CHR) as well. No luck.
# aug/18/2022 20:22:44 by RouterOS 6.49.6
# software id = 
#
#
#
/interface bridge
add name=mainbridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no name=mgmtAccessBackup
/interface vlan
add interface=mainbridge name=z100 vlan-id=1
add interface=mainbridge name=z200 vlan-id=2
add interface=mainbridge name=z300 vlan-id=3
add interface=mainbridge name=z400 vlan-id=4
add interface=mainbridge name=z500 vlan-id=5
add interface=mainbridge name=z600 vlan-id=6
add interface=mainbridge name=z700 vlan-id=7
add interface=mainbridge name=z800 vlan-id=8
add interface=mainbridge name=z900 vlan-id=9
add interface=mainbridge name=zA00 vlan-id=10
add interface=mainbridge name=zB00 vlan-id=11
add interface=mainbridge name=zC00 vlan-id=12
add interface=mainbridge name=zD00 vlan-id=13
add interface=mainbridge name=zE00 vlan-id=14
add interface=mainbridge name=zF00 vlan-id=15
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=z100 name=z100 use-radius=yes
add disabled=no interface=z200 name=z200 use-radius=yes
add disabled=no interface=z300 name=z300 use-radius=yes
add disabled=no interface=z400 name=z400 use-radius=yes
add disabled=no interface=z500 name=z500 use-radius=yes
add disabled=no interface=zF00 name=zF00 use-radius=yes
add disabled=no interface=zE00 name=zE00 use-radius=yes
add disabled=no interface=zD00 name=zD00 use-radius=yes
add disabled=no interface=zC00 name=zC00 use-radius=yes
add disabled=no interface=zB00 name=zB00 use-radius=yes
add disabled=no interface=zA00 name=zA00 use-radius=yes
add disabled=no interface=z900 name=z900 use-radius=yes
add disabled=no interface=z800 name=z800 use-radius=yes
add disabled=no interface=z700 name=z700 use-radius=yes
add disabled=no interface=z600 name=z600 use-radius=yes
/ip dhcp-server option
add code=12 name=hostname value="\$(HOSTNAME)"
/ip pool
add name=z100 ranges=10.1.0.200-10.1.0.250
add name=z200 ranges=10.2.0.200-10.2.0.250
add name=z300 ranges=10.3.0.200-10.3.0.250
add name=z400 ranges=10.4.0.200-10.4.0.250
add name=z500 ranges=10.5.0.200-10.5.0.250
add name=z600 ranges=10.6.0.200-10.6.0.250
add name=z700 ranges=10.7.0.200-10.7.0.250
add name=z800 ranges=10.8.0.200-10.8.0.250
add name=z900 ranges=10.9.0.200-10.9.0.250
add name=zA00 ranges=10.10.0.200-10.10.0.250
add name=zB00 ranges=10.11.11.200-10.11.11.250
add name=zC00 ranges=10.12.0.200-10.12.0.250
add name=zD00 ranges=10.13.0.200-10.13.0.250
add name=zE00 ranges=10.14.0.200-10.14.0.250
add name=zF00 ranges=10.15.0.200-10.15.0.250
/interface bridge port
add bridge=mainbridge hw=no interface=ether1 trusted=yes
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set lldp-med-net-policy-vlan=7
/ip settings
set icmp-rate-limit=0
/interface bridge vlan
add bridge=mainbridge tagged=ether1 vlan-ids=1
add bridge=mainbridge tagged=ether1 vlan-ids=2
add bridge=mainbridge tagged=ether1 vlan-ids=3
add bridge=mainbridge tagged=ether1 vlan-ids=4
add bridge=mainbridge tagged=ether1 vlan-ids=5
add bridge=mainbridge tagged=ether1 vlan-ids=6
add bridge=mainbridge tagged=ether1 vlan-ids=7
add bridge=mainbridge tagged=ether1 vlan-ids=8
add bridge=mainbridge tagged=ether1 vlan-ids=9
add bridge=mainbridge tagged=ether1 vlan-ids=10
add bridge=mainbridge tagged=ether1 vlan-ids=11
add bridge=mainbridge tagged=ether1 vlan-ids=12
add bridge=mainbridge tagged=ether1 vlan-ids=13
add bridge=mainbridge tagged=ether1 vlan-ids=14
add bridge=mainbridge tagged=ether1 vlan-ids=15
/interface list member
add interface=z100 list=LAN
add interface=z200 list=LAN
add interface=z300 list=LAN
add interface=z400 list=LAN
add interface=z500 list=LAN
add interface=z600 list=LAN
add interface=z700 list=LAN
add interface=z800 list=LAN
add interface=z900 list=LAN
add interface=zA00 list=LAN
add interface=zB00 list=LAN
add interface=zC00 list=LAN
add interface=zD00 list=LAN
add interface=zE00 list=LAN
add interface=zF00 list=LAN
/ip address
add address=10.9.0.252/24 interface=mgmtAccessBackup network=10.9.0.0
add address=10.1.0.253/24 interface=z100 network=10.1.0.0
add address=10.2.0.253/24 interface=z200 network=10.2.0.0
add address=10.3.0.253/24 interface=z300 network=10.3.0.0
add address=10.4.0.253/24 interface=z400 network=10.4.0.0
add address=10.5.0.253/24 interface=z500 network=10.5.0.0
add address=10.6.0.253/24 interface=z600 network=10.6.0.0
add address=10.7.0.253/24 interface=z700 network=10.7.0.0
add address=10.8.0.253/24 interface=z800 network=10.8.0.0
add address=10.9.0.253/24 interface=z900 network=10.9.0.0
add address=10.10.0.253/24 interface=zA00 network=10.10.0.0
add address=10.11.11.253/24 interface=zB00 network=10.11.11.0
add address=10.12.0.253/24 interface=zC00 network=10.12.0.0
add address=10.13.0.253/24 interface=zD00 network=10.13.0.0
add address=10.14.0.253/24 interface=zE00 network=10.14.0.0
add address=10.15.0.253/24 interface=zF00 network=10.15.0.0
/ip dns
set servers=10.11.11.24
/ip route
add distance=1 gateway=10.1.0.1
add distance=1 gateway=10.2.0.1
add distance=1 gateway=10.4.0.1
add distance=1 gateway=10.9.0.1
add distance=1 gateway=10.3.0.1
add distance=1 gateway=10.5.0.1
add distance=1 gateway=10.6.0.1
add distance=1 gateway=10.7.0.1
add distance=1 gateway=10.8.0.1
add distance=1 gateway=10.9.0.1
add distance=1 gateway=10.11.11.1
add distance=1 gateway=10.10.0.1
add distance=1 gateway=10.12.0.1
add distance=1 gateway=10.13.0.1
add distance=1 gateway=10.14.0.1
add distance=1 gateway=10.15.0.1

Where did I screw up? I have a backup of my old config (last time I did this) but the network has changed kind of a lot since then and I don't see anything in the old file that stands out from what I've got now anyway. :/

Thanks for your help!
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: CHR - VLAN Filtering on bridge kills access

Fri Aug 19, 2022 8:34 am

Do not forget to include your "mainbridge" on each of the tagged interfaces too.
Also, looking at my RB5009 (working) config, under the Bridge-settings I DO NOT have "use ip firewall" or any other setting with "firewall" in there.
Perhaps CHR is a completely different animal requiring different settings? No experience with those.
Screenshot from 2022-08-19 07-34-46.png
Screenshot from 2022-08-19 07-35-11.png
Screenshot from 2022-08-19 07-35-36.png
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CHR - VLAN Filtering on bridge kills access

Fri Aug 19, 2022 1:22 pm

Notice I am not helping because the perp, I mean OP, defined vlan1 for what purpose I do not know.
Get rid of it and use vlan101 for example.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: CHR - VLAN Filtering on bridge kills access

Fri Aug 19, 2022 1:30 pm

> Notice I am not helping because the perp, I mean OP, defined vlan1 for what purpose I do not know.
> Get rid of it and use vlan101 for example.

VLAN1 is just fine, I also use this as "default"
It's not a crime to use VLAN1 ;-) despite what the textbook of enterprise-networking would suggest. (my 2 cents)
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CHR - VLAN Filtering on bridge kills access

Fri Aug 19, 2022 1:50 pm

There is certainly no problem using the default VLAN 1 untagged, e.g. if you have a working setup based on the initial configuration and then add some additional tagged VLANs on top. Using VLAN 1 tagged however is full of traps for the unwary, and a number of vendors hard-code VLAN 1 to be 'untagged only' in their equipment.

The typical issue, as the OP has done here, results in a mix of tagged and untagged on bridge-to-cpu and ether1 interfaces as the default bridge and port setting is pvid=1. This would be more obvious if the /export didn't hide the default value.
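
The two points raised in the replies above (the bridge missing from each VLAN's tagged list, and a VLAN ID that collides with the hidden default pvid=1) can be checked mechanically before turning on vlan-filtering. This is an added example, not part of any post in the thread; the function names and finding labels are hypothetical, and it assumes an unexported pvid means the default of 1, as noted in the post above.

```python
import shlex

# Constructed sample: a two-VLAN reduction of the export in the first post.
SAMPLE_EXPORT = """\
/interface bridge
add name=mainbridge vlan-filtering=yes
/interface vlan
add interface=mainbridge name=z100 vlan-id=1
add interface=mainbridge name=z200 vlan-id=2
/interface bridge port
add bridge=mainbridge hw=no interface=ether1 trusted=yes
/interface bridge vlan
add bridge=mainbridge tagged=ether1 vlan-ids=1
add bridge=mainbridge tagged=ether1 vlan-ids=2
"""

def parse_export(text):
    """Return {menu: [{key: value}, ...]} for the add/set lines of an export."""
    menus, menu = {}, None
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        menu = line.strip() if line.startswith("/") else menu
        if menu and line.startswith(("add ", "set ")):
            pairs = [t.split("=", 1) for t in shlex.split(line) if "=" in t]
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def expand_ids(spec):  # '1,5-7' -> {1, 5, 6, 7}
    spans = (part.partition("-") for part in spec.split(","))
    return {i for lo, _, hi in spans for i in range(int(lo), int(hi or lo) + 1)}

def lint(text):
    """Return (vlan interface, finding) pairs for bridges with vlan-filtering=yes."""
    m, findings = parse_export(text), []
    pvid = {b["name"]: int(b.get("pvid", 1)) for b in m.get("/interface bridge", [])
            if b.get("vlan-filtering") == "yes"}  # pvid absent from export: default 1
    vlans = [v for v in m.get("/interface vlan", []) if v["interface"] in pvid]
    for v in vlans:
        br, vid = v["interface"], int(v["vlan-id"])
        tagged = {t for row in m.get("/interface bridge vlan", [])
                  if row.get("bridge") == br and vid in expand_ids(row["vlan-ids"])
                  for t in row.get("tagged", "").split(",")}
        if br not in tagged:  # the bridge (CPU port) is not a tagged member
            findings.append((v["name"], "bridge-not-tagged"))
        clash = [br] * (pvid[br] == vid) + [
            p["interface"] for p in m.get("/interface bridge port", [])
            if p.get("bridge") == br and int(p.get("pvid", 1)) == vid]
        if clash:  # this VLAN ID is also the untagged pvid of these interfaces
            findings.append((v["name"], "pvid-clash:" + ",".join(sorted(clash))))
    return findings
```

Calling `lint()` on the text of an `/export` returns an empty list once every VLAN interface's bridge is in the tagged list and no VLAN ID matches a pvid.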
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CHR - VLAN Filtering on bridge kills access

Fri Aug 19, 2022 2:48 pm

All I am saying is that for newbies, actually defining a vlan with vlan-id=1 is going to be fraught with config issues.
There is no harm in staying clear of it, but not the reverse so I always go with the cautionary approach.
